
Certifications

Carpathia Hosting constantly strives to meet and exceed industry standards. One of the key values we bring to every engagement is that all of our services meet industry-specific security requirements, evidenced by our SAS70 Type II audit report and our Safe Harbor ISP certification.

SAS70 Type II

Statement on Auditing Standards No. 70, issued by the American Institute of Certified Public Accountants (AICPA) in 1992, spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to the provider's clients or to other outside parties.

Under SAS70, an outsourcing service provider undergoes an audit performed either by its own independent auditor or by the auditors of its outsourcing clients.

There are two types of service-auditor reports:

  1. Type I reports include the service auditor's opinion on the fairness of the provider's description of its controls and on whether those controls are suitably designed to meet the specified control objectives.
  2. Type II reports, generally preferred for their greater depth, include everything in a Type I report plus the auditor's opinion on whether the controls operated effectively throughout the period under review. In both cases the report covers only the control objectives the provider chose to describe, so a customer should review the report's scope and any noted exceptions rather than rely on the label alone.

SAFE HARBOR ISP

U.S. Department of Commerce and European Commission "Safe Harbor"

The European Commission's Directive on Data Protection went into effect in October 1998. It prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection.

The Safe Harbor, approved by the EU in July 2000, is an important way for U.S. companies to avoid interruptions in their business dealings with the EU and to avoid prosecution by European authorities under European privacy laws. Certifying to the Safe Harbor assures EU organizations that your company provides "adequate" privacy protection as defined by the Directive. The framework's principles include the following:

  • Notice: Organizations must notify individuals about the purposes for which they collect and use information about them. They must also tell individuals how to contact the organization with inquiries or complaints, the types of third parties to which the information is disclosed, and the choices and means the organization offers for limiting its use and disclosure.
  • Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
  • Data integrity: Personal information must be relevant to the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete and current.

We have also achieved the following more stringent industry-specific certifications:

Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)

The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the United States Department of Defense (DoD) process for ensuring that risk management is applied to information systems (IS). DIACAP defines a DoD-wide, formal and standard set of activities, general tasks and a management structure for the certification and accreditation (C&A) of a DoD IS, so that the system's information assurance (IA) posture is maintained throughout its life cycle.

An interim version of DIACAP was signed on July 6, 2006 and superseded DITSCAP. The final version, Department of Defense Instruction 8510.01, was signed on November 28, 2007 and supersedes the Interim DIACAP Guidance.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard maintained by the Payment Card Industry Security Standards Council (PCI SSC). The PCI security standards are technical and operational requirements created to help organizations that process card payments prevent card fraud, intrusions and other security threats. They apply to every organization that stores, processes or transmits cardholder data, with additional guidance for developers and manufacturers of the applications and devices used in those transactions. Any company that processes, stores or transmits cardholder data must be PCI DSS compliant. Note that hosting with a compliant provider does not by itself make a customer compliant: each party remains responsible for the in-scope systems and processes under its own control.

All in-scope companies must validate their compliance annually. This validation can be performed by a Qualified Security Assessor (QSA), a company that has completed the PCI SSC's three-step certification process and is thereby recognized as qualified to assess compliance with PCI DSS. Smaller companies may instead complete a Self-Assessment Questionnaire (SAQ); whether that questionnaire must also be validated by a QSA depends on the requirements of the card brands in the merchant's region.