SOC 2 for managed services organizations, such as those offering managed network, O/S, and application-specific services, is a growing trend, ultimately requiring many organizations to become compliant with the AICPA Service Organization Control (SOC) reporting framework. It's thus critically important to understand scope considerations for SOC 2 managed services reporting, along with other essential issues for ensuring an efficient and cost-effective assessment process. Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance. As such, take note of the following critical points regarding SOC 2 managed services assessment reporting.
1. Properly define scope. Keep in mind that the SOC 2 framework allows service organizations to report on up to five (5) of the Trust Services Principles. Some organizations report on only one, maybe a few, while others undertake assessments covering all five of the TSPs. What dictates how many of the TSPs are included for reporting is simply the set of services one is seeking to include within the scope of the assessment. This essentially comes down to your managed service offerings. From a minimum baseline perspective, expect to include the following TSPs in a SOC 2 managed services assessment: (1) Security, and (2) Availability. Together, these two (2) TSPs encompass the critical security measures applicable to a managed services entity.
SOC 2 data center compliance is becoming mandatory for many facilities throughout North America, from those offering basic co-location to those offering fully managed services. It's critically important to gain a comprehensive understanding of the following important points regarding SOC 2 data center compliance, brought to you by NDNB Accountants & Consultants.
1. SOC 1 vs. SOC 2. While a large number of data centers still undertake SOC 1 SSAE 16 compliance, a gradual shift is occurring whereby SOC 2 is now also being required by interested parties. Because of the large and ever-growing technology landscape within data centers, SOC 2 compliance has long been considered a natural fit for compliance purposes, and this theme seems to be taking firm root. In fact, many data centers are now opting solely for SOC 2 compliance, or at the very least undertaking a limited-scope SOC 2 assessment in conjunction with their annual SOC 1 SSAE 16 reporting. Both SOC 1 and SOC 2 are beneficial for data center reporting – and each has strong supporters – but the key is adhering to client demands and the overall expectations of customers, prospects, and other intended users of the report regarding compliance reporting.
2. The Trust Services Principles. SOC 2 data center compliance includes using the comprehensive Trust Services Principles (TSP), which consist of the following five (5) criteria-based provisions:
Security: The system is protected, both logically and physically, against unauthorized access.
Availability: The system is available for operation and use as committed or agreed to.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information that is designated "confidential" is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity's privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants.
3. Which TSPs to Utilize? A big debate in SOC 2 data center compliance is which of the TSPs to actually use. Auditors, practitioners, and other interested parties all have their opinions and assumptions, which, to no surprise, often vary. The most important element to understand is that all five (5) of the TSPs have applicability when it comes to SOC 2 data center compliance, so it's important to identify client reporting needs and how they correlate to the services a data center offers. Speak to a trusted, proven expert regarding SOC 2 data center compliance, and that's NDNB Accountants & Consultants.
4. Deliverables from the Service Organization. Management of the service organization (specifically, the company undertaking SOC 2 reporting) will need to develop a written description of its "system," along with providing the auditors with a written statement of assertion. Both the description of the "system" and the assertion can be developed with assistance from the CPA firm hired to perform the actual SOC 2 assessment. Contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, to obtain a competitive, fixed fee for SOC 2 Type 2 compliance. NDNB also offers PCI DSS services, along with HIPAA, FISMA, and many other regulatory compliance assessments.
SOC 2 compliance for data centers has become a common reporting platform due to the five (5) Trust Services Principles used for SOC 2 reporting, many of which are ideally suited for reporting on today's growing number of technology-oriented service providers. With Software as a Service (SaaS) and on-demand technology offerings growing larger every year, data centers are quickly becoming the main providers of the core network infrastructure supporting such platforms.
From critical network-layer protection – such as firewall, web filtering, and IDS services – to managed O/S and managed application offerings, data centers are front and center in today's growing world of technology services. As such, heavy regulatory compliance burdens continue to be placed on such facilities, with traditional assurance reporting having been the historical SAS 70 auditing standard, along with the current AICPA SSAE 18 standard.
SOC 2 Compliance for Data Centers is Growing - Learn Why
But a shift has occurred, one that started in 2012, with more and more data centers and managed services providers opting for SOC 2 reporting, either in conjunction with SOC 1 SSAE 18 reporting or by requesting SOC 2 compliance alone. Why? Because all parties involved in third-party assurance reporting (i.e., auditors, clients, intended users of such reports, regulators, etc.) have become more informed, educated, and aware of the benefits of the SOC 2 framework and the five (5) Trust Services Principles.
It means clients and other interested parties utilizing data center services will continue to push for SOC 2 reporting – and that's good for the industry – as the SOC 2 framework is an excellent platform for testing and validating critical areas within a data center's daily operational practices. With that said, take note of the following critical points regarding SOC 2 compliance for data centers, brought to you by NDNB Accountants & Consultants, national providers of SOC compliance and numerous other assessment services.
1. Which Trust Services Principles (TSP) to use? There are five (5) Trust Services Principles that can technically be used for SOC 2 reporting, yet for data centers – at a minimum – the "security" and "availability" TSPs should be included, as they highlight essential controls and best practices used by such entities.
3. SOC 2 compliance is flexible and adaptable. Though the Trust Services Principles put forth specific language regarding each "principle" and its related "criteria," the framework still allows a fair amount of flexibility as to what suffices for meeting its intent, rigor, and spirit. It's prescriptive in nature, yet still flexible and adaptable, making it an excellent choice for reporting on today's complex technology service providers. From data centers to Software as a Service (SaaS) entities, SOC 2 is becoming a familiar face, and for very good reasons. More specifically, it means SOC 2 is an excellent framework for reporting on everything from basic data center "ping, power and pipe" controls to those relating to managed services, such as managed O/S and managed applications.