Early to Primary Essence Hosting at Rackspace
Early Essence/Primary Essence is a secure dedicated platform hosted on the Rackspace network and always accessed over 256-bit SSL. Any data transferred is therefore protected both by our internal policies and by Rackspace's network and policies.
The security specifications of Rackspace UK, the data storage provider for Early Essence/Primary Essence, are detailed below.
- Physical Security includes locking down and logging all physical access to the data centre.
  - Data centre access is limited to authorised personnel only
  - Badges and biometric scanning for controlled data centre access
  - Security camera monitoring at all data centre locations
  - Access and video surveillance log retention
  - 24×7 onsite staff provide additional protection against unauthorised entry
  - Unmarked facilities to help maintain a low profile
  - Physical security audited by independent firms annually
- Network Infrastructure provides availability guarantees backed by aggressive SLAs.
  - High-performance bandwidth provided by multiple network providers
  - Elimination of single points of failure throughout the shared network infrastructure
  - Cables properly trunked and secured
  - Proactive network management methodology monitors network route efficiency
  - Real-time topology and configuration improvements to adjust for anomalies
  - Network uptime backed by Service Level Agreements
  - Network management performed only by authorised personnel
- Human Resources provides Rackspace employees with an education curriculum to help ensure that they understand their roles and responsibilities related to information security.
  - Reference checks taken for employees with access to customer accounts
  - Employees are required to sign non-disclosure and confidentiality agreements
  - Employees undergo mandatory security awareness training upon employment and annually thereafter
- Operations Security involves creating business processes and policies that follow security best practices to limit access to confidential information and maintain tight security over time.
  - ISO 27001/2 based policies, reviewed at least annually
  - Documented infrastructure change management procedures
  - Secure document and media destruction
  - Incident management function
  - Business continuity plan focused on availability of infrastructure
  - Independent reviews performed by third parties
  - Continuous monitoring and improvement of the security programme
- Environmental Controls are implemented to help mitigate the risk of service interruption caused by fires, floods and other natural disasters.
  - Dual power paths into facilities
  - Uninterruptible power supplies (minimum N+1)
  - Diesel generators (minimum N+1)
  - Service agreements with fuel suppliers in place
  - HVAC (minimum N+1)
  - Smoke detectors
  - Flood detection
  - Continuous facility monitoring
- Security Organisation includes establishing a global security services team tasked with managing operational risk by executing an information security management framework based on the ISO 27001 standard.
  - Security management responsibilities assigned to Global Security Services
  - Chief Security Officer oversight of Security Operations and Governance, Risk, and Compliance activities
  - Direct involvement with Incident Management, Change Management, and Business Continuity
ISO/IEC 27001:2005 (Information Security Management Systems)
Rackspace Ltd. has been certified to this standard since 2009.
Its full title is ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements. It is a voluntary, internationally recognised standard providing a framework for managing a business's security responsibilities, and it provides external assurance as to the effectiveness of the operational security controls in our working environment.
The requirements of this standard are managed via our Rackspace Business Security Management System.
ISO 27001 follows the best-practice controls documented in ISO 27002.
What does it mean for our customers?
Our ISO 27001-certified Business Security Management System demonstrates our commitment to operating our data centres in a secure and responsible manner. We align it with other associated security standards and requirements, such as PCI-DSS (see PCI-DSS tab) and our ISAE 3402 controls (see ISAE 3402 tab), to provide multiple sources of evidence of our security credentials.
What is the scope of the certification?
Our UK (four data halls across three facilities) and Hong Kong (one hall) data centres are certified to ISO 27001 under the scope of "The management of information security in the design, implementation and support of hosting solutions at our UK (LON1 & LON3) and Hong Kong (HK1) data centre facilities." The scope is planned to be expanded to our Australian data centre during 2013.
Who is the certifying body and how often are you assessed?
Certification Europe is our appointed external assessment body; we are assessed at least twice a year against a three-year audit plan.
International Standards for Assurance Engagements (ISAE) No. 3402
Its full title is International Standards for Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organisation. It is an internationally recognised auditing standard used to assess the controls in place at a third-party service organisation.
ISAE 3402 is the international counterpart of the North American SSAE 16. Together they replaced the SAS 70 auditing standard.
A SOC (Service Organisation Controls) report is produced, providing customers with externally validated and unbiased information about the nature and effectiveness of the operational controls in place at the organisation.
SOC reports are split into two types: Type I and Type II. In a Type I report the auditor evaluates the controls of an organisation at the time of the audit, as designed to prevent accounting errors and misrepresentation, and also evaluates the likelihood that those controls will produce the desired results. A Type II report includes the same information as a Type I report but additionally attempts to determine the effectiveness of the controls since their implementation; Type II reports typically use data compiled over a six-month period. A global Type II SOC 1 report is produced concerning the controls in place at Rackspace.
What does it mean for our customers?
The Rackspace Type II SOC reports can be used to satisfy requirements under both the ISAE 3402 and SSAE 16 standards. The report contains a description of the controls we have in place and the auditor's informed opinion of how effective those controls were during the audit period. The audit period for Rackspace runs from 1 October to 30 September each year. We have aligned it with our other associated security standards and requirements (ISO 27001 and PCI-DSS controls) to provide multiple sources of evidence of our security credentials.