SoftLayer data centers for government workloads were designed and built to meet the strictest standards of the U.S. government. We’ve employed the security and privacy controls defined by NIST SP 800-53, and all SoftLayer data centers for government use meet FedRAMP and FISMA compliance standards and are audited regularly in our SOC 2, Type II reports.
SoftLayer helps customers seeking HIPAA and PCI-DSS compliance by providing and meeting the necessary infrastructure-related controls for those certifications. These physical and network controls are enhanced with additional security features such as multi-factor authentication, hardware and software firewalls, vulnerability scans, anti-virus and anti-spyware protection, host-based intrusion detection, virtual private networks (IPSEC and VPN SSL), and SSL certificates.
FedRAMP (the Federal Risk and Authorization Management Program) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP authorizes cloud systems with a three-step process that includes security assessment, leveraging and authorization, and ongoing assessment and authorization. All SoftLayer data centers are built to FedRAMP standards. Data centers reserved for government workloads have FedRAMP certification pending.
The Federal Information Security Management Act of 2002 (FISMA) was created to ensure the security of data in the federal government. The act requires program officials and agency heads to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. All SoftLayer data centers are built to FISMA standards. Data centers reserved for government workloads have FISMA certification pending.
SoftLayer provides SOC 1, SOC 2 and SOC 3 reports. These reports evaluate SoftLayer's operational controls with respect to criteria set by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. The Trust Services Principles define adequate control systems and establish industry standards for service providers such as SoftLayer to safeguard their customers' data and information. Customers may download the current SoftLayer SOC 1 and SOC 2 reports from the customer portal or contact our sales team. Our SOC 3 report is available for general use and can be accessed here: SoftLayer SOC 3 Report.
Safe Harbor is an important way for U.S. companies to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities under European privacy laws. Certifying to the safe harbor will assure that EU organizations know that your company provides “adequate” privacy protection, as defined by the Directive. SoftLayer Safe Harbor Information: http://safeharbor.export.gov/companyinfo.aspx?id=18310
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. One of the mechanisms the Cloud Security Alliance uses in pursuit of its mission is the Security, Trust, and Assurance Registry (STAR)—a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings. SoftLayer STAR Consensus Assessment Initiative Questionnaire: https://cloudsecurityalliance.org/star-registrant/softlayer/
If you store or process credit card data, then PCI compliance and network security are of primary concern to your business. To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established Payment Card Industry (PCI) data security standards. These standards incorporate best practices to protect cardholder data, and they often require validation from a third-party Qualified Service Assessor (QSA). We help our customers supplement their internal security controls to meet PCI compliance by assisting with third-party auditor security walkthroughs and providing proof of physical and environmental controls while maintaining strict information security policies.
The U.S. Health Insurance Portability and Accountability Act requires specific security controls for businesses that store or process protected health information online. The SoftLayer cloud platform meets all of the necessary requirements for HIPAA on the data center/service provider side. For more information, and for assistance in achieving, certifying, and maintaining HIPAA compliance for your SoftLayer environment, please contact our sales team.
The Criminal Justice Information Systems (CJIS) Division is a division of the United States Department of Justice Federal Bureau of Investigation. The CJIS Division created and published a Security Policy (CJISD-ITS-DOC-08140-5.4), which contains minimum information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).
SoftLayer is approved and ready for CJI workloads. For more information about how to leverage SoftLayer for Criminal Justice Information workloads, download our guide on Leveraging SoftLayer for CJIS workloads.