Our security organization, Rackspace Global Security Services, is responsible for setting objectives for information security management to preserve our commitment to our customers. This includes setting policies in the following areas:
Security policy
The policy establishes Rackspace's direction and support for information security and sets a risk management framework that is in accordance with business requirements and relevant laws and regulations.
To download our Commitment To Security Policy, click here.
Asset management
This area focuses on achieving and maintaining appropriate protection of Rackspace's critical infrastructure required for its service delivery.
Human resources security
Controls to ensure that all Rackspace employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered.
Physical and environmental security
To prevent unauthorized physical access, damage, and interference to our organization's premises and information.
Access control
Framework to ensure only approved users are granted access to appropriate systems and resources.
Information security incident management
Policies and processes aimed at making sure information security events and weaknesses are communicated in a manner allowing timely corrective action.
Security vulnerability reporting
Our team gives immediate attention to any report of security issues. Learn about our security disclosure process and how to submit a security vulnerability report.
To execute the plans defined in the control objectives above, Rackspace uses the best practices described in the ISO 27002 security standard. This standard is recognized globally as the most comprehensive framework for establishing and maintaining information security best practices within an organization. As these controls are essential to our security posture, we refrain from describing them in detail on publicly available documents. For further insight into these controls, customers and prospects can view this information on our Service Organization Control 1 (SOC 1) report, which is available under the appropriate confidentiality agreements.
The compliance and validation phase is an important collection of audit and review activities that provide assurances that our implemented controls are designed and operating effectively and aligned with the policies set by the security organization. Learn more about the compliance certifications that Rackspace currently maintains.
Security certifications and standards
Rackspace adheres to the following information security and related certifications and standards.
ISO 27002
ISO/IEC 27002 (formerly known as ISO/IEC 17799:2005, based on BS 17799) is the standard for information security controls published by the International Organization for Standardization (ISO). The standard includes advice on aims and implementation of the controls, but does not mandate specific controls because each organization will have unique requirements based on a specific risk assessment. The Rackspace information security program is based on ISO/IEC 27002 policies and procedures.
ISO 27001
The ISO/IEC 27001 standard provides a framework for managing a business’ security responsibilities and provides external assurance for customers as to the scope and scale of our secure environment via our Business Security Management System.
Since 2011, our system has provided the foundation for an integrated and sustainable security model working in tandem with our other security controls such as PCI-DSS. It is subject to ongoing external assessments with a full reassessment every three years.
Our ISO 27001 certification scope of coverage is for all of our US, UK, Hong Kong, and Sydney data centers.
PCI-DSS (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD)
The Payment Card Industry Data Security Standard is a global information security standard defined by the Payment Card Industry Security Standards Council (PCI-SSC). The purpose of the standard is to reduce credit card fraud. This is achieved through increased controls around data and its exposure to compromise. The standard applies to all organizations which process, store or transmit cardholder information.
You have to secure your network, implement secure data management policies, maintain a vulnerability management program and implement strong access-control measures. And then you have to monitor, manage and test these policies.
We’re here to help you navigate this challenging process. Relying on our breadth of experience, we can provide you with infrastructure and solutions that can help reduce the complexity of compliance.
Compliance can be a complex and costly undertaking that involves everything from infrastructure to processes.
Rackspace is accredited with MasterCard Europe* and Visa USA accredited Rackspace Hosting as compliant to the following levels:
Level 1 Payment Card Industry (PCI) PCI Service Provider
Rackspace's PCI certification scope of coverage is for the following locations:
- All US & UK offices
- US data centers (DFW1, DFW2, DFW3, IAD1, IAD2, IAD3, and ORD1)
- All UK data centers
- Hong Kong data center
- Sydney data center
Please note that although Rackspace is a PCI compliant service provider, this does not automatically make our customers PCI compliant. Customers should consult with a Qualified Security Assessor and their Merchant Bank to clarify any PCI obligations and steps to achieve customer compliance.
We offer a full range of PCI security solutions, to help you keep your customers safe. Learn more.
“Rackspace is definitely a trusted partner considering we have to be PCI compliant.”
Technical Operations Manager, Coastal.com
“It is probably true to say that without the considerable amount of help from Rackspace we could not have passed the exceptionally stringent PCI audit. Rackspace certainly went above and beyond their remit to ensure that everything was perfect for us.”
Technical Lead, Oyster Card
SSAE16
SSAE16 is an AICPA (American Institute of Certified Public Accountants) auditing standard intended to provide customers and prospects with third party validated visibility of a service provider's controls.
Rackspace went through a SSAE16 Type II SOC1, SOC2 (Security and Availability Only), and SOC3 audits covering all data center facilities globally. The report is available to current and potential customers subject to signature of appropriate Non-Disclosure Agreements.
SOC 1
- Reports are to be conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, the AICPA attest standard, which is an audit conducted over internal controls over financial reporting, management of the user organizations, and management of the service organization.
- Service Organizations' continue to define their control objectives and controls, but the service auditor is responsible for evaluating those control objectives to ensure they are reasonable.
- A Type 2 report also includes the service auditor's opinion on whether the controls were operating effectively and describes tests of the controls performed by the service auditor to form that opinion and the results of those tests.
SOC 2
- Reports on controls at a service organization relevant to Security, Availability, Privacy, Confidentiality and Processing.
- SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements, of SSAEs.
- These reports are intended to meet the needs of a hosting provider customer that needs to understand the internal controls at a service organization.
- SOC 2 framework is a reporting option specifically designed for entities such as data centers, IT managed services, software as a service (SaaS) vendors, and many other technology and cloud computing based businesses.
- A Type 2 report also includes the service auditor's opinion on whether the controls were operating effectively and describes tests of the controls performed by the service auditor to form that opinion and the results of those tests.
SOC 3
Due to the restrictions of distribution to current and potential customers for the SOC 1 and SOC 2 reports, Rackspace has obtained a SOC 3 report. The difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report contains a detailed description of the service auditor's tests of controls and results of those tests as well as the auditor's opinion on the description of the service organization's system. A SOC 3 report provides only the auditor's report on whether the system achieved the trust services criteria. There is no description of tests and results or opinion on the description of the system.
You can view/download the Rackspace SOC3 report here: Rackspace SOC3 Report.
SAFE HARBOR
Safe Harbor is the US Department of Commerce framework for meeting the European Union's Data Protection requirements. Rackspace complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Rackspace has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement, with respect to the personal data we collect from EU and/or Swiss data subjects or receive from our affiliates located in the EU and/or Switzerland, such as information regarding service requests, service orders, handling orders, delivering services and processing payments.
For more information about Rackspace's Safe Harbor status see the Rackspace Privacy Center.
CONTENT PROTECTION AND SECURITY STANDARD (CPS)
The Content Protection and Security Standard (CPS) is sponsored by the Content Delivery & Security Association (CDSA). CDSA is an international association that advocates the innovative and responsible delivery and storage of entertainment, software, and information content. CDSA has focused its activities on anti-piracy and content protection standards to protect the security and integrity of intellectual property and related assets.
The Content Protection and Security Standard assists organizations in managing its security and piracy risks. The CPS framework focuses primarily on the security management of media content in all of its forms across the entire supply chain. It is comprised of an independent and impartial audit of risk management, personnel resources, asset management, logical and physical security, and disaster recovery planning.
Rackspace is accredited until the last day of February 2015 with the Content Protection and Security certification covering:
- Rackspace's headquarters in San Antonio, TX
- Chicago Data Center
Rackspace has invested significant resources to ensure it can detect and respond to security events and incidents that impact its infrastructure. It is key to point out that this function does not involve actively monitoring individual customer solutions, but the overarching networking and physical environment including the monitoring of internal networks and employee access customer environments.
Security operations at Rackspace ensure that:
- Incidents are responded to in a timely manner and communication is disseminated to the relevant parties
- Corrective actions are identified and executed
- Root cause analyses are performed
- Lessons learned are fed back to the policy and planning functions
This function of our security management system drives continuous improvement of the practices and models we implement to protect Rackspace infrastructure.
An effective mitigation of risks of a cloud solution requires a combination of a secure application architecture and security management disciplines within the service provider. Security Management at Rackspace involves the coordination of the security organization, security controls, and compliance and security operations.
“Card providers, banks and financial bodies now demand a stringent level of security on all remote transactions and the totally secure storage of transaction data. It was with this in mind that we chose Rackspace® Hosting as our hosting partner for the project. We had already gained experience of Rackspace capabilities from within Deloitte and involvement with other high level projects. Their PCI compliance and Fanatical Support® promise sealed the partnership.”
Technical Lead, Oyster Card