
SSAE16, or maybe not…?

February 3rd, 2012 by Jon Greaves
Tags: Compliance, SAS70, SSAE16


Carpathia has a pretty unique vantage point when looking at the compliance landscape. We support a diverse group of customers across many parts of the government - DoD, Intel, Civilian agencies - as well as a wide array of commercial customers covering both common requirements like HIPAA/HITECH, PCI and SOX and more niche requirements like those imposed by the FDA. For that reason, we followed along with much interest as the venerable SAS70 reached the end of its shelf life and the industry prepared for its replacement. We've never been the kind of organization to issue press releases on our SAS70 audits like a lot of other hosting companies do -- even on a slow news day. It kind of seems like table stakes to us.


So as we were finalizing our own compliance reports this past period, I watched with interest as many hosting companies and auditors rushed to issue, or claim they had, an SSAE16-SOC2. If you Google who has SSAE16-SOC2, it's a pretty interesting group, including some big-name auditors. (Note: check the Google cache on the releases; many have now been corrected.)


What's wrong with an SSAE16-SOC2? Well, for starters, it doesn't exist. In layman's terms, SSAE16 comes in a couple of flavors, but it was designed, much like the original SAS70, to show controls in support of financial audits; it was not designed at all for data center operations.


In talking with our auditor, SSAE16 is very applicable if you are processing payroll, payment clearing, etc. It's also designed in such a way that if a control is lax (e.g., "we lock our doors at night") and the management team attests to the control, you can claim an SSAE16 audit. Since many organizations don't disclose which controls they have implemented, the value of the claim is really a house of cards. There is no such thing as SSAE16-SOC2. You could have an SSAE16 SOC1 report, issued as a Type 1 or Type 2.


SSAE16's cousin is SOC2. SOC stands for Service Organization Controls; it also comes in a few flavors and focuses on security, availability, processing integrity, confidentiality and privacy. SSAE16, on the other hand, is all about financial controls. What most hosting providers - including Carpathia - work on is SOC2, which is a good fit for a hosting organization.


So what does Carpathia have? Well, technically, our report is an AT101 Type 2 examination with ISAE3000 and SOC2 TSP 100 adaptations. It is available to our customers on request.


If you're a buyer of services who is using such standards to judge the fit of an organization, forget the alphabet soup of the standards for a moment and take my advice:

1. Ask for the full report, not just the summary or cover letter. In our experience, folks who do not wish to release the full report are worried about the depth of the audit or its relevance to the customer. Using "it's confidential" in this day and age should not be an excuse.

2. Read the details of the controls and pay special attention to the section that defines "tests of operating effectiveness and results." This is where auditors test, look for evidence and give opinions on the controls. Pay attention to any deficiencies noted and how they were remediated.

3. If your hosting provider offers multiple facilities, make sure the reports you are looking at cover the facilities you are interested in deploying to. All of the above-mentioned reports are specific to locations, not to the company as an entity.


My feeling is, as usual, that if there is an easy way and a hard way, we as an industry tend to take the more confusing path. I would imagine that for the next 12 months we will be explaining the differences between these standards and their applicability.


There is a lot of good reading on this topic. Please check out @ragjonlong or his blog; he is one of the more enlightening folks talking publicly about the standards and their evolution.

johnmelvin
Posts: 4
Comment
slxhKCDCzRDmLDx
Reply #3 on : Wed March 14, 2012, 21:30:31
Scott, Cloud isn't the problem. As long as there are auditable records of the security your cloud provider uses, and adequate documentation of the controls in place, there should be no issue. I have no issues with ours, and we've been doing this since the service bureau days. Auditors, in my experience, want to make sure that any system uses the proper security controls and methods, cloud or not, and that the right agreements are in place. If your auditors are going to be wary of cloud, they should be more wary of Iron Mountain or Scantek. That would make more sense.
Laurie Head
Posts: 4
Comment
Thanks
Reply #2 on : Wed February 08, 2012, 14:23:23
Good blog, Jon. More education like this needs to be set forth. It's worth noting that SSAE 16 more closely mirrors the European standard (unlike SAS 70), which is important to some companies. Look forward to meeting you one day here in VA. - Laurie Head, AIS Network
Jon Long
Posts: 4
Comment
Thanks for the mention!
Reply #1 on : Fri February 03, 2012, 11:15:59
Great article, and I really appreciate you mentioning my blog!
