Sergey Nivens - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Does enterprise compliance rely on cloud service provider compliance?

Enterprise compliance with standards such as HIPAA, PCI DSS and SOX is tricky to maintain. How much of it relies on cloud service provider compliance? Expert Mike Chapple explains.

I heard that if a company uses a cloud communications provider that is not HIPAA, PCI DSS or SOX compliant, it makes the company itself noncompliant. Assuming one or more of these standards apply to the company, is this true?

A company is obligated to ensure that all of its operations are compliant with any applicable laws and regulations. This includes only using cloud service providers that allow the company to remain fully compliant. However, it's not as simple as saying every provider must be compliant with every regulation. It comes down to the purpose of the service provider and the applicable regulations.

First, examine the specific services offered by the cloud communications provider. Is it hosting the company website? Providing the email service? Offering VoIP telephony? Assess whether the services it provides the company are actually part of the regulated business processes. For example, if a company is subject to PCI DSS but does not allow the use of electronic mail for credit card information, the email provider does not need to be PCI DSS compliant. In fact, electronic mail shouldn't be used for credit card information in the first place.

Second, determine whether the service provider's process has any contact with unencrypted regulated data, such as credit card numbers, PII or PHI. If not, then it's probably out of scope for the company's compliance efforts. If it does have access to this information, whether in storage or transit, the company will need to consider the service provider's compliance when evaluating its own compliance program.

It's important to note that the criteria above are general information only. The exact definition of the scope of a regulated entity is a complex process that should only be undertaken by individuals with in-depth knowledge of the regulation(s) at play, business operations and technology infrastructure of the company.

Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

Next Steps

Take a look at the connection between enterprise compliance and security in this E-handbook.

This was last published in December 2014

Dig Deeper on Security audit, compliance and standards

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.