Compliance with standards and regulations
When it comes to cloud computing, many organizations are concerned with compliance with standards and regulations, and many of the applications that organizations would like to deploy to the cloud are governed by some form of regulatory standard. If you require additional information regarding your particular regulatory requirements, contact Acquia. This page summarizes Acquia's compliance with the following governmental and non-governmental standards and regulations:
- SOC 1 (SSAE No. 16 and ISAE No. 3402)
- SOC 2
- PCI DSS (Payment Card Industry Data Security Standard)
- FedRAMP and FISMA
- CSA STAR (Cloud Security Alliance Security, Trust and Assurance Registry)
- Safe Harbor
- EU cookie regulations
- Section 508
Statement on Standards for Attestation Engagements (SSAE) No. 16 is an American auditing standard issued by the American Institute of Certified Public Accountants (AICPA) and is used to create a SOC 1 branded report. Acquia’s SSAE 16 audit report is aligned with the International Standard on Assurance Engagements (ISAE) No. 3402 auditing standard. This allows the report to be recognized both in the U.S. and throughout the world.
Acquia has a SOC 1 SSAE 16/ISAE 3402 Type 2 audit performed on an annual basis by an independent third-party audit firm. The audit report attests to the design and operating effectiveness of Acquia’s business and security controls safeguarding systems and data. Acquia’s SSAE 16/ISAE 3402 audit report is available to current customers and prospective customers upon request and with a fully executed nondisclosure agreement (NDA).
A Service Organization Control (SOC) 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report. SOC 2 reports are based on the following AICPA Trust Services Principles and Criteria:
- Common Criteria (Security) — The system is protected against unauthorized access (both physical and logical).
- Availability — The system is available for operation and use as committed or agreed.
- Processing Integrity — System processing is complete, accurate, timely, and authorized.
- Confidentiality — Information designated as confidential is protected as committed or agreed.
- Privacy — Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles issued by the AICPA and CICA.
The Trust Services Principles and Criteria (TSPC) of security, availability, and processing integrity are used to evaluate whether a system is reliable.
Acquia has a SOC 2 Type 2 audit performed annually by an independent third-party audit firm. The audit report attests to the suitability of the design and operating effectiveness of Acquia’s controls to meet the Security, Availability, and Confidentiality trust services criteria. Acquia’s SOC 2 audit report is available to current customers and prospective customers upon request and with a fully executed NDA.
Payment Card Industry Data Security Standard (PCI DSS) compliance applies to any organization that stores, transmits, or processes credit card data. PCI compliance is important; failure to become PCI compliant may expose your business to legal and financial liabilities. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard helps organizations proactively protect customer account data.
The majority of Acquia Cloud Enterprise sites with e-commerce capabilities use third-party credit card processors, embedding the secure payment form code within their site so that credit card data is sent directly from the end user to the credit card processor. Because credit card data is not stored on the site that implements e-commerce in this way, the PCI compliance requirements are minimized.
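The direct-to-processor pattern described in the paragraph above, as an added example that is not Acquia's code or any payment processor's SDK: `tokenizeWithProcessor` is a hypothetical stand-in for a processor's client-side library, and the card number (the widely used Visa test number), the order and the log lines are constructed samples. Besides the hand-off itself, the block includes a Luhn-based scan a merchant can run over the requests and logs its own servers receive, to confirm that no card number reached the site and that the scope reduction actually holds.

```javascript
// Added example, not Acquia's code: browser-side hand-off of card data to a
// hypothetical processor, so that only an opaque token reaches the merchant's
// own server, plus a Luhn-based PAN (primary account number) scan the merchant
// can run over its own request logs to verify card data stayed out of scope.

// Hypothetical processor SDK (constructed stand-in; real SDKs have their own API).
// In production the browser calls the processor's origin directly and the
// merchant server is never on the path. The token is an opaque reference, not
// derived from the PAN; the counter only makes this simulation deterministic.
let tokenSeq = 0;
function tokenizeWithProcessor(card) {
  tokenSeq += 1;
  return { token: 'tok_sim_' + String(tokenSeq).padStart(6, '0'), last4: card.number.slice(-4) };
}

// Merchant page: build the payload that is posted to the merchant's own server.
// Only the token, the display-safe last four digits and the order data go through.
function buildOrderPayload(card, order) {
  const { token, last4 } = tokenizeWithProcessor(card);
  return {
    orderId: order.orderId,
    amountCents: order.amountCents,
    paymentToken: token,
    cardLast4: last4,
  };
}

// Luhn check over a string of 13 to 19 digits (the card number length range).
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i -= 1) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find digit runs (spaces or dashes allowed between digits) that pass Luhn.
// Timestamps and order IDs normally fail the check, which keeps false
// positives low when scanning logs.
function findCardNumbers(text) {
  const runs = text.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.map((r) => r.replace(/[ -]/g, '')).filter(luhnValid);
}

// Returns the indices of log lines that carry something that looks like a PAN.
function scanLogLines(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    if (findCardNumbers(line).length > 0) hits.push(i);
  });
  return hits;
}

// Constructed sample data. The card number is the well-known Visa test PAN,
// not a real account.
const SAMPLE_CARD = { number: '4111111111111111', expiry: '12/29', cvv: '123' };
const SAMPLE_ORDER = { orderId: 'ORD-2024-00017', amountCents: 4999 };

// Constructed access-log lines; the third simulates a misconfigured form that
// posted the PAN to the merchant server in a query string.
const SAMPLE_LOG = [
  '2024-01-01T12:00:00Z POST /checkout token=tok_sim_000001 order=ORD-2024-00017',
  '2024-01-01T12:00:01Z GET /order/20240101120000 status=200',
  '2024-01-01T12:00:02Z POST /checkout?card=4111-1111-1111-1111 status=200',
];

// Run the hand-off and the scan; returns whether the merchant payload is free
// of card data and which log lines leaked a PAN.
function demo() {
  const payload = buildOrderPayload(SAMPLE_CARD, SAMPLE_ORDER);
  return {
    payloadClean: findCardNumbers(JSON.stringify(payload)).length === 0,
    leakedLines: scanLogLines(SAMPLE_LOG),
  };
}
```

The scan is a sanity check on what the merchant's servers actually receive, not a substitute for the SAQ or a QSA's scope determination: a single form field that posts the card number to the site (as in the third constructed log line) pulls that site back into full PCI scope regardless of the intended design.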
Acquia Cloud Enterprise provides a PCI-compliant platform foundation for building PCI-certified Drupal sites. Both Acquia Cloud Enterprise and Amazon Web Services have been QSA-validated as complying with the standards applicable to a Level 1 service provider under PCI DSS Version 2.0.
For more on Amazon’s PCI accreditation, see http://aws.amazon.com/compliance/pci-dss-level-1-faqs/.
As a merchant, Acquia does not store its customers' credit card data when customers use credit cards to procure its services. Acquia has a completed PCI Self-Assessment Questionnaire C (SAQ C) on file and is certified quarterly by SecurityMetrics.
As a Cloud Service Provider (CSP) supporting U.S. government agencies and departments, Acquia is committed to meeting the guidelines of the Federal Risk and Authorization Management Program (FedRAMP). Completing FedRAMP will provide government organizations with insight into Acquia’s security architecture and the continuous monitoring processes related to the Acquia Platform as a Service (PaaS).
Due to the transition from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 3 to Revision 4 requirements, Acquia is in the process of re-engaging a certified third-party assessment organization (3PAO) to complete the security control assessment of Acquia Cloud Enterprise. The assessment is tentatively scheduled for Q2 2015. Once the assessment is complete, Acquia’s FedRAMP package will be made available to government customers via the FedRAMP repository.
Acquia Cloud is built on Amazon AWS and thus inherits Infrastructure layer controls from Amazon. Separately, Amazon AWS has received FedRAMP authorization for the Infrastructure layer.
Acquia enables US government agencies to achieve and sustain compliance with FISMA. Numerous Federal organizations have successfully achieved security authorizations and made risk-based decisions to allow sites to be hosted on Acquia Cloud in accordance with the Risk Management Framework (RMF) process defined in the NIST Special Publication (SP) 800-37. Acquia's platform has helped federal agencies expand cloud computing use cases and deploy sensitive government data and applications in the cloud, while complying with the rigorous security requirements of federal standards.
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The CSA is led by a broad coalition of industry practitioners, corporations, associations, and other key stakeholders.
CSA's Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by cloud computing offerings, thereby helping organizations assess the security of cloud providers they currently use or are considering contracting with. Acquia has completed and published its Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document the security controls in our PaaS (platform as a service) offering. The CAIQ provides a set of over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider.
Acquia's CAIQ is available for download from the CSA STAR registry.
Safe Harbor is a certification program run by the US Department of Commerce that aims to harmonize data privacy practices between the US and the stricter privacy regulations of the European Union (EU). Acquia was registered with the Safe Harbor program on February 7, 2012. To view Acquia's certification with Safe Harbor, see http://safeharbor.export.gov/companyinfo.aspx?id=22159.
Drupal sites, like the vast majority of websites, make use of session cookies and may employ other types of cookies. Acquia's customers should consult their legal counsel as to whether their website is required to obtain consent before storing cookies on the devices of EU users. Acquia can work with its customers to implement technical solutions, including modules or custom code, in order to satisfy the requirements set by the customers' legal counsel.
Acquia abides by all privacy laws and regulations that are applicable to our hosting services and to our customers that host sites that may contain personal information on Acquia Cloud. Acquia personnel have logical access to customer data stored in customer sites only if they are authorized and have a need for access due to their job function. Neither Amazon nor any other third party employed by Acquia has logical access to customer data housed in customer sites hosted on Acquia Cloud. Acquia does not transfer customer data hosted on Acquia Cloud outside of Acquia Cloud or to any third party without customer authorization.
Customers must ensure that privacy concerns and regulations are addressed and adhered to at the application layer where customer personnel may have logical access to personal information uploaded or stored in customer sites.
In 1998, the US Rehabilitation Act was amended to require federal agencies to make their electronic and information technology accessible to people with disabilities. Section 508 was enacted to eliminate barriers in information technology, to make new opportunities available for people with disabilities, and to encourage development of technologies that will help achieve these goals. The law applies to all federal agencies when they develop, procure, maintain, or use electronic and information technology.
Drupal has been used to create many Section 508-compliant websites. For more information on how to ensure Section 508 compliance for your Drupal site, see our white paper on this topic: https://www.acquia.com/collateral/drupal-and-section-508-compliance.