Compliance & Certifications
Practice Protect addresses a wide range of international, country, and industry-specific regulatory requirements by providing compliant, independently verified cloud services. In addition, an extensible compliance framework enables Practice Protect to design and build services using a single set of controls, which speeds up and simplifies compliance across a diverse set of regulations and allows rapid adaptation to changes in the regulatory landscape. The Practice Protect Cloud is certified with SOC 2 and TRUSTe.
SOC 2 SSAE 16/ISAE 3402 Attestations
Practice Protect has successfully passed an independent audit against the rigorous SSAE 16 SOC 2 Type II standard and achieved compliance, a prestigious accomplishment showcasing Practice Protect’s longstanding commitment to securing customer data. Information security is far-reaching and ingrained in Practice Protect’s culture, and it is evident from the design of the service and infrastructure to the processes and people. Furthermore, achieving compliance demonstrates Practice Protect’s dedication to both its existing high security standards and its ability to quickly and effectively raise the bar and adapt to the changing information security climate.
Audits are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put forth by the International Auditing and Assurance Standards Board (IAASB). In addition, the SOC 2 Type 2 audit included an examination of the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA).
Customers should contact their Practice Protect representative to request a copy of the SOC 2 reports.
Practice Protect also complies with the U.S.-E.U. Safe Harbor framework and the U.S.-Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding collection, use and retention of personal data from European Union member countries and Switzerland. You can learn more about the Safe Harbor program and view our certification by visiting the Safe Harbor website.
Cloud Security Alliance Cloud Controls Matrix
Practice Protect has been audited against the Cloud Controls Matrix (CCM) established by the Cloud Security Alliance (CSA). The audit was completed as part of the SOC 2 Type 2 assessment, the details of which are included in that report. This combined approach is recommended by the American Institute of Certified Public Accountants (AICPA) and CSA as a means of meeting the assurance and reporting needs of the majority of cloud services users.
The CSA CCM is designed to provide fundamental security principles to guide cloud vendors and to assist prospective customers in assessing the overall security risk of a cloud provider. By having completed an assessment against the CCM, Practice Protect offers transparency into how its security controls are designed and managed with verification by an expert, independent audit firm.
ISO/IEC 27001:2005 Audit and Certification
Microsoft is committed to annual certification against ISO/IEC 27001:2005, a broad international information security standard. The ISO/IEC 27001:2005 certificate validates that Azure has implemented the internationally recognized information security controls defined in this standard, including guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
Federal Risk and Authorization Management Program (FedRAMP)
Azure has been granted a Provisional Authority to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB).
Following a rigorous security review, the JAB approved a provisional authorization that an executive department or agency can leverage to issue a security authorization and an accompanying Authority to Operate (ATO). This will allow US federal, state, and local governments to more rapidly realize the benefits of the cloud.
FedRAMP is a mandatory U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.
Practice Protect’s Cloud is in the process of being FedRAMP certified for the application layer.
United Kingdom G-Cloud Impact Level 2 Accreditation
In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further enhancing Azure and its partner offerings on the current G-Cloud procurement Framework and CloudStore. The IL2 rating will benefit a broad range of UK public sector organizations, including local and regional government, National Health Service (NHS) trusts and some central government bodies, that require a ‘protect’ level of security for data processing, storage and transmission.
Family Educational Rights and Privacy Act (FERPA)
FERPA imposes requirements on U.S. educational organizations regarding the use and disclosure of student education records. Educational organizations can use Windows Azure to process data, such as student education records, in compliance with FERPA. Microsoft will only use Customer Data to provide organizations with the Windows Azure service and will not scan Customer Data for advertising purposes.