TulsaConnect is SAS 70 Certified.
What is SAS 70?
SAS 70 is an acronym for "Statement on Auditing Standards No. 70". It is an auditing standard developed by the American Institute of Certified Public Accountants under which the internal controls of service organizations, such as TulsaConnect, are examined by an independent auditor. It was created to help identify those organizations willing to hold themselves to a very high level of standards.
What happens during a SAS 70, and what types of things do they look at?
There are two types of SAS 70 audits: a Type I and a Type II. During a Type I audit, the auditor examines the controls that the service organization claims to have in place at a specific point in time and issues an opinion on whether those controls are appropriate and effective. A Type II audit is similar to a Type I audit, except that the controls are tested over a longer period (typically 6 months or longer).
What is a "control"?
A control is a process, policy, or tool that you have in place which is designed to enforce a specific claim. For example, TulsaConnect has controls in place to ensure that only authorized personnel have physical access to our Data Centers. These controls consist of biometric security devices, entry/exit logs, and record-on-motion security cameras. All customer access to the facilities is via TulsaConnect escort only.
Why is SAS 70 Important for TulsaConnect?
Having a SAS 70 report available for our customers demonstrates our commitment to complete transparency into our policies, procedures, and controls. In addition, having TulsaConnect's SAS 70 report available may simplify any internal or external audits that a customer organization may be subject to.
TulsaConnect SAS 70 Certification
TulsaConnect completed its Type II certification in April 2010 and will be repeating the audit in 2011. The audit was performed by SAS 70 Corp., a licensed CPA firm performing SAS 70 Auditing Services nationwide. For a copy of our SAS 70 report, please contact your account representative.
TulsaConnect is PCI-DSS Certified.
What is PCI-DSS?
The PCI Data Security Standard (PCI-DSS) is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI-DSS is a multifaceted security standard that includes detailed requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
What types of requirements does PCI-DSS have?
The core of the PCI-DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security
What does TulsaConnect's PCI-DSS certification cover?
TulsaConnect's PCI-DSS certification covers Requirement 9 (Restrict physical access to cardholder data) and Requirement 12 (Maintain a policy that addresses information security) of the PCI-DSS specification. These two requirements were the most appropriate for the unmanaged co-location side of our business.
Can TulsaConnect provide a fully managed PCI-DSS compliant hosting solution?
Yes. For customers needing high-level compliance with the full list of requirements, we can architect a multi-server, fully managed PCI-DSS compliant dedicated server solution tailored to your specific needs.
TulsaConnect PCI-DSS Certification
TulsaConnect renewed its PCI-DSS certification in February of this year. The audit was performed by True Digital Security, a Tulsa-based PCI-DSS Qualified Security Assessor (QSA). For a copy of our PCI-DSS report, please contact your account representative.
TulsaConnect can provide a HIPAA compliant hosting solution for your organization.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted by Congress to create a national standard for protecting the privacy of patients' personal health information. This includes the implementation of new safeguards to protect the security and confidentiality of an individual's protected health information.
Title II of HIPAA is the portion most relevant to Information Technology. It calls for industry-standard electronic data interchange (EDI) combined with stronger security standards that will ultimately guard against fraud and abuse and eliminate unauthorized use of healthcare information. Under HIPAA, the owner of the data in an outsourcing relationship must require the service provider to maintain the confidentiality of that information.
How does HIPAA impact the services TulsaConnect provides?
While there is no true "HIPAA certification" for Data Centers and/or Hosting providers, there are general guidelines that have to be met. Without a benchmark (such as the one provided under PCI-DSS), compliance with these security and privacy rules is open to interpretation. TulsaConnect maintains a SAS 70 audit and PCI-DSS certification, which demonstrates that we exercise the utmost diligence in the evaluation and implementation of processes, policies, and systems.
How can TulsaConnect help me become HIPAA compliant?
HIPAA-compliant Hosting requires that "Covered Entities", such as HMOs, group health plans, healthcare providers, etc., meet certain standards. While the onus is on the healthcare organization to meet the listed requirements, TulsaConnect can provide a hosted I.T. infrastructure that ensures compliance with HIPAA's "security rules" as they relate to the I.T. infrastructure. A dual approach, where the customer provides the methodology for compliance and TulsaConnect provides compliant server hosting services, is the best solution for achieving compliance while remaining cost-effective for the customer.
TulsaConnect HIPAA compliancy statement
TulsaConnect earned a HIPAA compliancy statement in January 2010. The audit was performed by RavenEye, a PCI-DSS Qualified Security Assessor (QSA). For a copy of our HIPAA compliancy statement, please contact your account representative.