We provide security and compliance services designed to help protect Rackspace information and physical resources. This effort also focuses on ensuring that Rackspace has controls in place to manage the risk of interruptions that may impact our service level commitments to you.
Our security organization, Rackspace Global Security Services, is responsible for setting objectives for information security management to preserve our commitment to our customers. This includes setting policies in the following areas:
The policy establishes Rackspace's direction and support for information security and sets a risk management framework that is in accordance with business requirements and relevant laws and regulations.
This area focuses on achieving and maintaining appropriate protection of Rackspace's critical infrastructure required for its service delivery.
Controls to ensure that all Rackspace employees, contractors and third party users understand their responsibilities, and are suitable for the roles for which they are considered.
To prevent unauthorized physical access, damage, and interference with our organization's premises and information.
Framework to ensure only approved users are granted access to appropriate systems and resources.
Policies and processes aimed at making sure information security events and weaknesses are communicated in a manner allowing timely corrective action.
Our team gives immediate attention to any report of security issues. Learn about our security disclosure process and how to submit a security vulnerability report.
To execute the plans defined in the control objectives above, Rackspace uses the best practices described in the ISO 27002 security standard. This standard is recognized globally as the most comprehensive framework for establishing and maintaining information security best practices within an organization. As these controls are essential to our security posture, we refrain from describing them in detail in publicly available documents. For further insight into these controls, customers and prospects can view this information in our Service Organization Control 1 (SOC 1) report, which is available under the appropriate confidentiality agreements.
The compliance and validation phase is an important collection of audit and review activities that provide assurances that our implemented controls are designed and operating effectively and aligned with the policies set by the security organization. Learn more about the compliance certifications that Rackspace currently maintains.
Rackspace adheres to the following information security and related certifications and standards.
ISO/IEC 27002 (formerly known as ISO/IEC 17799:2005, based on BS 17799) is the standard for information security controls published by the International Organization for Standardization (ISO). The standard includes advice on aims and implementation of the controls, but does not mandate specific controls because each organization will have unique requirements based on a specific risk assessment. The Rackspace information security program is based on ISO/IEC 27002 policies and procedures.
ISO/IEC 27001 is the only auditable international standard, and defines the requirements for an Information Security Management System (ISMS). The standard is designed to select adequate and proportionate security controls.
In November 2011, the management of information security in the design, implementation, and support of Hosted Systems at our DFW1 and ORD data center facilities was certified as compliant to ISO 27001:2005. A full reassessment is required every 3 years, and surveillance audits that review a section of the ISMS are performed every 6 months.
The Payment Card Industry Data Security Standard is a global information security standard defined by the Payment Card Industry Security Standards Council (PCI-SSC). The purpose of the standard is to reduce credit card fraud. This is achieved through increased controls around data and its exposure to compromise. The standard applies to all organizations that process, store, or transmit cardholder information.
MasterCard Europe* and Visa USA have accredited Rackspace Hosting as compliant at the following levels:
Rackspace's PCI certification scope of coverage is for the following locations:
Please note that although Rackspace is a PCI compliant service provider, this does not automatically make our customers PCI compliant. Customers should consult with a Qualified Security Assessor and their Merchant Bank to clarify any PCI obligations and steps to achieve customer compliance.
“Rackspace is definitely a trusted partner considering we have to be PCI compliant.”
SSAE16 is an AICPA (American Institute of Certified Public Accountants) auditing standard intended to provide customers and prospects with third-party-validated visibility of a service provider's controls.
Rackspace went through SSAE16 Type II SOC 1, SOC 2 (Security and Availability only), and SOC 3 audits covering all data center facilities globally. The reports are available to current and potential customers subject to signature of appropriate Non-Disclosure Agreements.
Due to the restrictions of distribution to current and potential customers for the SOC 1 and SOC 2 reports, Rackspace has obtained a SOC 3 report. The difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report contains a detailed description of the service auditor's tests of controls and results of those tests as well as the auditor's opinion on the description of the service organization's system. A SOC 3 report provides only the auditor's report on whether the system achieved the trust services criteria. There is no description of tests and results or opinion on the description of the system.
To view Rackspace's SOC 3 Report, please click on the SOC 3 logo and you will be redirected to the Rackspace SOC 3 Report.
Safe Harbor is the US Department of Commerce framework for meeting the European Union's Data Protection requirements. Rackspace complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Rackspace has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement, with respect to the personal data we collect from EU and/or Swiss data subjects or receive from our affiliates located in the EU and/or Switzerland, such as information regarding service requests, service orders, handling orders, delivering services and processing payments.
For more information about Rackspace's Safe Harbor status see:
The Content Protection and Security Standard (CPS) is sponsored by the Content Delivery & Security Association (CDSA). CDSA is an international association that advocates the innovative and responsible delivery and storage of entertainment, software, and information content. CDSA has focused its activities on anti-piracy and content protection standards to protect the security and integrity of intellectual property and related assets.
The Content Protection and Security Standard assists organizations in managing their security and piracy risks. The CPS framework focuses primarily on the security management of media content in all of its forms across the entire supply chain. It comprises an independent and impartial audit of risk management, personnel resources, asset management, logical and physical security, and disaster recovery planning.
Rackspace is accredited until the last day of February 2014 with the Content Protection and Security certification covering:
Rackspace has invested significant resources to ensure it can detect and respond to security events and incidents that impact its infrastructure. It is key to point out that this function does not involve actively monitoring individual customer solutions, but rather the overarching network and physical environment, including the monitoring of internal networks and of employee access to customer environments.
Security operations at Rackspace ensure that:
This function of our security management system drives continuous improvement of the practices and models we implement to protect Rackspace infrastructure.
An effective mitigation of risks of a cloud solution requires a combination of a secure application architecture and security management disciplines within the service provider. Security Management at Rackspace involves the coordination of the security organization, security controls, and compliance and security operations.
"Card providers, banks and financial bodies now demand a stringent level of security on all remote transactions and the totally secure storage of transaction data. It was with this in mind that we chose Rackspace® Hosting as our hosting partner for the project. We had already gained experience of Rackspace capabilities from within Deloitte and involvement with other high level projects. Their PCI compliance and Fanatical Support® promise sealed the partnership."