Home > IT controls, SAS 70, SOC 1, SOC 2, SOC Audits, SSAE 16 > How to know if your Data Center is Serious About Controls

How to know if your Data Center is Serious About Controls

Every day I get an alert from Google for any new press releases about SSAE 16 reports.  The vast majority of the alerts come from co-location and “cloud” data center providers.  I believe I have already beaten the “SSAE 16 is not intended for general IT controls” horse to death in other blogs so I won’t go into that.  What I will continue to bring up is the colo, data center,  and cloud industry’s apparent unwillingness to recognize the importance of the SOC 2 report, especially now that the AICPA and Cloud Security Alliance have endorsed SOC 2, along with the Cloud Controls Matrix, as “likely to meet the assurance and reporting needs of the majority of users of cloud services”.  http://www.journalofaccountancy.com/News/20137424.htm

I’m sure that many readers will jump all over the semantics of cloud vs. data center vs. colo.  But conceptually all three house IT infrastructure at a facility that is not controlled by the customer.  As a result, IT general controls (non-ICFR) are extremely important.  The reason SOC 2 exists is to address all those IT general controls.  A customer of a colo, data center, or cloud provider that maintains responsibility for the initiation, processing, and reporting of transactions through IT infrastructure housed at a remote facility should be asking their provider for a SOC 2.  The Trust Services Principles and Criteria are the pre-established general controls criteria that have been missing from SAS 70 and SSAE 16 reports.  Without some type of framework, SSAE 16 reports are subject to all manner of missing and irrelevant controls.  The inconsistency in both structure and content is one of the primary reasons that information security professionals laugh at the mention of SSAE 16 and SAS 70.

Does your data center, colo, cloud provider offer a SOC 2 report?  If so, you can be a lot more confident that they are serious about providing you with meaningful information regarding their IT general controls.  They have taken the time to understand the new AICPA standards for SOC reporting and have made the decision to provide the appropriate report to their customers.  If your provider is still providing  only the SSAE 16 report, you really need to read the report and ask yourself “What’s missing?” because chances are, there are important controls being glossed over or ignored.

An easy way to test your provider’s SSAE 16 report is to compare the controls being tested and described to any number of controls frameworks, including the Trust Services Principles and Criteria or the Cloud Controls Matrix or COBIT or whatever you think is the best and most appropriate for the services being provided.  Chances are you will find that the report is missing important details.


  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: