SOC 2 data center compliance is becoming mandatory for many facilities throughout North America, from those offering basic co-location to those offering fully managed services. It’s critically important to gain a comprehensive understanding of the following five (5) important points regarding SOC 2 data center compliance, brought to you by NDNB Accountants & Consultants.
1. SOC 1 vs. SOC 2. While a large number of data centers still undertake SOC 1 SSAE 16 compliance, a gradual shift is occurring whereby SOC 2 is now also being required by interested parties. Because of the large and ever-growing technology landscape within data centers, SOC 2 compliance has long been considered a natural fit for compliance purposes, and this theme seems to be taking firm root. In fact, many data centers are now opting solely for SOC 2 compliance, or at the very least, undertaking a limited-scope SOC 2 assessment alongside their annual SOC 1 SSAE 16 reporting. Both SOC 1 and SOC 2 are beneficial for data center reporting – and they each have strong supporters – the key is adhering to client demands and the overall expectations of what customers, prospects – and other intended users of the report – are seeking regarding compliance reporting.
2. The Trust Services Principles. SOC 2 data center compliance includes using the comprehensive Trust Services Principles (TSP), which consist of the following five (5) criteria-based provisions:
Security: The system is protected, both logically and physically, against unauthorized access.
Availability: The system is available for operation and use as committed or agreed to.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants.
3. Which TSPs to Utilize? A big debate for SOC 2 data center compliance is which of the actual TSPs to use. Auditors, practitioners and other interested parties all have their opinions and assumptions, which, to no surprise, often vary. The most important element to understand is that all five (5) of the TSPs have applicability when it comes to SOC 2 data center compliance, thus it’s important to identify client reporting needs and how they correlate to the services a data center offers. Speak to a trusted, proven expert regarding SOC 2 data center compliance, and that’s NDNB Accountants & Consultants.
4. Deliverables from the Service Organization. Management of the service organization – specifically, the company undertaking SOC 2 reporting – will need to develop a written description of its “system”, along with providing the auditors with a written statement of assertion. Both the description of the “system” and the assertion can be developed with assistance from the CPA firm hired to perform the actual SOC 2 assessment. Contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, to obtain a competitive, fixed fee for SOC 2 Type 2 compliance. NDNB also offers PCI DSS services, along with HIPAA, FISMA, and many other regulatory compliance assessments.