AGILE is committed to compliance and certifications to validate our systems and processes. Our commitment to trust services criteria provides assurances to our clients related to how we handle information. Third-party/independent certifications help to ensure that our clients can trust and have confidence in how we manage information and assets.
AGILE Data Center Certifications
Internal control reports on the services provided by AGILE contain valuable information that our clients need to assess and address the risks associated with our services.
SSAE 16 and its successor SSAE 18: About SOC 1 and SOC 2
SOC 1 – SOC for Service Organizations: ICFR
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR). These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements. There are two types of reports for these engagements:
- Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. Because only a Type 2 report tests whether controls actually operated over the period, it is the one to request when assessing a provider.
Use of these reports is restricted to the management of the service organization, user entities, and user auditors.
SOC 2® – SOC for Service Organizations: Trust Services Criteria
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
Similar to a SOC 1 report, there are two types of reports: A type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is restricted.
About SSAE 16
In April 2010, the Auditing Standards Board (ASB) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (AT sec. 801), which replaced the guidance for service auditors reporting on a service organization’s controls relevant to user entities’ internal control over financial reporting (ICFR) in Statement on Auditing Standards (SAS) No. 70, Service Organizations (AU sec. 324). SSAE 16 was effective for service auditors’ reports for periods ending on or after June 15, 2011. Reports issued under SSAE No. 16 provide audit evidence to CPAs auditing the financial statements of entities that use a service organization. In SSAE No. 16, an entity that performs a specialized task or function for other entities is known as a service organization and an entity that outsources a task or function to a service organization is known as a user entity. SSAE 16 has itself since been superseded by SSAE 18, which recodified the SOC 1 guidance as AT-C section 320 (the section cited in the SOC 1 description above) for reports dated on or after May 1, 2017. Note also that SOC 2 reports were never issued under SSAE 16: they are examinations against the Trust Services Criteria performed under the general attestation standards (formerly AT section 101, now AT-C sections 105 and 205).
Founded in 1887, the AICPA represents the CPA profession nationally regarding rule-making and standard-setting, and serves as an advocate before legislative bodies, public interest groups and other professional organizations. The AICPA develops standards for audits of private companies and other services by CPAs; provides educational guidance materials to its members; develops and grades the Uniform CPA Examination; and monitors and enforces compliance with the profession’s technical and ethical standards.
The AICPA’s founding established accountancy as a profession distinguished by rigorous educational requirements, high professional standards, a strict code of professional ethics, a licensing status and a commitment to serving the public interest.
Learn more at http://www.aicpa.org/
AGILE Data Centers, processes and facilities are also compliant with HIPAA.
General Information About HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Any organization that creates, receives, maintains or transmits protected health information (PHI) must ensure that the required administrative, physical and technical safeguards are in place and followed. This includes covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically), business associates that handle PHI on a covered entity’s behalf, such as a hosting or data center provider, and the subcontractors of those business associates, which the 2013 Omnibus Rule made directly liable for compliance as business associates themselves. Workforce members with access to patient information in support of treatment, payment or health care operations are bound through their employer’s obligations.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties. HHS does not certify organizations as HIPAA compliant; a provider’s compliance claim should be backed by a business associate agreement and by independent assessment evidence.
To learn more about HIPAA, see the HHS Office for Civil Rights.
AGILE Chesapeake fulfills annual PCI-DSS compliance audits
The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually: organizations handling large volumes of transactions are assessed either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA), who produces a Report on Compliance (ROC), while companies handling smaller volumes complete a Self-Assessment Questionnaire (SAQ). A hosting provider’s validation covers only the controls the provider operates; clients remain responsible for the cardholder data environment they run within the facility, and PCI DSS requires the split of responsibilities between provider and client to be documented in writing.
To learn more about PCI-DSS, see the PCI Security Standards Council.
AGILE maintains strict quality management standards under ISO 9001:2015
AGILE’s Quality Policy: It is the policy of Agile Data Sites, LLC to establish, maintain and continually improve internal processes and controls that conform to client, partner and regulatory requirements, and to provide redundant and highly reliable cloud, Disaster Recovery, hosting and colocation services at a competitive price that meet and exceed client expectations.
ISO 9001:2015 Definition:
ISO 9001:2015 sets out the criteria for a quality management system and is the only standard in the family that can be certified to (although this is not a requirement). It can be used by any organization, large or small, regardless of its field of activity. In fact, there are over one million companies and organizations in over 170 countries certified to ISO 9001.
This standard is based on a number of quality management principles including a strong customer focus, the motivation and involvement of top management, the process approach and continual improvement. These principles are explained in more detail in ISO’s Quality Management Principles document. Using ISO 9001:2015 helps ensure that customers get consistent, good quality products and services, which in turn brings many business benefits. Note that ISO 9001 certifies a quality management system, not security controls; it complements rather than substitutes for the SOC, HIPAA and PCI DSS assurances described above.
To learn more about ISO 9001:2015, see the International Organization for Standardization (ISO).