Data Security and Compliance
Data Protection
We are committed to:
- ensuring that we comply with the eight data protection principles, as listed below
- meeting our legal obligations as laid down by the Data Protection Act 1998
- ensuring that data is collected and used fairly and lawfully
- processing personal data only in order to meet our operational needs or fulfill legal requirements
- taking steps to ensure that personal data is up to date and accurate
- establishing appropriate retention periods for personal data
- ensuring that data subjects’ rights can be appropriately exercised
- providing adequate security measures to protect personal data
- ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues
- ensuring that all staff are made aware of good practice in data protection
- providing adequate training for all staff responsible for personal data
- ensuring that everyone handling personal data knows where to find further guidance
- ensuring that queries about data protection, whether internal or external to the organisation, are dealt with effectively and promptly
- regularly reviewing data protection procedures and guidelines within the organisation.
The eight data protection principles
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
- Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Security with Early to Primary Essence
Early Essence/Primary Essence runs on a secure dedicated platform hosted on the Rackspace network, which is always accessed over 256-bit SSL. As a result, any data transferred or transmitted is protected both by our internal policies and by Rackspace’s network and policies.
Below are the security specifications of Rackspace UK, the data storage provider for Early Essence/Primary Essence.
Physical Security
- Physical Security includes locking down and logging all physical access to our data centre.
- Data centre access is limited to only authorised personnel
- Badges and biometric scanning for controlled data centre access
- Security camera monitoring at all data centre locations
- Access and video surveillance log retention
- 24×7 onsite staff provide additional protection against unauthorised entry
- Unmarked facilities to help maintain a low profile
- Physical security audited by independent firms annually
Network Infrastructure
- Network Infrastructure provides the availability guarantees backed by aggressive SLAs.
- High-performance bandwidth provided by multiple network providers
- Elimination of single points of failure throughout shared network infrastructure
- Cables properly trunked and secured
- Proactive network management methodology monitors network route efficiency
- Real-time topology and configuration improvements to adjust for anomalies
- Network uptime backed by Service Level Agreements
- Network management performed by only authorised personnel
Human Resources
- Human Resources provide Rackspace employees with an education curriculum to help ensure that they understand their roles and responsibilities related to information security.
- Reference checks taken for employees with access to customer accounts
- Employees are required to sign non-disclosure and confidentiality agreements
- Employees undergo mandatory security awareness training upon employment and annually thereafter
Operations Security
- Operational Security involves creating business processes and policies that follow security best practices to limit access to confidential information and maintain tight security over time.
- ISO 27001/2 based policies, reviewed at least annually
- Documented infrastructure change management procedures
- Secure document and media destruction
- Incident management function
- Business continuity plan focused on availability of infrastructure
- Independent reviews performed by third parties
- Continuous monitoring and improvement of security program
Environmental Controls
- Environmental Controls are implemented to help mitigate the risk of service interruption caused by fires, floods and other forms of natural disaster.
- Dual power paths into facilities
- Uninterruptible power supplies (minimum N+1)
- Diesel generators (minimum N+1)
- Service agreements with fuel suppliers in place
- HVAC (minimum N+1)
- Smoke detectors
- Flood detection
- Continuous facility monitoring
Security Organisation
- Security Organisation includes establishing a global security services team tasked with managing operational risk, by executing an information management framework based on the ISO 27001 standard.
- Security management responsibilities assigned to Global Security Services
- Chief Security Officer oversight of Security Operations and Governance, Risk, and Compliance activities
- Direct involvement with Incident Management, Change Management, and Business Continuity
ISO/IEC 27001:2005 (Information Security Management Systems)
Rackspace Ltd. has been certified to this standard since 2009. The requirements of this standard are managed via our Rackspace Business Security Management System.
ISO 27001 follows the best practice controls documented in ISO 27002.
What does it mean for our customers?
Our ISO 27001-certified Business Security Management System demonstrates our commitment to operating our data centres in a secure and responsible manner. We align it with other associated security standards and requirements, such as PCI-DSS (see PCI-DSS tab) and our ISAE 3402 controls (see ISAE 3402 tab), to provide multiple forms of evidence of our security credentials.
What is the scope of the certification?
Our UK (four data halls across three facilities) and Hong Kong (one hall) data centres are certified to ISO 27001 under the scope of “The management of information security in the design, implementation and support of hosting solutions at our UK (LON1 & LON3) and Hong Kong (HK1) data centre facilities.” It is planned to expand scope to our Australian data centre during 2013.
Who is the certifying body and how often are you assessed?
Certification Europe are our appointed external assessment body; we are assessed at least twice a year against a three-year audit plan.
International Standards for Assurance Engagements (ISAE) No. 3402
ISAE 3402 is the international version of the North American SSAE 16. Together they replaced the SAS 70 auditing standard.
A SOC (Service Organization Controls) Report is produced providing customers with externally validated and unbiased information about the nature and effectiveness of the operational controls in place at the organisation.
SOC Reports are split into two types: Type I and Type II. In a Type I report the auditor evaluates the controls of an organisation at the time of audit to prevent accounting errors and misrepresentation. The auditor also evaluates the likelihood that those controls will produce the desired results. A Type II report includes the same information as a Type I report but also attempts to determine the effectiveness of the controls since their implementation. Type II reports typically use data compiled over a six-month period. A global Type II SOC1 report is produced concerning the controls in place at Rackspace.
What does it mean for our customers?
The Rackspace Type II SOC reports can be used to satisfy requirements under both the ISAE 3402 and SSAE 16 standards. The report contains a description of the controls we have in place and the auditor’s informed opinion of how effective the controls were during the audit period. The audit period for Rackspace extends from October 1st to September 30th each year. We have aligned it with our other associated security standards and requirements (ISO 27001 and PCI-DSS controls) to provide multiple forms of evidence of our security credentials.
The Mobile Application
The mobile application, which can be used on Android and iOS devices, transmits all data through our API, which is accessed through the same SSL channels as the website, i.e. all traffic to and from the app is over https. We don’t even entertain traffic over http; we immediately force an https connection instead.
The app requires a secure login and authentication in much the same way the website does. The app is also very limited in what it can do: it can only upload observation data and access class lists. It cannot access any score data, analysis or confidential information.
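The two guarantees above (plain-http requests are redirected to https, and the mobile app's credential can only reach the endpoints it needs) can be modelled as one request handler. This is an added illustration, not Early Essence's API: the endpoint paths, scope names and status codes are assumptions.

```python
"""Constructed model of an HTTPS-only, scope-limited API front door.
Endpoint paths, scope names and status codes are assumptions for
illustration; they are not Early Essence's real API."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Each API endpoint names the single scope a caller must hold (assumed names).
ENDPOINT_SCOPES = {
    ("POST", "/api/observations"): "observations:write",
    ("GET", "/api/classes"): "classes:read",
    ("GET", "/api/scores"): "scores:read",
    ("GET", "/api/analysis"): "analysis:read",
}

# The mobile app's credential carries only the two scopes the page says it needs.
MOBILE_APP_SCOPES: FrozenSet[str] = frozenset({"observations:write", "classes:read"})
# A browser session on the website holds every scope.
WEB_SESSION_SCOPES: FrozenSet[str] = frozenset(ENDPOINT_SCOPES.values())


@dataclass(frozen=True)
class Session:
    user: str
    scopes: FrozenSet[str]


def handle_request(session: Session, scheme: str, host: str,
                   method: str, path: str) -> Tuple[int, str]:
    """Return an (http_status, body_or_location) pair for one request."""
    # 1. Force HTTPS: anything arriving over http is redirected before any
    #    authorization or data access runs, so nothing is served in plaintext.
    if scheme != "https":
        return 301, f"https://{host}{path}"
    # 2. Unknown endpoints are refused outright rather than defaulting to allow.
    required = ENDPOINT_SCOPES.get((method, path))
    if required is None:
        return 404, "no such endpoint"
    # 3. Least privilege: the session must hold the exact scope the endpoint needs,
    #    so a mobile token can never reach scores or analysis.
    if required not in session.scopes:
        return 403, f"scope {required} not granted to {session.user}"
    return 200, f"{method} {path} ok for {session.user}"


if __name__ == "__main__":
    app = Session("teacher-mobile", MOBILE_APP_SCOPES)
    print(handle_request(app, "http", "api.example.invalid", "GET", "/api/classes"))
    print(handle_request(app, "https", "api.example.invalid", "GET", "/api/scores"))
```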