Why Should Data Centers Have to Choose Between SSAE 16 and SOC 2?

Tuesday, April 17, 2012

Jon Long


There was a debate between two auditors about whether data centers need SSAE 16, captured in these two articles on Infosec Island: "Why Datacenters Need SSAE 16" and "Why Data Centers Don't Need SSAE 16."

Well, the jury is in, and the market has decided definitively that data centers need SSAE 16.

My question, however, is this: "Why do data centers have to choose between SSAE 16 and SOC 2?"

If SSAE 16 is applied correctly, controls that are not relevant to internal control over financial reporting (non-ICFR controls) should not be included in the report.

This means that, at the very least, Physical Security and Environmental controls have to be removed from the SSAE 16 report.

For more information about how to determine whether a control is non-ICFR, please refer to my post titled "Use Degrees of Risk Separation (DoRS™) to Determine ICFR / non-ICFR."

  • If Physical Security and Environmental controls are removed from SSAE 16 reports, customers are going to need to receive assurance about security and availability from another source.
  • That is where SOC 2 comes in. SOC 2 is designed to provide assurance regarding both security and availability, whereas SSAE 16 is not designed to, and cannot, provide assurance regarding security and availability.
  • While the market was trying to figure out which was the right report, the answer was right there in front of us. Data centers need both an SSAE 16 report and a SOC 2 report.

Remove non-ICFR controls from most data center SSAE 16 reports, and you will be left with a very thin report. This creates the need for a SOC 2, so that data centers can provide their customers with both the assurance that they will not cause a material misstatement (SSAE 16) and assurance regarding security and availability (SOC 2).

Some may be thinking, "What about cost? Won't two reports cost more than one?" The answer I give is that it will not cost more if the controls that were tested under SAS 70, and incorrectly under SSAE 16, map to the Trust Services Principles and Criteria (TSPC).

The reports themselves do not take much effort to compile, and therefore should not cost much, if any, more than one report. Where the additional cost comes in is when there are additional controls that need to be tested because of gaps between the existing report and the TSPC.

A DoRS analysis can help data centers separate out non-ICFR controls, and a TSPC mapping exercise can help data centers determine whether they will need to implement missing controls.

Doing these two things can help data centers determine whether to expect additional audit fees moving forward. If anyone needs any help, please let me know.

Jon Long, CISA, QSA is a Senior Manager and Practice Builder at CompliancePoint and is currently championing an audit approach that allows organizations to combine multiple compliance requirements into a single SOC 2 engagement.

Cross-posted from The Risk Assurance Guy
