Published by David Angotti on February 7, 2014.
Statement on Standards for Attestation Engagements (SSAE) No. 16 may not be a term you’re familiar with, but it is the attestation standard that replaced its predecessor, Statement on Auditing Standards No. 70 (SAS 70), for reporting on service organizations, and it has direct implications for business owners who pay for data center services or who provide them.
Historically SAS 70 was designed to audit the controls a particular service provider had put in place, but it was a U.S. auditing standard that was not aligned with international audit standards (its international counterpart is ISAE 3402, with which SSAE 16 was written to converge), a growing concern as U.S. markets continue shifting towards international accounting standards such as IFRS. The marketplace as a whole needed a standard flexible enough to cover a wide variety of services and service solutions while still giving the responsible parties confidence that appropriate controls were in place and were being applied consistently by third-party service providers.
SSAE 16 is a Business Owners Advocate
SSAE 16, issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) and aligned with the International Auditing and Assurance Standards Board’s ISAE 3402, is, in its most basic form, an attestation standard for reporting on the controls a service provider makes available to its customers. The older SAS 70 was an auditing standard that is no longer sufficient for modern business processes and international accounting standards.
SSAE 16 gives the service provider (in our case a data center) more freedom to design the systems and processes needed to provide acceptable levels of security and protection for your most mission-critical data, and to revisit and improve those controls as the market inevitably changes. That flexibility, combined with an annual examination by an independent third-party CPA firm, benefits the provider’s customers: as technology and businesses evolve, security measures and policies can adjust in step, and the examination confirms that the controls are actually being applied in the data center rather than merely documented.
The SSAE 16 standard also requires the data center to write a “description of the system”, which is far more expansive than the SAS 70 description of controls. It details the processes, policies, procedures, personnel and operational activities that deliver the services relevant to customers. This is a major step forward for customers: SAS 70 only required a description of the ‘controls’ in place, without describing the overall ‘system’ (people, processes, procedures, etc.) that works as a whole to support that control structure, which left plenty of room for error and omission.
Even better for customers, each year as part of the SSAE 16 examination the data center’s management must provide a written “management’s assertion”, in which management asserts that the description of the system is fairly presented and that the controls were suitably designed and, for a Type II report, operating effectively throughout the period covered, measured against the criteria used to evaluate them. As a business owner paying for third-party data services this is a significant win: it puts management’s name behind the claims, and in practice it makes the data center’s management take its processes, procedures and controls even more seriously, since they have to back them up with a signed statement. That is not a light matter for a large organization serving hundreds or even thousands of customers, all with valuable data and significant privacy and security concerns.
Built for the Future and Transparency
But SSAE 16 is bigger than a more flexible, future-proof auditing standard for third-party service providers: it is about a new level of transparency for their customers. Because SSAE 16 requires that a detailed description of the systems and controls that provide consistent, acceptable levels of security and conformity to policies and procedures be written down and then attested to, it surfaces control weaknesses during the examination, rather than leaving them to the ‘after the fact’ findings typical of older auditing standards. It also signals a commitment by the management team to be proactive, not reactive, in applying best-practice security, procedures and controls, and in offering the highest level of service to its customers.
So Does SSAE 16 Compliance Matter?
The answer is a resounding yes.
A data center that maintains its SSAE 16 reporting year after year is signalling a high level of commitment to security, quality of service, and protection of your most valuable data and data center needs. Does that mean a data center without an SSAE 16 report is not committed to high quality service, security, policies and procedures? Not necessarily, but as a business owner and customer it should certainly be reason enough to pause and research the company heavily before signing on the dotted line, and to ask for proof that your rigorous corporate policies and controls can be met and were adhered to. Even with a report in hand, read it rather than relying on the ‘compliant’ label: check the period it covers (a Type II report covers a span of months, while a Type I is a point-in-time snapshot), which controls and locations are in scope, the auditor’s opinion, and any exceptions noted. Bear in mind too that an SSAE 16 (SOC 1) report is scoped to controls relevant to customers’ financial reporting; if security is your primary concern, ask whether the provider also holds a SOC 2 report.
Have questions about how the SSAE 16 auditing process works at ColocationGuard? Contact us – we’d love to speak with you about our industry leading HIPAA and SSAE 16 Type II compliant colocation services as well as the stringent systems and processes we have in place to ensure top tier security for your data.