Certifications and Accreditations
Carpathia solutions have all been engineered with compliance in mind. This isn't an afterthought; it's in the DNA of everything we do, from helping clients meet the unique needs of the federal cloud to ensuring PCI, SOX and HIPAA compliance. The certification landscape is continuously evolving, and partnering with Carpathia ensures you are always putting your best foot forward in maintaining compliance and safeguarding your customers' data. We are actively involved in the community to help shape and evolve current standards across the board. As frequent speakers at industry events, with active involvement in industry working groups such as ARIN and the Green Grid, we ensure you have the appropriate compliance posture.
Carpathia Held Certifications
AT 101 SOC 2, Type 2 - SOC 2 reports are issued under the AICPA's AT Section 101 attestation standard and are part of the Service Organization Control (SOC) reporting framework that replaced SAS 70. Where a SAS 70 Type 2 report was limited to controls relevant to financial reporting, a SOC 2 examination covers the Trust Services Principles of Security, Availability, Processing Integrity, Confidentiality and Privacy, and a Type 2 report tests the operating effectiveness of those controls over a period of time rather than at a single point. The report is produced by an independent auditing firm and renewed annually.
SAFE HARBOR - The European Union's Directive on Data Protection (95/46/EC) came into effect in October 1998. It prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection.
The Safe Harbor framework, approved by the EU in July 2000, is an important way for U.S. companies to avoid interruptions in their business dealings with the EU or prosecution by European authorities under European privacy laws. Certifying to the Safe Harbor assures EU organizations that your company provides "adequate" privacy protection as defined by the Directive. Its principles include:
Notice: Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.
Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data integrity: Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete and current.
Carpathia has helped hundreds of customers achieve compliance with regulatory and industry standards, including:
Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)
The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the United States Department of Defense (DoD) process for ensuring that risk management is applied to information systems (IS). DIACAP defines a DoD-wide, formal and standard set of activities, general tasks and a management structure for the certification and accreditation (C&A) of a DoD IS so that its information assurance (IA) posture is maintained throughout the system's life cycle.
An interim version of DIACAP was signed on July 6, 2006 and superseded DITSCAP. The final version, Department of Defense Instruction 8510.01, was signed on November 28, 2007 and supersedes the Interim DIACAP Guidance.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard maintained by the Payment Card Industry Security Standards Council (PCI SSC). The PCI security standards are technical and operational requirements created to help organizations that process card payments prevent credit card fraud, hacking and other security threats. Any organization that stores, processes or transmits cardholder data must meet these standards; the PCI SSC also publishes guidance for software developers and manufacturers of the applications and devices used in those transactions.
All in-scope companies must validate their compliance annually. Validation can be performed by a Qualified Security Assessor (QSA), a company that has completed a three-step certification process with the PCI SSC and is recognized as qualified to assess compliance with PCI DSS. Smaller companies may instead complete a Self-Assessment Questionnaire (SAQ); whether the SAQ must be validated by a QSA depends on the requirements of the card brands in that merchant's region.
Federal Information Security Management Act - FISMA
The E-Government Act of 2002 (Public Law 107-347) was passed by the 107th Congress and signed into law in December 2002. It recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, the Federal Information Security Management Act (FISMA), requires each federal information system to undergo a certification and accreditation process that certifies the system has implemented the minimum security controls and processes needed to protect the confidentiality, integrity and availability of government data. Carpathia's federally compliant and secure data centers and solutions meet or exceed federally mandated requirements so that customer-hosted applications can achieve accreditation and FISMA compliance.
Health Insurance Portability and Accountability Act - HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-191) was enacted by the U.S. Congress in 1996 and was originally sponsored by Sen. Edward Kennedy and Sen. Nancy Kassebaum. According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers.
The Administrative Simplification provisions also address the security and privacy of health data. These standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange. Carpathia's compliant and secure data centers and solutions meet or exceed the standards that ensure an organization remains HIPAA compliant.
Sarbanes–Oxley Act - SOX
The Sarbanes–Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002), also known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and the 'Corporate and Auditing Accountability and Responsibility Act' (in the House) and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms. It is named after its sponsors, U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley.
The act was passed in reaction to a number of major corporate and accounting scandals, including those at Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of the affected companies collapsed, shook public confidence in the nation's securities markets. Carpathia's compliant and secure data centers and solutions meet or exceed the standards that ensure an organization remains SOX compliant.
Gramm–Leach–Bliley Act - GLBA
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999 (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), is an act of the 106th United States Congress (1999-2001), signed into law by President Bill Clinton, that repealed part of the Glass-Steagall Act of 1933, opening up the market among banking companies, securities companies and insurance companies. The Glass-Steagall Act had prohibited any one institution from acting as any combination of an investment bank, a commercial bank and an insurance company.
GLBA allowed commercial banks, investment banks, securities firms and insurance companies to consolidate. For example, Citicorp (a commercial bank holding company) merged with Travelers Group (an insurance company) in 1998 to form the conglomerate Citigroup, a corporation combining banking, securities and insurance services under a house of brands that included Citibank, Smith Barney, Primerica and Travelers. This combination, announced in 1998, would have violated the Glass-Steagall Act and the Bank Holding Company Act of 1956 by combining securities, insurance and banking, if not for a temporary waiver process. The law was passed to legalize these mergers on a permanent basis. Historically, the combined industry has been known as the "financial services industry". For hosting customers, the security-relevant parts of GLBA are its Privacy Rule and Safeguards Rule, which require financial institutions to protect the security and confidentiality of their customers' nonpublic personal information.