SAS 70, SSAE 16, SOC 2 and SOC 3 Data Center Standards

Posted: Feb 21, 2011

Written by Mike Klein of Online Tech

I just got off the phone with our data center auditors, UHY LLP, with an update on what's going on in the world of SAS 70, SSAE 16, SOC 2 and SOC 3 auditing standards for data centers.

SAS 70 (Statement on Auditing Standards No. 70) has been around for nearly 20 years. First released in 1992, it has been the gold standard for data center users seeking assurance that their data center is secure and operating under proper control systems. The problem with the SAS 70 standard, according to the American Institute of CPAs (AICPA), is that SAS 70 was never designed to be used by service organizations that offer colocation, managed servers or cloud hosting services. It was focused on internal controls over financial reporting.

A SAS 70 audit only verifies that the controls and processes the data center operator has in place are actually followed. There is no minimum bar that the operator has to meet and no benchmark against which operators can be held accountable. A data center with strong controls and processes can claim the same level of audit as one with weak controls and systems. The only way a user can tell the difference is to read through the detailed audit report.

A prevalent misunderstanding about SAS 70 is that, after completing a SAS 70 audit, a data center or other service organization becomes "SAS 70 Certified". No such official certification exists for SAS 70. Many service providers that have been through a SAS 70 audit have created their own logo to fill the gap, which itself shows the demand for a real certification issued by outside auditors.

Enter SSAE 16, SOC 2 and SOC 3 auditing standards.

SSAE 16 (Statements on Standards for Attestation Engagements No. 16) is the next generation of AICPA standards for reporting on controls at service organizations (including data centers) in the United States. SSAE 16 goes beyond SAS 70 by requiring the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed. SSAE 16 also provides better alignment with the international audit standard ISAE 3402.

New Reporting Options

Under the new AICPA reporting standards, an audit conducted under SSAE 16 results in a Service Organization Control (SOC) 1 report. These reports are still focused on controls relevant to internal control over financial reporting. In essence, the SOC 1 report is the deliverable once the SSAE 16 audit is complete.

As with the old SAS 70, SOC 1 reports will be available as Type 1 or Type 2 reports. A Type 1 report presents the auditors' opinion regarding the accuracy and completeness of management's description of the system or service, as well as the suitability of the design of controls, as of a specific date. A Type 2 SOC 1 report includes the Type 1 criteria and also audits the operating effectiveness of the controls throughout a declared time period, generally between six months and one year. As with SAS 70, there is no official SSAE 16 or SOC 1 certification.

SOC 2 and SOC 3 provide much more stringent audit requirements, with a stronger set of controls and requirements specifically designed around data center service organizations. SOC 2 and SOC 3 provide a standard benchmark by which two data center audits can be compared against the same set of criteria. In contrast to an SSAE 16 engagement, where the data center operator defines the criteria for the audit, the SOC 2 report uses specific pre-defined control criteria related to 1) security, 2) availability, 3) processing integrity, 4) confidentiality or 5) privacy of a system and its information.

SOC 2 provides what was missing from SAS 70 and SSAE 16 – a standard benchmark by which two data center audit reports can be compared, so the reader can be assured that the same set of criteria was used to evaluate each.

SOC 3 reports provide the same level of assurance about controls over security, availability, processing integrity, confidentiality and/or privacy as a SOC 2 report, but the report is intended for general release. It does not contain the detailed description of the testing performed by the auditor; instead it gives a summary opinion regarding the effectiveness of the controls in place at the data center or service organization.

SOC 3 also meets the demand that high tier data center operators have been screaming for – Certification! Once the auditor is assured that the data center operator has met the trust services criteria, the company can display the SOC 3: SysTrust for Service Organizations seal.

[Image: SOC 3 Certified Data Center seal (SOC 3 Certification)]

While this seal still looks like it was designed by a CPA, it's a huge step in the right direction.  (I'm guessing that unless the AICPA adds some marketing flair to the certification logo, companies will create their own logos that clients and users can more readily understand.)

Now, high quality colocation, cloud hosting and Software-as-a-Service (SaaS) providers have a standard and a certification process they can adhere to. SOC 2 and SOC 3 provide data center users a high level of assurance that their data center is secure, highly available and operating under a consistent set of high integrity processes.

SOC 2 and SOC 3 – Welcome Standards to the Data Center Industry

SOC 2 and SOC 3 are welcome standards to our industry.  They will raise the bar for some, and allow others to shine under the stringent processes they are already running under.  Users will get what they've been looking for – a standard benchmark against which to compare data center operators.

High quality colocation, managed server, cloud hosting and SaaS providers will get what they've been looking for – a certification process that provides their users a high level of assurance about the quality of their data center security, availability and process integrity.

Source: http://www.articlesbase.com/databases-articles/sas-70-ssae-16-soc-2-and-soc-3-data-center-standards-4278948.html