Everyone knows there’s a new sheriff in town when it comes to reporting on security controls for data centers. Last year, the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) replaced the outdated Statement on Auditing Standards No. 70 (SAS 70 Type II). So, how is SSAE 16 different from SAS 70, and what makes it better for data centers?
Traditionally, service organizations working toward standardized and compliant security controls would publish an audit to report on operating effectiveness every six months. Colocation customers rely on these reports to demonstrate that their data center provider meets regulations and to show proof of compliance with Sarbanes-Oxley, PCI, etc.
As is true with any “changing of the guard,” data center providers must learn to articulate the differences between the standards and what they mean to our customers.
Problems with SAS 70
The problems with SAS 70 arise from discrepancies in audit scope and analysis procedures, the qualifications of the auditors, and loose interpretations of the final report. Also, the audit was not specifically designed to focus on information systems frameworks, especially complex infrastructures.
For a fresh approach and to keep pace with evolving accounting standards, the Auditing Standards Board of the American Institute of Certified Public Accountants released SSAE 16 in 2010, which officially replaced SAS 70 in the summer of 2011.
Key Attributes of SSAE 16
- Attestation – The new standard is not an audit, but an attestation. “Audit” is reserved for accounting purposes and financial statements.
- Description of System – Service providers must now describe the entire system instead of only controls. An online SSAE 16 resource guide describes the system as “the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization’s core activities that are relevant to user entities.” All components of the system are reported on for the same time period.
- Management Assertion – The new standard requires a written assertion by the service organization’s management to the CPA firm conducting the SSAE 16 process. This includes a description of the system, the suitability of the design, operating effectiveness and application of controls.
- Subservice Organizations – Organizations that use other service providers to perform some or all of the work within the system are now required to include them in the description of the system. This is handled in one of two ways. The first includes a description of the control objectives of the subservice provider in the description of the system. The other excludes the controls but demonstrates the monitoring of their effectiveness.
What Does this Mean for Data Center Customers?
Increased accountability for your service provider. By reviewing the controls in place AND the effectiveness of the controls, your service provider must be accountable for how they use the tools at their disposal.
It’s one thing to have sophisticated software to monitor data center access, but it’s another to prove you can effectively use it when needed and that you have contingencies for a disruptive event.
Secondly, the attestation is not a comparative rating, but when making a leasing decision, it can be a beneficial aid. If allowed, a business may review the attestation to determine whether a data center’s processes and competency are sufficient to meet its needs.
For example, if you were to encounter an inconsistency in a colocation provider’s security protocols, and security is of paramount importance to your organization, you can pass on that provider in favor of another that can reliably meet those needs.
SSAE 16 Disclaimer
Many data centers claim to be SSAE 16 certified, which is not correct. SSAE 16 is not a certification. It’s an attestation as of a specific date. Service providers should not represent themselves as SSAE 16 “certified” or SSAE 16 “compliant.” They should say they are compliant with SSAE 16.