We\u2019ve probably all been guilty at least once of spouting off an IT acronym in response to a prospective customer\u2019s question about compliance, only to see their eyes glaze over. They don\u2019t care about a string of letters, they want to know how we\u2019re going to solve their business problems.<\/p>\n
And unfortunately, when it comes to security and compliance, there are a whole lot of different acronyms our Partners need to wade through.<\/p>\n
The slew of IT compliance standards, programs, and frameworks out there today can be mind-boggling, even for IT professionals. So here we\u2019re going to take a look at the major security standards that Sherweb\u2019s managed cloud services<\/a> and our other supported services are certified for. We\u2019ll also talk about the best ways to explain them to customers.<\/p>\n Let\u2019s start with the big one. System and Organization Control 2 is the gold standard used for assessing the quality of IT service providers. Sherweb is proud to be SOC 2 Type II-certified for seven years running<\/a>.<\/p>\n SOC reports assess the reliability of service providers of many different types, including IT service providers. They receive a SOC report after completing an intensive audit of their practices and controls, performed by an independent certified public accountant. There are three different SOC reports: SOC 1 is intended only to assess financial service controls. SOC 2 and 3 both report on operational and technical service controls. They\u2019re assessed on five \u2018Trust Service Principles\u2019: Their system\u2019s security, availability, and integrity. As well as the confidentiality and privacy of their data handling practices.<\/p>\n The primary difference between SOC 2 and 3 reports are their intended audiences. SOC 3 reports are designed to be public-facing documents. SOC 2 reports offer more confidential details about the service provider\u2019s operations, and so are only available to customers under contract and\/or NDA.<\/p>\n At the end of the SOC audit, the CPA issues a Type I report verifying that the service provider is capable of meeting all the standards. Some providers, like Sherweb, take the audit a step further and get a Type II report, where the CPA verifies that the service provider\u2019s standards and practices have actually been consistently applied over time.<\/p>\n Customers just want to know that their IT assets are safe and will be available when they need them. If your customer isn\u2019t going to know what SOC 2 is, one useful approach is to explain the underlying Trust Service Principles that Sherweb\u2019s services are certified. You can short-hand \u2018Type II\u2019 by saying that the provider has been certified at the highest standard by an independent auditor.<\/p>\n Then there are customers in more heavily-regulated industries, who are often already familiar with SOC. These are easier to deal with. Saying you can put their apps and data in a SOC 2 Type-II certified cloud environment should make them relax, because it often means half their next audit is already done for them, since they\u2019re \u2018inheriting\u2019 Sherweb\u2019s certified practices.<\/p>\n This is another one we\u2019re proud to hold. Not only have we received SOC 2 certification for our own infrastructure and processes, we\u2019re also SOC 2-certified for managing Office 365 for your customers.<\/p>\n Since Microsoft\u2019s cloud services are already SOC 1, 2, and 3-certified<\/a>, our own SOC 2 certification is validation of our practices managing your customers\u2019 O365 tenants. For example, the reliability of our user and ACL configurations, and the confidentiality we have built into our processes for managing their user and organizational requests.<\/p>\n One of the main concerns we\u2019ve heard from customers resistant to cloud services is they feel that the infrastructure they rely on will be out of their control. If you\u2019re talking to a customer with that concern you can explain that Sherweb\u2019s O365 service practices have been independently audited and verified to be at the highest levels of reliability and confidentiality.<\/p>\n And unlike working with Microsoft alone, Sherweb can handle the O365 migration and onboarding top-to-bottom for your customers. They\u2019ll have a dedicated migration specialist and 24\/7 support available for all issues, not just ones Microsoft internally classifies as \u2018critical.\u2019<\/p>\n Our Performance Cloud<\/a> platform is compliant with the Payment Card Industry Data Security Standard, verified annually by an independent auditor.<\/p>\n Any business that wants to process, store, or transact credit card payments needs to run PCI-DSS compliant network infrastructure or IaaS. The DSS was originally developed to protect against credit card fraud, but over time as threats have evolved, it\u2019s become the de facto<\/em> payment card security standard. It has 12 underlying and lengthy key requirements. These group together into six requirement categories, which we\u2019ve found are more meaningful to customers. They stipulate that a service provider must:<\/p>\n Unless your customers are doing cash-only business they should care about this. They\u2019ll want to know that their own<\/em> customers\u2019 transaction data will be handled securely. Which in turn protects both their own finances and their reputation.<\/p>\n You can tell them that moving to Sherweb Performance Cloud infrastructure puts their transactions on a platform that meets the strict standards of the payment card industry’s governing body.<\/p>\n Sherweb is also a service provider for Azure, which supports a variety of different compliance standards on its own. It meets SOC 2 and 3, and PCI-DSS standards, just like Sherweb\u2019s own offerings. But we can also stand up Azure environments that meet many other standards that your customers may care about. Three of the most important are ISO-27001, FedRAMP, and HITRUST for HIPAA.<\/p>\n First, Azure is ISO-27001 <\/strong>compliant. This standard mandates that an organization have more than just a certain number of security controls in place, they need a fully-fledged information security management system to keep those controls organized and up to date.<\/p>\n Often times, startups or smaller customers going for private funding will benefit from showing\u2014\u2014or may need<\/em> to show\u2014investors that they have an infosec management system (ISMS) in place. Showing that their cloud services are ISO-27001 compliant makes that easy. Also, state, provincial, and federal programs will sometimes require this certification to award contracts.<\/p>\n Speaking of Federal compliance, Azure and O365 also meet FedRAMP<\/strong><\/a> standards. FedRAMP mandates a set of controls as part of an overall security program that contractors for many US Federal agencies need to hold.<\/p>\n If your customers already do business with the US government they should be familiar with this, and be happy to hear that you can easily provision compliant environments. And if you hear from customers who are thinking about pursuing a US government contract it\u2019s worth pointing out that this is a program they\u2019ll need to comply with, and that you\u2019re able to provision what they need.<\/p>\n Azure environments can also be configured according to the HITRUST Common Security Framework<\/strong>. This is a set of security standards designed to ensure IT infrastructure meets HIPAA patient data privacy requirements. Penalties for HIPAA breaches can easily reach into the millions of dollars.<\/p>\n Provisioning a HIPAA-compliant computing environment on in-house infrastructure is usually time-consuming and cumbersome. So you can tell your customers that migrating to Azure means they can deploy HIPAA-compliant environments using predefined blueprints<\/a> basically on demand, without weeks, months, or even years of planning.<\/p>\n These are just some of the standards that Sherweb can make Azure environments compliant with. The platform is also able to work with GDPR<\/a> and a variety of other European, global, US, and industry-specific requirements<\/a>.<\/p>\n That\u2019s a lot of security standards. What all of this boils down to is that when you\u2019re sitting across the table from a prospective customer, no matter what industry, and they ask if their data is safe with you, you can reply, \u201cyes\u201d with confidence. Sherweb\u2019s service portfolio gives you secure, compliant IaaS options for any customer need.<\/p>\n If you have a tricky security issue, feel free to contact <\/a>Sherweb\u2019s<\/a> cloud experts<\/a> for help finding the right solution for your customer.<\/p>\n","protected":false},"excerpt":{"rendered":" We\u2019ve probably all been guilty at least once of spouting off an IT acronym in response to a pro","protected":false},"author":177,"featured_media":18454,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[753],"tags":[349,919],"class_list":["post-18449","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-compliance","tag-cybersecurity"],"yoast_head":"\nSOC2 Type II Certification<\/strong><\/h2>\n
What Is It?<\/h3>\n
What Customers Actually Care About<\/h3>\n
SOC2 for Office 365<\/strong><\/h2>\n
What Is It?<\/h3>\n
What Customers Actually Care About<\/h3>\n
PCI-DSS Compliance<\/strong><\/h2>\n
What Is It?<\/h3>\n
\n
What Customers Actually Care About<\/h3>\n
MS Azure Compliance Portfolio<\/strong><\/h2>\n
What Are They and Why Do They Matter?<\/h3>\n
It\u2019s All About Trust<\/strong><\/h2>\n