ViaWest understands that our customers are subject to varying compliance and regulatory obligations. In order to effectively meet our customers’ needs, ViaWest's compliance group has created a security, governance and risk management framework of policies, procedures and standards that draws on many areas. Our policies, procedures and standards are based on aspects of the following control specifications:
- ISO/IEC 27000 series
- NIST 800-53
- Information Technology Infrastructure Library (ITIL)
- Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- Federal Information Security Management Act (FISMA)
- Gramm-Leach-Bliley Act (GLBA) Interagency Guidelines
- Payment Card Industry (PCI) Data Security Standard v2.0
- Trust Services Principles and Criteria
Often, our customers have requirements above and beyond what our standard process or product offerings provide. In these situations, ViaWest will work with you, our customer, to tailor products or processes where possible and develop an ideal solution that is centered around you.
ViaWest’s Reports and Accreditations
ViaWest’s in-house compliance team obtains independent auditor reports and certifications annually. These provide our customers and their auditors the information on the design and operating effectiveness of ViaWest’s operational controls that is likely to be relevant to our customers’ internal control systems. By obtaining these reports, ViaWest saves our customers the time and expense of sending in their own auditors in addition to providing our customers the assurance they need regarding the assets and information within our data centers.
The independent auditor reports or certifications that ViaWest obtains include:
SOC 1/SSAE 16/ISAE 3402 SOC 1 Type II Report
ViaWest has obtained a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report is specifically intended to meet the needs of ViaWest customers and their auditors, as they evaluate the effect of the controls at ViaWest on their financial statement assertions. The SOC 1 report attests that ViaWest’s control objectives are appropriately designed and operating effectively. This report is available for ViaWest customers via the MySupport portal.
SOC 2 on the Security and Availability Trust Services Principles
In addition to the SOC 1 report, ViaWest obtains a Service Organization Controls 2 (SOC 2), Type II report. Like the SOC 1, the SOC 2 is an attestation report on controls, but it evaluates those controls against the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as ViaWest. The ViaWest SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security and availability principles set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into ViaWest security and availability controls based on a pre-defined industry standard of leading practices and further demonstrates ViaWest’s commitment to providing our customers with assurance, confidence and transparency. This report is available to ViaWest customers through our customer service portal, MySupport.
SOC 3 on the Security and Availability Trust Services Principles
ViaWest’s SOC 3 report is a Trust Services Report (Trust Services Principles, Criteria, and Illustrations) specifically designed to meet the needs of customers and potential customers who want assurance about ViaWest controls related to one or more of the Trust Services Principles (security, availability, processing integrity, confidentiality, or privacy) but do not need the level of detail provided in a SOC 2 Report. ViaWest’s SOC 3 report on the Security and Availability Trust Services Principles is available to view by clicking the SysTrust seal above and for ViaWest customers via the MySupport portal.
HIPAA Report for Physical Controls
Though ViaWest does not store, transmit, or process electronic Protected Health Information (ePHI), we acknowledge that our customers might. As a result, ViaWest engaged Coalfire Systems, a leading IT Governance, Risk and Compliance firm, to conduct an independent assessment of the physical components of ViaWest’s Colocation and Managed Service hosting offerings for compliance with the physical security-related safeguards associated with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. This assessment report applies to ViaWest’s Cornell, Synergy Park, DeLong and Arapahoe facilities and can be accessed from ViaWest’s customer service portal, MySupport.
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage, enhance and facilitate the broad adoption of consistent data security measures for cardholder data globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.
Compliance with the standard requires organizations to:
- Build and maintain a secure network - PCI DSS sections 1 & 2
- Protect cardholder data - PCI DSS sections 3 & 4
- Maintain a vulnerability management program - PCI DSS sections 5 & 6
- Implement strong security measures - PCI DSS sections 7, 8 & 9
- Regularly test and monitor networks - PCI DSS sections 10 & 11
- Maintain an information security policy - PCI DSS section 12
Attestation of Compliance documents for our physical security (PCI DSS section 9), our information security policies (PCI DSS section 12) and our managed firewall service (sections 1, 2, 6, 8, 9 & 12 as applicable) are available for customers installed in our Cornell, DeLong, Synergy Park and Arapahoe facilities. This compliance has been validated by an authorized independent Qualified Security Assessor.
United States-European Union Safe Harbor Privacy Framework
US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive 95/46/EC on the protection of personal data. The process was developed by the US Department of Commerce in consultation with the EU. The Safe Harbor Principles are designed to prevent accidental information disclosure or loss. ViaWest annually reregisters its adherence to the program.
These achievements demonstrate our commitment to processes and standards that enable us to maintain the governance and security controls our customers need to help meet their regulatory obligations. By having a dedicated compliance department we believe we are uniquely qualified to provide high-quality services to our customers.