Cologix has achieved ISO/IEC 27001:2013 (ISO 27001) certification for the information security management system (ISMS) supporting its Data Center Colocation and Interconnection Services at the specified corporate office and data center facility locations. ISO 27001 is an internationally recognized standard that demonstrates an organization’s commitment to establishing a management system for information security and to improving it continually over time. An ISMS is a holistic approach to securing the confidentiality, integrity, and availability (CIA) of corporate information assets; it consists of policies, procedures and other controls involving people, processes and technology.
Risk management forms the cornerstone of an ISMS. Regular information security risk assessments are conducted to determine which security controls to implement and maintain, and to ensure the effectiveness of the ISMS. The ISO 27001 standard defines its requirements for the risk management process, including risk assessment and risk treatment.
The Health Insurance Portability and Accountability Act (HIPAA) regulation was enacted in 1996 and applies to covered entities, as well as business associates (organizations that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity) and subcontractors (organizations that create, receive, maintain, or transmit PHI on behalf of a business associate). Subcontractors are also considered business associates.
The HIPAA Security Rule includes 22 Standards and 50 Implementation Specifications and is applicable to all business associates.
The HITECH Breach Notification Rule includes 4 Standards and 9 Implementation Specifications of which a subset is applicable to business associates.
Cologix receives an annual independent third-party assessment of its controls in relation to the HIPAA Security Rule and HITECH Breach Notification Rule.
SOC 1 Type 2
The controls addressed in a SOC 1 examination are those that Cologix implements at its sole discretion to prevent, detect and correct errors or omissions in the information it provides to its customers.
By engaging an independent CPA to examine and report on Cologix’s controls, Cologix can respond to the needs of its customers and obtain an objective evaluation of the effectiveness of its operational and compliance controls that may have a direct or indirect impact on its customers’ financial reporting. Cologix undergoes an annual SOC 1 Type 2 examination that opines on management’s description of the service organization’s system and on the suitability of the design and operating effectiveness of its controls.
SOC 2 Type 2
SOC 2 reports are attestation reports that opine on an organization’s controls that are relevant to the AICPA’s Trust Services Categories and related Criteria. Cologix’s Data Center Colocation and Interconnection Services are evaluated using the following Trust Services Categories and related Criteria as part of its annual SOC 2 Type 2 examination.
- Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability – Information and systems are available for operation and use to meet the entity’s objectives.
PCI DSS Validation
PCI DSS applies to all entities, both service providers and merchants, that store, process, and/or transmit cardholder data. PCI DSS evaluates a merchant’s or service provider’s controls to protect payment card data from unauthorized access or use. This includes a set of technical and operational controls, including physical security, and ongoing security operations to maintain a compliant security posture year-round.
The Payment Card Industry Data Security Standard (PCI DSS) validation must be performed by an accredited Qualified Security Assessor (QSA) Company. PCI DSS includes a set of detailed requirements and defined testing procedures that must be performed during the validation process for each requirement determined to be in scope for the service provider or merchant.
At the conclusion of each annual engagement, Cologix receives a Report on Compliance (ROC) and Attestation of Compliance (AOC). The AOC includes a summary of the assessment findings and conclusion along with sign-offs from both the QSA Company and the Organization.