F5 Distributed Cloud Services Compliance

What is Payment Card Industry Data Security Standard (PCI-DSS) Compliance and Why is it Important

F5 Distributed Cloud Services are PCI-DSS Compliant as a Level 1 Service Provider 

The Payment Card Industry Data Security Standard (PCI DSS) encourages and enhances payment card account data security and facilitates a broader adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.

PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card account processing — including merchants, processors, acquirers, issuers, and other service providers.

Compliance with PCI DSS also ensures that businesses adhere to industry best practices when processing, storing, and transmitting credit card data. In turn, PCI DSS compliance fosters trust among customers and stakeholders.

PCI DSS comprises a minimum set of requirements for protecting account data and may be enhanced by additional controls and practices to further mitigate risks. The below table lists the PCI DSS requirements at a high level, F5 qualifies as Level 1 Service Provider and while it does not process, store, or transmit CHD/SAD; it could impact the security of the cardholder data environment (CDE) of our customers.

What is SOC 2 Type II Compliance and Why is it Important

F5 Distributed Cloud Services are SOC2 Type II Compliant

A SOC 2 Type II report is a Service Organization Control (SOC) report that focuses on the American Institute of Certified Public Accountants (AICPA) trust principles. It generally examines a service provider’s internal controls and systems related to security, availability, processing integrity, confidentiality, and privacy of data. These reports can play an important role in providing oversight of an organization, vendor management programs, and regulatory oversight. A type 2 report covers both the suitability of an organization's controls and its operating effectiveness over a period of time.

At F5, the SOC 2 Type II report helps meet the needs of our customers who need detailed information and assurance about the controls at F5. It offers evidence to our customers that we are implementing the security controls that we say we do and that those controls are working as intended. Without eyes and ears across the cloud, it is difficult to assess how secure the information is in the hands of third-party vendors and a SOC 2 Type II report offers this peace of mind.

Of the five trust principles that an organization can choose to follow, SDC is certified for the security, availability, and confidentiality of the information processed by our systems.

Each trust principle lists control objectives which the organization decides how it wants to meet these control objectives. SOC 2 trust principles are modeled around:

• Policies
• Communications
• Procedures
• Monitoring

What is HIPAA Compliance and Why is it Important

Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy by legally enforcing rigorous technical, administrative, and physical security controls on healthcare businesses who electronically transmit sensitive health data and their business associates.

F5 Distributed Cloud Services’ SOC 2 Type II report includes attestation of compliance with  HIPAA controls. For our services, we must comply with:

• Do Not process or identify Personal Health Information (PHI).
• Report Breaches to specific regulators.
• Protect the privacy of our customers’ customers.
• Have specific internal controls around employee behavior.

HIPAA only covers USA residents within the USA. 

What is ISO 27001, ISO 27017 and ISO 27018 Compliance and Why is it Important

F5 Distributed Cloud Services are ISO 27001 Certified with an extension of ISO 27017 and ISO 27018 

Global Support is ISO 27001 certified only

ISO 27001 is an international standard to manage information security. It is the world's best-known standard for information security management systems (ISMS). The ISO 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.

Conformity with ISO 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the organization, and that this system respects all the best practices and principles enshrined in this International Standard.

ISO 27001 promotes a holistic approach to information security by vetting people, policies, and technology. An information security management system implemented according to this standard ensures risk management, cyber-resilience, and operational excellence.

ISO 27001 is the only auditable international standard that defines the requirements of an ISMS that must be met. 

ISO 27001 is made up of –

93 Controls broken into 4 domains:

• Organizational
• People
• Physical
• Technological        

ISO 27017 is a Code of Practice for Information Security Controls based on ISO 27001 for Cloud Services and is an information security framework for organizations using cloud services. Cloud service providers need to comply with this standard because it keeps their cloud service customers (and others) safer by providing a consistent and comprehensive approach to information security.

ISO 27017 includes 37 controls based off the ISO 27002 guidelines.

ISO 27018 is Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting is PII Processors. This standard outlines best practices for public cloud service providers (CSPs) on how to better protect personally identifiable information (PII) that it processes.

ISO 27018 includes 16 Controls based off 27002 as well as 25 new privacy and security controls.

What is GDPR Compliance and Why is it Important

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It applies to all organizations, regardless of their location, that process the personal information of European citizens. This includes companies established outside the EU that offer goods or services to EU data subjects or monitor their behavior within the EU.

The GDPR has several key provisions, including:

• Consent: Organizations must obtain clear and explicit consent from individuals before collecting their personal data.
• Right to Access: Individuals have the right to know what data is being collected about them and how it is being processed.
• Right to be Forgotten: Individuals have the right to request that their data be deleted.
• Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format.
• Breach Notification: Organizations must notify individuals and authorities within 72 hours of a data breach.
• Privacy by Design: Organizations must consider data protection and privacy issues from the outset when designing systems, rather than as an afterthought.
• Data Protection Officers: Organizations must appoint a Data Protection Officer (DPO) to oversee GDPR compliance if they process large amounts of personal data.
• The GDPR also imposes strict penalties for non-compliance. It carries tremendous fines for non-compliance, up to 10% of F5’s total global revenue.

F5 Distributed Cloud Services’ SOC 2 Type II report has control mapping to the GDPR chapter/article.