How do data center security validate to customers that their facility is secure?
By getting it audited and certified.
This is good for both the data center and its customers.
According to the Ponemon Institute’s 2017 Cost of Data Breach Study, the average total cost of a data breach is $3.62 million. And the size of data breaches has gone up 1.8% since last year.
You want to prevent that from happening. That’s why you use a security audit.
Let’s take a look at the most well-known auditing standard used around the world and then we’ll see how it’s been updated and what you need to know about the new standard.
The U.S. Data Center Auditing Standard: SAS 70
Statement on Auditing Standards No. 70 (SAS 70) is been the audit/compliance certification of data centers since 1992.
SAS 70 was developed by the American Institute of Certified Public Accountants (AICPA) which is an association made up of 370,000 CPA members in 128 countries who work in various industries.
SAS 70 became the auditing standard for the United States and for many companies and organizations in other countries.
When an examination is performed in accordance with SAS 70, it means that an organization has undergone a rigorous and in-depth inspection of their objectives, activities, and controls.
A CPA firm and a data center security expert typically perform this audit together.
Within SAS 70 there are two types of audits:
- Type 1
- Type 2
A Type 1 test will assess an organization’s controls along with the accuracy and integrity of their system or service as it pertains to a specific date or single point in time.
A Type 2 test includes the Type 1 audit but goes further and examines the operating effectiveness of the controls during a specified period of time, often 6-12 months. Throughout the time period of a Type 2 test, auditors will visit your organization and review your controls to ensure they’re in place.
But SAS 70 is no longer the standard…
It’s become SSAE 16.
What is SSAE 16?
While SAS 70 was important, SSAE 16 updated its audits for the modern age.
Since 2010, the Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization officially became the data center auditing standard and replaced SAS 70.
SSAE 16 relies on the SAS 70 Type 1 and 2 audits, but it adds the Service Organization Control (SOC) reporting framework, which is broken down into SOC 1, 2, and 3.
SOC 1 is used to report on an organization’s financial accounting and reporting practices. Basically, everything that has to do with your financial reports. SOC 1 is the least relevant to data security.
SOC 2 and 3, on the other hand, focuses on the following criteria:
- Processing Integrity
The SOC framework was seen as critical to put in place by the AICPA because of the rise in data center hosting, SaaS, and cloud hosting.
If you want to make sure your facility is secure and your customers' information is protected, then consider having an SSAE audit performed on your data center.