There are a number of certifications that qualify a data center’s capabilities on an overall basis and within specific fields like serving Government or the healthcare industry.
Years in the making, AiNET Data Centers proudly feature the following Certifications:
- SSAE-16 Type II SOC1/SOC2/SOC3: SSAE-16 is an enhancement to the previous standard for Reporting on Controls at a Service Organization, SAS 70. The changes bring reporting in the US up to date with the new international service organization reporting standard, ISAE 3402.
A SOC 1 Report (Service Organization Controls Report) is a report on controls at a service organization that are relevant to user entities' internal control over financial reporting. The SOC 1 Report is what was previously considered the standard SAS 70, complete with Type I and Type II reports, but falls under the SSAE 16 guidance.
The Service Organization Control (SOC) 2 Report is performed in accordance with AT 101 and based upon the Trust Services Principles, with the ability to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization's controls (just like SOC 1 / SSAE 16). The SOC 2 report focuses on a business's non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1 / SSAE 16, which is focused on financial reporting controls.
The SOC 3 Report, just like SOC 2, is based upon the Trust Services Principles and performed under AT 101, the difference being that a SOC 3 Report can be freely distributed (general use) and only reports on whether the entity has achieved the Trust Services criteria (no description of tests and results, and no opinion on the description of the system). The lack of a detailed report requires that a SOC 3 be performed as a Type II, unlike SOC 1 and SOC 2, where there is a Type I option. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality and privacy) and allow the organization to place a seal on its website upon successful completion.
The Trust Services Principles were designed with a focus on e-commerce systems because of the amount of private, confidential and financial information that flows across the internet daily. When customers process a transaction (with an online retailer), build a business on your service (SaaS providers), or submit private information, they want to know that best practices are being followed by the company to guard against security leaks, lost sales, and damaged data. The most common reports based upon the trust principles are referred to as WebTrust and SysTrust.
The SysTrust review encompasses a combination of the following principles:
  - Security: The system is protected against unauthorized access (both physical and logical).
  - Availability: The system is available for operation and use as committed or agreed.
  - Processing Integrity: System processing is complete, accurate, timely, and authorized.
  - Confidentiality: Information designated as confidential is protected as committed or agreed.
The WebTrust certification can fall into the following four categories:
  - WebTrust: The scope of the engagement includes any combination of the trust principles and criteria.
  - WebTrust Online Privacy: The scope of the engagement is based upon the online privacy principle and criteria.
  - WebTrust Consumer Protection: The scope of the engagement is based upon the processing integrity and relevant online privacy principles and criteria.
  - WebTrust for Certification Authorities: The scope of the engagement is based upon specific principles and related criteria unique to certification authorities.
- SAS 70 Type II: SAS 70 provides guidance to service auditors when assessing the internal controls of a service organization. The more stringent SAS 70 Type II certification report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that have been placed in operation, and on the suitability of the design of those controls to achieve the specified control objectives.
- TIA-942 Tier IV: The highest level of data center certification designated by the Telecommunications Industry Association (TIA) and sanctioned by the American National Standards Institute (ANSI). The hallmark of a TIA-942 Tier IV data center is a design and implementation that offers not just concurrent maintainability, but also fault tolerance – the ability of the data center to withstand the loss of one or more major systems. See thorough system block diagrams of AiNET's certified TIA-942 Tier IV design/implementation.
- DCID 6/9 (Director of Central Intelligence Directive 6/9): Standard addressing the construction, access control and alarming of a Sensitive Compartmented Information Facility (SCIF). Still widely known, although it has been replaced by ICD 705.
- ICD 705.2/705.3 (Intelligence Community Directive 705.2/705.3): The successor set to DCID 6/8, ICD 705.2 addresses Construction of SCIFs Within the United States (including U.S. Trusts, Territories and Possessions) while 705.3 addresses foreign locations.
- FISMA (Federal Information Security Management Act). Active High/Moderate/Low ATO.
- NIST Cloud (National Institute of Standards and Technology standards on cloud computing and security).
- DIACAP (DoD Information Assurance Certification and Accreditation Process).
- HIPAA (Health Insurance Portability and Accountability Act).
- PCI-DSS (Payment Card Industry Data Security Standard): An information security standard for organizations that handle cardholder information for credit cards, debit cards, etc.
- Sarbanes-Oxley: The Sarbanes–Oxley (“SOX”) law defines mandates and requirements for financial reporting.
- FIPS-140: Issued by the National Institute of Standards and Technology, the Federal Information Processing Standards (FIPS) 140 Series are security standards dealing with hardware and software cryptography modules.