For companies needing to meet Sarbanes-Oxley compliance, vendor selection is often filtered to those who have passed a SAS 70 audit, or its successor, the SSAE 16 audit and attestation (also called the SOC 1 audit and attestation).
While the SSAE 16/SOC 1 adds an attestation by management about the existence and functionality of controls, the SAS 70 and SSAE 16 audits are otherwise very similar. Because SAS 70 and SSAE 16/SOC 1 are so alike, it’s a natural assumption that the SOC 2 audit must also be closely related to the SOC 1 (SSAE 16). Don’t be misled: the SOC 2 audit is a completely different measurement of a service organization’s controls.
Few are aware that the SOC 2 audit introduces the first, and only, Sarbanes-Oxley compliance audit that provides a predefined and consistent set of criteria. Did you know that the SAS 70 and SSAE 16/SOC 1 audits are completely arbitrary?
Each company gets to choose the controls that it is audited against; it’s kind of like choosing your own final exam questions. This means that no two SAS 70 or SSAE 16/SOC 1 audits are the same. You have to read the fine details of the documented controls to know how one company compares to another. Some companies specify a handful of controls; others specify dozens. Both can pass a SAS 70 or SSAE 16/SOC 1 audit. See the problem?
SOC 1, SOC 2 & SOC 3 Report Comparison
In April 2010, the AICPA (American Institute of Certified Public Accountants) announced the replacement of SAS 70 by a new and refined auditing standard, the Statement on Standards for Attestation Engagements or SSAE 16. While SAS 70 was originally intended for financial and accounting auditing, the SSAE 16 audit was established to verify data center operational and security excellence.
In addition to SSAE 16, three new reports have also been established as the framework for examining controls at a service organization, aptly named Service Organization Control (SOC) reports.
Why Is A PCI Compliant Environment So Expensive?
Because it’s worth it. It’s the one that really helps an executive sleep at night.
We’ve done HIPAA, SAS 70, SSAE 16, SOC 1/SOC 3 audits, but PCI DSS does the deepest dive, by far. PCI includes source code reviews, requires custom penetration testing and well-documented procedures, policies and change management processes.
PCI is also very prescriptive about the technology you must deploy, compared to other compliance standards. For example, HIPAA requires you to logically secure data, but it doesn’t specifically state the use of a firewall.
The PCI audit specifically states that you must use a firewall and numerous other technologies to logically protect cardholder data. It’s those prescriptive solutions that drive up the cost of passing an audit.
2011 Ann Arbor Data Center Open House
Thank you to everyone that attended our 2011 Ann Arbor Open House!
For photos of presenters, data center tours and more, view our OT Flickr page for glimpses of the event. All photographs were taken by Noah Wolff of our Operations team.