As the recent Target hacking demonstrated, it is vital for private information to stay that way. For Data102 and other datacenters that house large amounts of private and sensitive information, it is crucial to maintain appropriate controls and security, as well as to be able to deliver such reassurance to clients.
To give customers peace of mind, there are a number of standards that have been implemented to ensure that a datacenter can be trusted; these are outlined in the Statement on Auditing Standards No.70 (SAS70) and the Statement for Standards for Attestation Engagements No. 16 (SSAE16).
A service organization or service provider that is SAS70 and SSAE16 compliant is showing that they have been through a thorough audit examination and that control objectives and control activities—which typically include controls over information technology and corresponding processes—as well as safeguards have all been demonstrated to be adequate and effective.
Though SAS70 is a widely recognized auditing standard, it does not provide a list of pre-determined criteria; auditors must still follow standards set by the American Institute of Certified Public Accountants (AICPA) for fieldwork, quality control, and reporting. So, as of June 15, 2011, SSAE16 was created by AICPA with the goal of upgrading the US service organization’s standard of reporting so that it adheres with the new International Service Organization standard (ISAE3402). Since then, SSAE16 has managed to replace SAS70 as the top guide for reporting on service organizations.
A compliant datacenter provides a measure of benefits and value to its customers. They can retrieve reports and thus obtain valuable knowledge regarding the established controls and the effectiveness of those controls, which are known as Service Auditor’s Reports. There are two types of these reports:
- Type 1 provides a description of controls at a specific and particular point;
- Type 2 includes this description and provides details regarding the testing of controls over a period of six months. With a Type 2 report, customers can also determine whether these controls were in operation, satisfactorily designed, and operating productively. Without this report, there will be an assortment of requests for an audit and multiple visits can put a strain on resources. With a Service Auditor’s Report, customers and their auditors have access to the same information, which should be satisfactory to both parties.
A SAS70 & SSAE16 compliant datacenter proves a lot by having these examinations made. It sets itself apart from its peers by showing the installation of control objectives and adequately designed control activities. If customers use a datacenter that is not SAS70 & SSAE16 compliant, they will have to arrange for an auditor to pay a visit to that organization to examine its controls and operations, an action that will likely cost the customer money. More than that, though, you can be sure that a datacenter that is compliant, like Data102, can be trusted with your data.