An SSAE 16 Type II data center compliance checklist is essential for ensuring your facility fundamentally comprehends and understands all critical issues considered in-scope for today’s data centers and managed services providers. From providing basic “ping, power, and pipe” to essential managed O/S and application practices, data center SSAE 16 Type II assessments can vary widely, so take note of the following tips, guidelines and recommendations for reporting, provided by NDB Accountants & Consultants.
1. SOC 1 vs. SOC 2 for Data Centers. A growing debate amongst practitioners in the world of regulatory compliance is “what’s a better fit” for data center compliance, SOC 1 SSAE 16 reporting or SOC 2 AT 101 reporting? This debate has intensified in recent years, as both sides put forth credible merits for using either SOC 1 or SOC 2. Interestingly, many CPA firms now actually issue both SOC 1 and SOC 2 reports for data centers, with the SOC 2 report many times limited to just one or two of the actual five (5) Trust Services Principles. Whichever reporting option you choose, you should be fine (provided your SOC 1 report includes ICFR control tests), just remember to educate your clients on why you’ve chosen one over the other. If you decide to follow the trend of conducting both SOC 1 and SOC 2 reports, then you’re obviously fine.
2. Important Scope Considerations. Data centers are a business model like no other, offering a multitude of products and services for meeting customer’s needs and demands. It’s critically important to develop an audit scope that covers the minimum industry accepted baseline controls, while also providing any additional scope parameters for specialized services, such as managed hosting, cloud platforms. As for the “minimum industry accepted baseline controls”, a data center should include testing for the following operational and information security areas:
a. Executive Tone | Senior Management Initiatives.
b. Human Resources.
c. Customer Contract and Provisioning Process (Legal, administrative and all “onboarding” processes).
d. Change Management (for internal systems and customer facing environments).
e. Incident Response | Customer Support Services.
f. Shipping and Receiving Activities.
g. Logical Security (Access rights to both internal systems and customer facing environments).
h. Physical Security.
i. Environmental Security.
j. Backup, Replication, and Archival.
k. Business Continuity and Disaster Recovery Planning (BCDRP).
3. Managed Services. Many data centers offer much more than just traditional “ping, power, and pipe” - specifically - growing service lines include that of managed services for O/S and even application levels. Depending on customer needs, requirements, and overall expectations, SSAE 16 Type II data center compliance should include testing of these environments in regards to any number of control considerations, ranging from user access, network monitoring and performance, backups, etc. This is where’s it’s critical to communicate with all intended parties regarding the contents of such a report as expectations need to be met for comprehensive reporting.
4. SOC 1 SSAE 16 Reporting Platform. “Flexibility” – it’s probably one of the best words to describe the SSAE 16 reporting platform as it allows service organizations to essentially develop and test for controls they deem in-scope and relevant. Ultimately, this allows data centers to test a wide-array of control objectives for compliance, which provides tremendous value – according to supporters of the SSAE 16 standard for data centers.
5. SOC 2 AT 101 Reporting Platform. “Prescriptive” – without question the best term used to describe SOC 2 reporting as the Trust Services Principles (TSP) provide clear language on the relevant “criteria” to test for. Supporters of SOC 2 compliance reporting for data centers see this as comprehensive framework for testing a wide-array of technology related platforms, especially considering that there’s five (5) TSP to choose from.
6. Audit Efficiencies for SOC 1 | SOC2, PCI, HIPAA, and more. With an ever growing list of regulatory compliance mandates, it’s critically important to begin undertaking audit efficiencies – specifically – collecting essential evidence for overlapping areas of today’s main compliance initiatives. Hiring a proven and trusted audit firm – such as NDB Accountants & Consultants – can make all the difference in time and money spent on what’s becoming known as the Big Three: (1). SOC Audits, (2). PCI Assessments, and (3). HIPAA Security | Privacy Compliance. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
Interested in learning more about NDB’s SSAE 16 Type II data center compliance checklist and other services? Looking for a competitive, fixed fee for SOC reporting, PCI, and HIPAA? Call Chris Nickell at 1-800-277-5415, ext. 706 or email him at firstname.lastname@example.org today.