Reference: https://www.softlayer.com/compliance
SOC 2 Compliance (Service Organization Control): reports on the data center's controls:
Security: protected against both physical and logical unauthorized access
Availability: the system is up and running as committed or agreed
Processing integrity: processing is complete, accurate, timely and authorized
Confidentiality: information deemed confidential is protected as committed or agreed. (Personal information is collected, used, retained, disclosed and disposed of correctly.)
SOC requires a written description of all of the above and of how each control applies in the environment.
More can be found here: http://www.trustnetinc.com/Compliance/soc-2-report-what-is-it.html
http://www.ssae16.org/white-papers/soc-1-vs-soc-2.html
(SOC 1) SSAE No. 16 Audits (Statement on Standards for Attestation Engagements No. 16): a more in-depth controls audit of:
Security
Availability
Processing integrity
Confidentiality
SOC 2 was created on top of the SOC 1 framework.
NDA – non-disclosure agreement
US-EU and US-Swiss Safe Harbor Frameworks:
The European Commission’s Directive on Data Protection went into effect in October 1998 and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection.
While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU.
SoftLayer partners with McAfee to scan customer servers and certify compliance with PCI-DSS (free PCI scanning for all SL customers).
PCI-DSS - The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents.
FISMA - requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
HIPAA- The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.
SoftLayer will sign a Business Agreement (BA), as defined by the customer's risk management framework, once the compliance obligations have been agreed upon.
To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.