Data Centre Standards and Compliance
CenturyLink is dedicated to continuously improving and maintaining compliance and standards that are critical to customers.
CenturyLink provides an annual combined Statement on Standards for Attestation Engagements (SSAE) No. 16 and International Standard on Assurance Engagements (ISAE) 3402 examination. The certification validates CenturyLink's commitment to operational excellence and client satisfaction. The SSAE 16 (SOC 1) Type II report covers October 1 to September 30 annually for the network, colocation and managed services in CenturyLink's data centres. A Type II examination means that an independent service auditor formally evaluated and issued an opinion on the description of selected CenturyLink systems, on the suitability of the design of the applicable controls, and on their operating effectiveness. This audit report includes controls related to managed security services, change management, service delivery, support services, environmental services, physical security and facilities management, managed hosting services, and managed storage and backup services in CenturyLink's data centres in Asia, EMEA, and North America. A mid-year SOC 1 report geared toward colocation customers is also available; that report covers July 1 to June 30 and includes physical security, facility and environmental protection services.
CenturyLink also provides an annual SOC 2 report, which meets the requirements of a broad range of users that must understand internal controls at a service organization as they relate to the Trust Services principles framework. The SOC 2 Type II report covers October 1 to September 30 for the network, colocation and managed services. The report addresses the non-financial reporting controls related to the security and availability principles, modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. This audit report includes controls for managed security services, change management, service delivery, support services, environmental services, logical and physical security, managed hosting services, and managed storage and backup services in data centres in Asia, EMEA, and North America.
PCI DSS Reports on Compliance (ROCs)
CenturyLink has achieved PCI compliance as a service provider for the following services:
- Data Centre Services (Japan, Singapore, UK, Germany, North America, and Canada): Physical and administrative security controls in the majority of CenturyLink-branded data centres.
- Managed Firewalls and NIDS Services (not location specific): Cisco ASA and Check Point firewalls, and Network Intrusion Detection Systems (NIDS).
- iQ Private Port (not location specific): MPLS-based WAN platform for customer provisioning and management on the network.
- Network Integrated Cloud Contact Centre Solutions: Hosted Interactive Voice Response and Network Common Area contact centre solutions.
The auditors provide a Report on Compliance ("ROC Letter") and an Attestation of Compliance (AOC) that confirm CenturyLink's compliance with specific PCI controls for the applicable locations and services. ROC Letters and AOCs are available upon request, subject to CenturyLink's Non-Disclosure Agreement.
CenturyLink has implemented an information security program, for the services in scope, that addresses the essential elements of the Health Insurance Portability and Accountability Act Security Rule of 2003 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH"), enacted as part of the American Recovery and Reinvestment Act of 2009. CenturyLink engaged an independent third-party auditor to conduct a Type 1 examination in accordance with the AT-101 attestation standards established by the American Institute of Certified Public Accountants (AICPA). The report covers CenturyLink's processes and services used to support its Colocation Services, Managed Hosting Services, Managed Security Services and Managed Backup and Storage Services customer environments. This includes Administrative (risk management, security policies, training, Business Associate Agreements, etc.), Physical (data centre security, media handling, etc.), Technical (access administration) and Breach Notification (security incident management) controls. The report provides an assessment of CTL (CenturyLink) processes and services and how they meet the HIPAA Security Rule and Breach Notification requirements.
CenturyLink will evaluate Business Associate Agreement requests on a case-by-case basis within the context of the customer’s specific services and solutions.
ISO 27001 Certified
CenturyLink currently maintains ISO 27001 certification for managed hosting operations and data centres in Singapore, the United Kingdom, Germany, and Japan. The certificate also addresses colocation services (including physical security and facilities management) for data centres in Asia, EMEA, and North America. ISO 27001 is an international standard providing a model for establishing, operating, monitoring, and improving an Information Security Management System (ISMS). The ISO 27001 certification demonstrates that CenturyLink complies with and enforces information security processes. The certification requires interim audits annually to support a three-year renewal cycle.