Compliance Management
Security and Compliance
CenturyLink® Technology Solutions

Compliance

The CenturyLink Compliance Management team is dedicated to continually improving and maintaining the compliance certifications that are critical to our customers. Through disciplined assessment and audit processes, CenturyLink has implemented comprehensive practices for SSAE 16 SOC 1, PCI DSS, ISO 27001, Safe Harbor, Global Risk Management, Business Continuity and Disaster Recovery (BCDR), HIPAA, and FISMA (NIST 800-53). We engage external audit firms to perform multiple types of assessments designed to address our customers’ diverse compliance requirements. One of these external firms is BrightLine CPAs & Associates, Inc. BrightLine is the first and only company in the world accredited to perform a suite of services that includes SSAE 16 (SOC 1) examinations, SOC 2 and SOC 3 examinations, PCI DSS compliance validation, ISO 27001 certification, and FedRAMP assessment services.

SSAE 16 / ISAE 3402 (SOC 1) Program

CenturyLink undergoes an annual combined examination under Statement on Standards for Attestation Engagements (SSAE) No. 16 and International Standard on Assurance Engagements (ISAE) 3402. The certification validates CenturyLink’s commitment to operational excellence and client satisfaction.

The SSAE 16 (SOC 1) Type II report covers the period from October 1 through September 30 each year. A Type II examination means that an independent service auditor has formally evaluated and issued an opinion on the description of selected CenturyLink systems and on the suitability of the design and operating effectiveness of the applicable controls.

This audit report includes controls related to managed security services, change management, service delivery, support services, environmental services, logical and physical security, managed hosting services, and managed storage and backup services in CenturyLink’s data centers in Asia, EMEA, and North America. Report copies can be provided upon request, subject to CenturyLink’s Non-Disclosure Agreement.

CenturyLink can also supply a mid-year SOC 1 report geared towards colocation customers. That report covers the period from October 1 through June 30 and includes physical security and facility and environmental protection services.

Data Centers

U.S.: Albuquerque, NM; Atlanta, GA; Boston, MA; Chicago, IL; Columbus, OH; Dallas, TX; Denver, CO; LA/Orange Co., CA; Metro NY/NJ; Minneapolis, MN; Seattle, WA; Silicon Valley, CA; St. Louis, MO; Tampa, FL; Washington, D.C.
Canada: Montreal; Toronto; Vancouver
Europe: Frankfurt; London
Asia: Hong Kong; Singapore; Tokyo

PCI DSS 2.0 Reports on Compliance (ROCs)

CenturyLink is currently listed on Visa’s list of PCI compliant service providers. This listing is possible because we have obtained the following passing Reports on Compliance (ROCs):

• Data Center Services (Japan, Singapore, UK, Germany, North America, and Canada): physical and administrative security controls in the majority of CenturyLink-branded data centers.
• Managed Firewalls and NIDS Services (not location specific): Cisco ASA and Check Point firewalls, and Network Intrusion Detection Systems (NIDS).

CenturyLink’s auditors provide a “ROC Letter” that confirms CenturyLink’s compliance with specific PCI controls and lists the applicable locations and services. This ROC Letter is available upon request, subject to CenturyLink’s Non-Disclosure Agreement.

For customers requiring a broader PCI commitment than our current ROCs, CenturyLink has developed a detailed matrix of the PCI controls that defines which party is responsible for each control and describes that responsibility. This matrix is vetted against the specific solution sold to the customer and is appended to a PCI Addendum defining CenturyLink’s obligations with respect to the matrix. While this is not a guarantee of PCI compliance, CenturyLink customers have provided feedback that this approach is one of the most helpful in the industry when it comes to comprehensively addressing PCI.

ISO 27001

CenturyLink currently maintains ISO 27001 certification for operations and data centers in Singapore, the United Kingdom, Germany, and Japan. ISO 27001 is an international standard providing a model for establishing, operating, monitoring, and improving an Information Security Management System (ISMS). The ISO 27001 certification allows CenturyLink to demonstrate that effective information security processes are defined and implemented. Interim ISO 27001 audits are conducted annually to support a three-year renewal cycle. The most recent renewal certification audit was completed in 2013.

Safe Harbor Certification (EU Data Directive)

CenturyLink adheres to the Safe Harbor Principles administered by the United States Department of Commerce in consultation with the European Commission and the Federal Data Protection and Information Commissioner of Switzerland with respect to personal information within the scope of this Policy. CenturyLink will conduct annual assessments to confirm the accuracy of, and verify its adherence to, this Policy. CenturyLink will investigate suspected infractions and will take all appropriate action. CenturyLink’s Safe Harbor Policy can be found at: http://www.centurylinktechnology.com/safe-harbor-policy

HIPAA

CenturyLink expects to self-certify, in accordance with the NIST 800-66 controls, and provide a report that demonstrates adherence to the HIPAA Security Rules. Requests for use of a Business Associate Agreement will be evaluated on a case-by-case basis within the context of the customer’s specific services and solutions.

For customers requiring specific HIPAA commitments, CenturyLink has developed a detailed matrix of the HIPAA Security Rules controls that defines which party is responsible for each control and describes that responsibility.

For more information about CenturyLink Technology Solutions, visit www.centurylink.com/technology.

Services not available everywhere. Business customers only. CenturyLink may change or cancel services or substitute similar services at its sole discretion without notice. ©2014 CenturyLink, Inc. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product names are the property of CenturyLink, Inc. All other marks are the property of their respective owners. Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members.