I heard that if a company uses a cloud communications provider that is not HIPAA, PCI DSS or SOX compliant, it...
makes the company itself noncompliant. Assuming one or more of these standards apply to the company, is this true?
A company is obligated to ensure that all of its operations are compliant with any applicable laws and regulations. This includes only using cloud service providers that allow the company to remain fully compliant. However, it's not as simple as saying every provider must be compliant with every regulation. It comes down to the purpose of the service provider and the applicable regulations.
First, examine the specific services offered by the cloud communications provider. Is it hosting the company website? Providing the email service? Offering VoIP telephony? Assess whether the services it provides the company are actually part of the regulated business processes. For example, if a company is subject to PCI DSS but does not allow the use of electronic mail for credit card information, the email provider does not need to be PCI DSS compliant. In fact, electronic mail shouldn't be used for credit card information in the first place.
Second, determine whether the service provider's process has any contact with unencrypted regulated data, such as credit card numbers, PII or PHI. If not, then it's probably out of scope for the company's compliance efforts. If it does have access to this information, whether in storage or transit, the company will need to consider the service provider's compliance when evaluating its own compliance program.
It's important to note that the criteria above are general information only. The exact definition of the scope of a regulated entity is a complex process that should only be undertaken by individuals with in-depth knowledge of the regulation(s) at play, business operations and technology infrastructure of the company.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)