SOLICITATION # CH16012

customer data. The overriding requirement of the assigned classification is that customer data remains hosted in the private cloud until the customer terminates their subscription. It is never stored anywhere apart from the private cloud.

Customers remain the data owner and data controller for all data placed into their instance. ServiceNow does not examine, inspect, monitor or analyze customers' data.

Customers apply access controls to restrict access to data within their instances based on their own requirements and needs, including their own data classification.

QTS

QTS understands the growing number of requirements along with the complexity of managing the high cost-risk if you are not in compliance, and makes compliance a top priority. Our dedicated QTS Internal Audit team is focused on helping you define controls and processes to meet your ever-expanding compliance requirements. We are steadfast in protecting your data with the commitment to allocate required resources, technology and controls to not only help you achieve and maintain compliance today, but to expertly support your needs as they inevitably grow and change in the future.

QTS tackles compliance differently. We provide a flexible, integrated approach to meet the IT compliance and regulatory needs across a wide variety of industries, from Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) to U.S.-EU Safe Harbor. Our approach reduces the complexity and workload to effectively support their compliance efforts.

SAP

Ariba

Our security framework, which consists of semi-annual independent third party AICPA audit under the Trusted Services Principles of security, confidentiality, process integrity and availability as well as annual certification by an independent Qualified Security Assessor for PCI DSS, is highly aligned with the NIST controls.

Our security framework and cloud services are designed to receive, process and store data sets of a commercial business-to-business nature and are multi-tenant and international in scope. FISMA/NIST is designed to protect US government data that can include classified information as well as sensitive PI such as ePHI and SSNs or government identifiers.

We practice data avoidance where these data sets are concerned primarily to reduce the risk to us and to our customers but also to avoid additional regulatory compliance which has onerous reporting and high costs which would have to be passed on to our customers. Where FISMA regulated entities can take advantage of our solutions, the data sets they expect to store must be validated to avoid being under regulatory requirements beyond what we can provide in terms of both security as well as reporting.

Fieldglass

Fieldglass has based its security program on the ISO 27002 security standard and has maintained its ISO 27001 certification since February 2011. However, to ensure that a robust security framework was developed, additional controls were added and/or modified based on COBIT DS5 Ensure Systems Security, specific NIST special publications, and vendor specified best practices. Fieldglass uses an SSAE 16 audit with a twelve-month audit cycle to validate that the controls defined within the security framework are operating effectively.

HANA

SAP will show the compliance with the SAP Cloud Security Framework by the compliance audits and/or certification audits only as it pertains to the HANA Enterprise Cloud. SAP Cloud and Infrastructure Delivery's Security, Risk & Compliance Office has developed the Integrated