
Offload Security Requirements

  rev. 25/04/2008        

Enterprises of all sizes must ensure supplier, operational and regulatory compliance (for example with Sarbanes-Oxley and HIPAA) in order to drive down risk. These requirements are complex and should be managed strategically.

PCI DSS Service Provider Level 1 Certification

PCI DSS (Payment Card Industry Data Security Standard) is a prescriptive data security standard that applies to any electronic application that stores, processes, or transmits credit/debit card data. The standard is maintained by the PCI Security Standards Council and includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. These requirements are organized around six major principles:

Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

SAS 70 Type I and Type II

SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) to evaluate the internal controls of a service provider. The Type I audit evaluates the service provider's documented internal procedures and processes to ensure that they are sufficient to achieve the service provider's control objectives. The Type II audit conducts a series of tests to ensure that the service provider is actually following those documented procedures and processes.

AppExchange Service Provider Certification

Certification requires an extensive annual audit that evaluates the security profile of the on-demand environment, including operational processes, access controls, HR policies, and security incident response procedures. In addition, the environment undergoes an extensive network penetration test.

This certification is rare, reflecting a rigorous process.

U.S. Commerce Department Safe Harbor Certification

This certification signifies that the service provider employs policies and procedures that meet the privacy standards of the European Commission's Directive on Data Protection. The EU directive prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection.

MEcom is not subject to other regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX). We could get that kind of coverage through a hosting service.

©2012 Managing Energy Inc.