The real problems in an SSAE 16 data center may be the ones you don’t see.
The reason is that SSAE 16 compliance takes two different forms, financial and operational. Compliance in one area does not imply compliance in the other, and the two are not interchangeable.
Where SSAE 16 Comes From
SSAE 16, short for “Statement on Standards for Attestation Engagements No. 16,” was created by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). It succeeds the earlier SAS 70 (Statement on Auditing Standards No. 70).
In general, it defines how service organizations report on their controls and compliance. For an SSAE 16 data center, it gives customers assurances about the standards that data center adheres to. But what kind of assurances?
The Key Differences between SSAE 16 SOC 1 and SOC 2
SSAE 16 reporting exists in different forms for data centers and other service organizations. The ones most commonly used are the SOC (Service Organization Controls) 1 and SOC 2 reports.
- SOC 1 deals with internal controls over financial reporting. It is intended for use in customers’ financial statement audits, as the preceding SAS 70 reports were. It exists in two sub-varieties: Type I and Type II. A Type I report covers the design of policies and procedures at a specified point in time. A Type II report covers their operation over a period of time (a minimum of six consecutive calendar months).
- SOC 2 was specifically created for technology-related service organizations, including data centers, cloud computing providers, and SaaS (Software as a Service) vendors. It can also be Type I or Type II, and can cover any number of the so-called Trust Services Principles: security, availability, processing integrity, confidentiality, and privacy.
For an objective measure of how well a data center provides an operational solution, the fullest report is the SSAE 16 SOC 2 Type II. This is the guarantee that a data center will perform to expectations in areas such as:
- Security: protection of systems against unauthorized access, use, or change
- Availability: adherence to service level agreements for system operation and use
- Processing integrity: complete, accurate, authorized, timely, and valid system processing
- Confidentiality: data specified as confidential is protected to agreed levels
- Privacy: personal information is handled in conformity with the service organization’s privacy notice and with the Generally Accepted Privacy Principles (GAPP)
Problems and Their Impact on Customers
If a data center cannot satisfy customers on the important Trust Services Principles, that is an issue in itself.
Whether or not real problems and damage occur, the risk alone already has an impact. It can prevent customers from fulfilling their own compliance obligations or put their own business goals in jeopardy. Without a statement of SSAE 16 SOC 2 compliance, customers have no way to tell whether such problems are likely.
A data center that is audited and found to fall short on one or more of the Trust Services Principles cannot claim compliance with those principles. However, it can work to improve its resources and processes to achieve audited compliance as an SSAE 16 data center afterward.
How do you rate SSAE 16 compliance compared to that of other standards, like ISO 27001? Give us your point of view in the space for comments below.