By Albert A. Ahdoot, Director of Business Development, Colocation America
Complying with ISO 27001, PCI DSS, and FISMA is a must for colocation facilities handling financial data.
In today’s finance industry, organizations are tasked with handling ever-increasing volumes of data securely and efficiently, which is why an effective IT strategy is essential to the success of any financial services company. The ongoing shift to mobile banking, investing, and payments has only intensified this imperative.
While major financial services companies may have the resources to build and manage their own data centers, many smaller players rely on server colocation to meet their IT needs. Colocation facilities provide racks, security, power, cooling, fire protection, and network connectivity while still allowing customers to purchase and retain ownership of their own servers. In short, colocation takes advantage of economies of scale to reduce costs for organizations with finite IT budgets.
To meet the financial services industry’s needs, however, colocation facilities need to demonstrate compliance with the right frameworks. For facilities handling financial services organizations’ workloads, the most important are ISO 27001, PCI DSS, and FISMA. Strictly speaking only ISO 27001 is a certification; PCI DSS compliance is validated by an assessment and attestation, and FISMA is a federal law. Below, I’ll explain all three and what they mean for colocation facilities.
International Organization for Standardization (ISO 27001)
The ISO 27001 standard was developed by the International Organization for Standardization jointly with the International Electrotechnical Commission. It specifies the requirements for an information security management system (ISMS): a risk-driven approach to keeping sensitive information secure that covers people, processes, and technologies rather than prescribing a fixed list of technical settings.
To comply with ISO 27001, a colocation facility must first assess the information security risks it faces. Next, it must select and implement controls to treat those risks (the chosen controls, and the reasons for excluding others, are recorded in a Statement of Applicability). Finally, it must establish ongoing management processes (internal audits, management review, corrective action) so that its security practices adapt to the evolving threat landscape. Once an organization has gone through this process, it can be audited by an accredited certification body. ISO 27001 certification gives financial services companies assurance that a colocation facility runs a risk-managed security program. Customers should still check the certificate’s scope: it covers only the sites and services listed on it.
Physical security is a key component of ISO 27001 compliance for a colocation facility. Robust access controls must limit entry to authorized individuals; for instance, mantraps or turnstile gates that admit only one person at a time eliminate the problem of unauthorized “tailgaters.” A single entry point is also ideal for secure access, and continuous camera surveillance, with an approved video retention policy, is a must. Onsite guards add a further layer of security.
Network security is another major component of ISO 27001 compliance. The standard’s Annex A includes controls for network security, cryptography, and authentication, but it does not mandate particular technical settings; each facility chooses controls based on its risk assessment. In practice that means firewalls and network segmentation between customer environments, encryption of stored data and of management traffic, and an authentication policy covering password quality, reuse, and revocation. Note that forcing periodic password changes and complex character-class rules are no longer considered best practice (NIST SP 800-63B recommends against routine expiration in favor of long passphrases checked against breached-password lists). Multi-factor authentication on all administrative and remote access does far more to strengthen digital systems than password composition rules.
Finally, ISO 27001 includes technical vulnerability management among its controls, and independent vulnerability assessment and penetration testing are a valuable way to satisfy it. Colocation facilities should strongly consider hiring an outside vendor to attempt a break-in, both physical and network-based, to discover threats the facility may not have anticipated.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard is more specific than ISO 27001: it applies to organizations that store, process, or transmit payment card data, and to service providers (a colocation facility among them) whose services can affect the security of that data. The standard is designed to prevent payment card fraud. Compliance is crucial for financial organizations that deal with cards, as the card brands, including Visa and Mastercard, levy fines (passed down through acquiring banks) for non-compliance.
The overarching goal of PCI DSS is to protect cardholder data so customers can be confident in using their cards. Cardholder data must be encrypted when transmitted across public or open networks. Wherever the primary account number (PAN) is stored it must be rendered unreadable, by truncation, a keyed one-way hash, tokenization, or strong encryption with proper key management, and when displayed it must be masked so that at most the first six and last four digits are visible. The simplest way to reduce risk, though, is to avoid storing card data in the first place. In fact, the standard prohibits storing sensitive authentication data after authorization: PINs, the full magnetic-stripe or chip track data, and the card validation code (the three digits on the back of most cards, or the four digits on the front of an American Express card).
PCI DSS calls for limiting access to cardholder data to those in the organization who need it to perform their duties. The fewer people who have access to sensitive data, the lower the risk. Like ISO 27001, PCI DSS requires periodic testing of systems and procedures to maintain security. A colocation provider also has to be explicit about scope: the standard requires service providers to document in writing which requirements they are responsible for (typically physical security and facility access) and which remain with the customer, who still owns and administers the servers.
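To make the data-handling rules above concrete, here is an added example (written for this article, not code from the author or Colocation America) of how a payment service running on colocated servers might apply them: the PAN is masked to first six/last four for display, stored only as a keyed one-way hash usable as a lookup token, sensitive authentication data is kept out of the persisted record by construction, and a log scrubber masks any Luhn-valid card number before it reaches a log file. The hash key, field names, and sample authorization request are constructed placeholders.

```python
"""Cardholder-data handling in the spirit of PCI DSS, as an added example.

Stdlib only. DEMO_HASH_KEY is a constructed placeholder; a real deployment
would fetch the key from an HSM or KMS, never hard-code it.
"""
import hashlib
import hmac
import re

# Sensitive authentication data (SAD): PCI DSS forbids storing these after
# authorization, even encrypted.
SAD_FIELDS = frozenset(
    {"cvv", "cvv2", "cvc", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}
)

# Constructed placeholder key for the keyed hash (assumption for this demo).
DEMO_HASH_KEY = b"demo-only-key-replace-with-kms-managed-secret"

# Candidate PAN: 13 to 19 digits not embedded in a longer digit run.
_PAN_DIGITS = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check; a cheap filter that weeds out most non-PAN digit runs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = DEMO_HASH_KEY) -> str:
    """Keyed one-way hash of the full PAN, usable as a stable lookup token.

    PCI DSS accepts a keyed cryptographic hash of the whole PAN as one way to
    render stored PANs unreadable. An unkeyed hash is not enough: the PAN
    space is small enough to brute-force once the BIN and check digit are known.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def to_storage_record(auth_request: dict, key: bytes = DEMO_HASH_KEY) -> dict:
    """Build the record that may be persisted after authorization.

    Only an allow-list of fields is copied, so SAD that was legitimately
    present during authorization (the CVV, for example) can never reach storage.
    """
    pan = auth_request["pan"]
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan, key),
        "expiry": auth_request["expiry"],
        "amount": auth_request["amount"],
        "auth_code": auth_request.get("auth_code"),
    }


def storage_violations(record: dict) -> list:
    """Guard at the persistence boundary: list any SAD field or cleartext PAN.

    An empty list means the record may be written.
    """
    problems = [f"sad field: {k}" for k in record if k.lower() in SAD_FIELDS]
    for k, v in record.items():
        if isinstance(v, str) and luhn_valid(v):
            problems.append(f"cleartext PAN in field: {k}")
    return problems


def redact_log_line(line: str) -> str:
    """Mask any Luhn-valid 13-19 digit run so PANs never land in log files."""
    return _PAN_DIGITS.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(), line
    )


if __name__ == "__main__":
    # Constructed sample authorization request using a well-known test PAN.
    auth = {"pan": "4111111111111111", "expiry": "12/29", "cvv": "123",
            "amount": "19.99", "auth_code": "A1B2C3"}
    rec = to_storage_record(auth)
    assert not storage_violations(rec)
    print(rec)
    print(redact_log_line("auth ok pan=4111111111111111 ref=1234567890123"))
```

The allow-list in `to_storage_record` is the important design choice: dropping SAD by name would silently miss a field the upstream system renames, whereas copying only known-safe fields fails closed. `storage_violations` will also flag any 13 to 19 digit Luhn-valid string in a record, so if your order identifiers happen to pass a mod-10 check you will need to exempt those fields explicitly rather than weaken the check.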
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act was passed by Congress in 2002 and updated in 2014 as the Federal Information Security Modernization Act. It sets information security requirements for federal agencies and for contractors that operate systems on their behalf; the concrete controls come from NIST, chiefly FIPS 199 and FIPS 200 and the control catalog in NIST SP 800-53. A colocation facility that hosts federal systems or data, or that supports a financial services customer operating such systems for an agency, will be expected to provide the physical and environmental controls those systems require.
FISMA requires agencies and their partners to maintain an inventory of information systems, categorize each system by the impact a loss of confidentiality, integrity, or availability would have (FIPS 199), implement the corresponding baseline of security controls, document them in a system security plan that is regularly revised, and continuously monitor the controls’ effectiveness.
A High-Potential Partner
In many ways, the financial services industry has been a leader in operational digitization. This is likely to continue in the years to come—especially as finance-oriented artificial intelligence and blockchain tools start to become viable—meaning the IT sector will play a pivotal role in the financial services industry’s future success.
By taking steps to comply with the three security standards outlined above, colocation facilities will be ideally positioned to secure a wealth of business from financial services organizations.
About the Author
As Colocation America’s Director of Business Development, Albert A. Ahdoot leads the company’s sales efforts by gathering intelligence, drafting and enforcing sales policies and procedures, and implementing new business strategies.