UPsafety, a T2 Systems company, and all of our partners utilize state-of-the-art security such as SHA-2 (designed by the National Security Agency for data encryption), STS Secure Token Service (security for user information), PCI DSS auditing (for credit card transactions) and the Federal Information Security Management Act (FISMA), and our Cloud has obtained the ISO/IEC 27001:2005 certification for Information Security Management. Our Cloud and mobile devices are FIPS compliant.
Our Cloud utilizes the Microsoft Global Foundation Services (GFS) data centers. The data center is physically secured with fire and flood protection, high-security locks, closed-circuit cameras, biometric devices, electronic ID card readers and alarms. All access is secured with positive-ID Access Control Lists.
The UPsafety Cloud utilizes the Microsoft Azure services to deliver the highest level of back office security.
Our Microsoft Azure Cloud has been granted a Provisional Authority to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB). Following a rigorous security review, the JAB approved a provisional authorization that an executive department or agency can leverage to issue a security authorization and an accompanying Authority to Operate (ATO). This will allow US federal, state, and local governments to more rapidly realize the benefits of the UPsafety Cloud using Microsoft Azure.
ISO/IEC 27001:2005, a broad international information security standard, validates that the Microsoft Azure Cloud has implemented the internationally recognized information security controls defined in this standard, including guidelines and general principles for initiating, implementing, maintaining, and improving information security management.
The certificate issued by the British Standards Institution (BSI) is publicly available.
HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). To ensure compliance with HIPAA and the HITECH Act, Microsoft Azure offers a BAA to customers as a contract addendum.
The Microsoft Azure Cloud is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standards (DSS) as verified by an independent Qualified Security Assessor (QSA), allowing merchants to establish a secure cardholder environment and to achieve their own certification.
The PCI DSS is an information security standard designed to prevent fraud through increased controls around credit card data. PCI certification is required for all organizations that store, process or transmit payment cardholder data. Customers can reduce the complexity of their PCI DSS certification by using compliant Azure services.
The Microsoft Azure PCI Attestation of Compliance is available for immediate download.
FERPA imposes requirements on U.S. educational organizations regarding the use and disclosure of student education records. Educational organizations use UPsafety’s Microsoft Azure Cloud to process data in compliance with FERPA. Neither United Public Safety nor Microsoft will scan Customer Data for advertising purposes.
Azure has been audited against the Service Organization Control (SOC) reporting framework for both SOC 1 Type 2 and SOC 2 Type 2. Both reports are available to customers to meet a wide range of US and international auditing requirements.
The SOC 1 Type 2 audit report attests to the design and operating effectiveness of Azure controls. The SOC 2 Type 2 audit included a further examination of Azure controls related to security, availability, and confidentiality. Azure is audited annually to ensure that security controls are maintained.
Audits are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put forth by the International Auditing and Assurance Standards Board (IAASB). In addition, the SOC 2 Type 2 audit included an examination of the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA).
Microsoft Azure has been audited against the Cloud Controls Matrix (CCM) established by the Cloud Security Alliance (CSA). The audit was completed as part of the SOC 2 Type 2 assessment, the details of which are included in that report. This combined approach is recommended by the American Institute of Certified Public Accountants (AICPA) and the CSA as a means of meeting the assurance and reporting needs of the majority of Cloud services users. The CSA CCM is designed to provide fundamental security principles to guide Cloud vendors and to assist prospective customers in assessing the overall security risk of a Cloud provider. By having completed an assessment against the CCM, Azure offers transparency into how its security controls are designed and managed, with verification by an expert, independent audit firm.
Detailed information about how Azure fulfills the security, privacy, compliance, and risk management requirements defined in the CCM is also published in the CSA’s Security Trust and Assurance Registry (STAR). A detailed paper discussing Azure’s compliance with the specific controls in the CCM can be found here.
In addition, the Microsoft Approach to Cloud Transparency paper provides an overview of how it addresses various risk, governance, and information security frameworks and standards, including the CSA CCM.
In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further enhancing Microsoft and its partner offerings on the current G-Cloud procurement Framework and CloudStore. The IL2 rating will benefit a broad range of UK public sector organizations, including local and regional government, National Health Service (NHS) trusts and some central government bodies, which require the 'protect' level of security for data processing, storage and transmission.