Compliance with LokkBox Online Backup

Overview

Regulatory compliance has become an enormous component of many businesses and often takes significant money and resources to achieve and maintain. LokkBox online backup helps you to meet and exceed compliance requirements as they relate to the backup and storage of your valuable business data.

Achieving compliance is critical and we've made that simple and worry-free.

Sarbanes Oxley (SOX)

By choosing online backup, our customers ensure that stringent off-site storage requirements are met automatically. Data is uploaded to a SAS 70 Type II data center (and can also be simultaneously backed up to local storage using the same encryption), thus meeting common regulatory requirements such as Sarbanes-Oxley. Media-based backup systems require the media (tapes, disks) to be collected, stored and, in the case of a required restore, retrieved at great expense.

In addition, all of your data is compressed and encrypted using 256-bit encryption before being delivered to our servers. Your LokkBox Online Backup Manager password serves as your encryption key and can be changed at any time. All encryption takes place on your local server, and encryption keys are never transmitted as part of your backup job. Transmission of your data to the LokkBox servers is done over 128-bit encrypted SSL links. Decryption of your data is only possible using the encryption key, so no one but you will ever have access to your data, not even us.

All of LokkBox's facilities are fully redundant N+1 data centers that have achieved SAS 70 Type II certifications. We maintain redundant hardware, hot spares, and continuous replication to ensure the protection and availability of your valuable data. We also employ multiple, redundant internet connections that are secured using industry-leading hardware and software.

Payment Card Industry (PCI)

In response to the increase in identity theft and security breaches, major credit card companies collaborated to create the Payment Card Industry Data Security Standard (PCI DSS) for merchants, processors, and point-of-sale providers handling and storing sensitive account information. PCI DSS is a standard that is applied to organizations and their security practices rather than to individual products. Though the LokkBox Online Backup Service is not a component of credit card processing transactions and is not directly storing credit card processing data, LokkBox recognizes that some customers may choose to back up sensitive information.

Organizations processing credit cards and storing credit card information are responsible for establishing, testing, and maintaining security practices that keep sensitive information safe. While the PCI Security Standards Council, which manages the requirements, levies no penalties itself, credit card issuers and financial institutions can enforce PCI DSS compliance by offering incentives and issuing fines. The current PCI DSS Version 1.2 outlines 12 procedures and system requirements to secure Primary Account Number (PAN) information.

Payment Card Industry Data Security Standard (PCI DSS) Requirements

The 12 PCI DSS requirements are organized into six main categories and mandate the proper use of firewalls, message encryption, access controls, network monitoring and the need for an information security policy. To be fully compliant, an organization must satisfy all 12 requirements.¹

Maintain a Secure Network: Requirements 1 and 2

*Install and maintain a firewall configuration to protect cardholder data
*Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data: Requirements 3 and 4

*Protect stored cardholder data
*Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program: Requirements 5 and 6

*Use and regularly update anti-virus software
*Develop and maintain secure systems and applications

Implement Strong Access Controls: Requirements 7, 8, and 9

*Restrict access to cardholder data by business need-to-know
*Assign a unique ID to each person with computer access
*Restrict physical access to cardholder data

Regularly Monitor and Test Networks: Requirements 10 and 11

*Track and monitor all access to network resources and cardholder data
*Regularly test security systems and processes

Maintain an Information Security Policy: Requirement 12

*Maintain a policy that addresses information security

While there is no PCI certification process for products, as a leading Online Backup service provider serving many industries that must adhere strictly to PCI standards, LokkBox takes these guidelines very seriously. Customers who have gone through their own PCI DSS compliance process understand that PCI does not mandate that they store credit card data, but does mandate that sensitive data be stored in a secure, encrypted manner.² Any data stored with LokkBox will also be protected by network security measures validated by PCI DSS. With LokkBox Backup, you also have the option to maintain as much of that sensitive data onsite as you like. In addition, LokkBox offers the following security features to protect all data that is backed up and sent offsite:

*Before being sent offsite, data is encrypted using the AES 256-bit algorithm
*Data is transferred to and from LokkBox data centers using 128-bit encryption
*Access to data is determined only by the designated LokkBox administrator(s) in your company
*Storage networks at the LokkBox data centers are on a secure network and protected behind firewalls
*All transfers of backup data into and out of LokkBox are encrypted and authorized.

For more information about PCI DSS Compliance, please visit the PCI Security Standards Council Web site at http://www.pcisecuritystandards.org.

¹ PCI Security Standards Council, “About the PCI Data Security Standard (PCI DSS)”, https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
² PCI Security Standards Council LLC, “Ten Common Myths of PCI DSS”, June 2008, https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA (the Health Insurance Portability and Accountability Act of 1996) was enacted to improve the access and portability of patient health records while maintaining strict privacy and security of electronically transmitted private information. Health agencies that fail to comply with HIPAA's regulations now face strict fines and penalties.

How LokkBox helps you comply with HIPAA's Privacy Rule:

*Secure Transmission - LokkBox uses bank-level 128-bit AES encryption to transmit and store your data, using a personalized encryption key that you choose and that (unlike with our competitors) only you have access to.
*Physical Access - Using LokkBox ensures secure, offsite data storage. Our SAS 70 Type II certified data center and its mirrored data center feature the tightest physical and technical safeguards to prevent unauthorized access. Both are hardened facilities with limited administrative access, restrictions on physical access, motion detectors and camera tracking.
*Logical Access - Logical access to backed-up data is controlled with a secure user interface. Users can choose a custom encryption key as another layer of security, or change the password if they feel the original has been compromised.

How LokkBox helps you comply with HIPAA's Security Rule:

*Using LokkBox helps reduce your Security "Media Control" risks by eliminating the insecure data-handling practices that come with traditional disk or tape backup.
*Files are securely transmitted to LokkBox's data centers using encryption and Secure Sockets Layer (SSL) authentication, with access controls, auditing mechanisms, and event reporting as required by HIPAA's Security Policy.