If you’re searching for a new colocation provider or simply need to update your requirements for the new year, read on for a list of priority questions to ask potential or existing providers to ensure they’re operating at the highest level of security and efficiency. The last thing you want to deal with is finding out they’re not up to par only after something goes awry and your company is suffering from prolonged downtime and outages.
Many audits and compliance requirements that affect data center operators have undergone significant changes in just the past few years – find out which ones apply to you below.
Is your data center SOC 2, SOC 1 (SSAE 16) audited? The outdated SAS 70 standard no longer applies when it comes to auditing and measuring the security and operating levels of colocation facilities. A SOC 2 Type 1 and Type 2 audit report measures the security, availability, processing integrity, confidentiality and privacy controls of a data center’s system, as well as the operating effectiveness of these controls. Note: SOC 2 offers a more detailed version of a SOC 3 report, and not all SOC 2 reports are alike. Check the report carefully to review which criteria the provider’s independent auditor has covered.
What kind of compliance requirements can you meet? Depending on what industry you are in, you may need a colocation provider that has been independently HIPAA audited against the OCR Audit Protocol (for healthcare), or one that has an attestation of PCI DSS compliance (for retail/e-commerce). Or, if in the financial industry, you may need SOX compliance. HIPAA hosting has its own set of requirements separate from PCI hosting and SOX hosting.
Where are your data centers located? An ideal location is safe from natural disasters, has a naturally cool climate, and is convenient for high availability and disaster recovery solutions. For example, Michigan colocation offers a location free from destructive floods, hurricanes, tornadoes and other unpredictable natural disasters, ensuring your servers aren’t at risk.
Is there 24×7 support offered by the managed colocation provider? Find out what type of staff certification and training your colocation provider has on hand for full support.
What is being monitored, and how? What kind of monitoring capabilities are available for the client? Ask which metrics are included in monitoring by your managed colocation provider, what type of logging and reports will be sent out, and how often. Ask about notifications and alerts that tell you about your bandwidth use, firewall rules, IP address blocks and more – and find out how configurable these options are, and how you will be notified, whether by phone, email or text. Find out if, and how, you can monitor your own servers remotely via an online client portal.
Is data being backed up and how? Is it onsite or offsite backup, online or tape? How often is it backed up and for how long? What software is used to back up the data and what procedures does the managed colocation provider have in place to ensure that none is lost?
What happens if the server malfunctions, or other issues arise? Who is going to troubleshoot and identify the problem? Is the client responsible for the parts or the labor or both? Who will coordinate the resolution to the problem, and what kind of processes are in place?
Are changes to the server being tracked and logged? What type of patch management is offered? Are changes to the server’s configuration tracked and logged by the managed colocation provider? Find out what is included in your managed colocation solution.