When I See a Can in the Road All I Want to do is Smash It

Jon Long's Profile

Right now, the "can" I really want to smash is the notion that SSAE16 provides assurance about Security, Availability, Processing Integrity, Confidentiality, and Privacy.  The AICPA has been clear from the beginning that SSAE 16 is not designed to provide assurance about these things, but somehow the message was not understood by the market last year.  For anyone who missed the video by Barry Melancon, President of the AICPA, please take a couple of minutes to watch.


I have my TweetDeck configured to alert me when anyone tweets about SSAE16.  Despite the AICPA's best efforts to educate the masses about the changes in the standards, here are a few of the ways SSAE 16 has been portrayed over the past few weeks:

  • We proved our data is secure by getting SSAE 16 certification
  • Achieving this certification validates our operation at all levels
  • SSAE 16 confirms that our clients are receiving the most reliable solutions
  • The SSAE 16 report validates our success in following industry standards
  • SSAE 16 compliance provides an extra measure of confidence that our managed services provider meets and exceeds the highest industry and regulatory standards
  • Successfully completing the SSAE 16 audit symbolizes maturity, safety, and security
  • Provides tangible proof of our commitment to delivering unsurpassed value, performance and security

All of these quotes can be found in the press releases under the SOC1 (aka SSAE16) heading at the bottom of this post.  There's just one problem: none of the statements above is true.  As Barry Melancon explains in the video I linked to above, there is no such thing as an SSAE16 certification, it is not an industry standard, and SSAE16 is not designed to provide assurance about any of the things listed above.


The news is not all bad though.  The five service organizations listed under the SOC2/3 heading understood the changes in the standards, and got it right the first time.  Here are a few of their quotes:

  • By meeting the criteria set forth in the Trust Services Availability Principle, the SOC2, Type II Report confirms that Internap’s data center security and operational procedures have been reviewed and tested by an independent certified auditor and validates that controls and processes are suitably designed and operate effectively to protect and safeguard customers’ equipment and data.
  • The SOC 2 examination evaluated the design and operating effectiveness of the Cbeyond Louisville data center controls for compliance with the security and availability criteria set forth in the American Institute of Certified Public Accountants Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Cbeyond Cloud Services processes, procedures and controls have been formally evaluated and tested by an independent auditing firm. This examination demonstrates that Cbeyond Cloud Services is compliant with the relevant security and availability criteria and that its customers are served and hosted in a secure, controlled facility.  

We need to collectively smash the "can" of junk assurance, that is, using SSAE16 to make assertions about security, availability, processing integrity, confidentiality, and privacy, by understanding the following:

  1. SOC1 (aka SSAE16) does not include any industry standards.  Its scope is the controls relevant to user entities' internal control over financial reporting, and each organization gets to decide which controls it wants tested; the service auditor performs tests only on those controls and reports on whether they are effective.  SSAE16 itself is a standard, but only one that governs service auditors, not the controls being examined.
  2. SOC2 is based on the Trust Services Principles and Criteria (TSPC), which address five domains: Security, Availability, Processing Integrity, Confidentiality, and Privacy.  The TSPC provide an objective common denominator for comparing service organizations.  Once a service organization has met these criteria, it can honestly say it complies with them.

I can't wait for the satisfying feeling I will get when I hear the CRUNCH of service organizations asking their service auditors for SOC2 reports rather than SOC1 (aka SSAE16) reports when they need to provide their customers assurance about their Security, Availability, Processing Integrity, Confidentiality, and Privacy.  Please also see my post on combining other criteria, such as the Cloud Security Alliance's Cloud Controls Matrix, the Payment Card Industry Data Security Standard, and ISO 27001, with a SOC2 engagement to reduce compliance costs.

SOC2/3

Internap Completes Transition from SAS 70 to SOC2 at Premium Data Center Facilities http://bit.ly/w85oRo

CBEYOND ONE OF FIRST SOC 2 COMPLIANT CLOUD COMPANIES  http://bit.ly/yT70rX

First Midwest Data Centers Achieve SOC 2 Compliance http://bit.ly/wBFycs

ViaWest Receives SSAE 16 Type II SOC 1 Report, SOC 3 Report, and PCI Report on Compliance  http://bit.ly/w41vic

DBSi Data Centers Successfully Complete Type II SOC 2 and SOC 3 Examinations http://bit.ly/A6teF1

U.S. Micro Earns Prestigious SOC 2SM Designation http://bit.ly/xij7rA

To Be Continued…

SOC1 (aka SSAE16)

Planet Data proves to clients their data is as secure as possible by getting SSAE 16 certification! http://bit.ly/yCQZUI  ELMSFORD, N.Y.

RagingWire Gains Certifications for Data Centers: Announces LEED Gold, Energy Star, SSAE 16 and PCI. http://bit.ly/x3dOPR  Sacramento, C

QTS moves to SSAE 16 accreditation | We’re proud to announce that our #datacenters have successfully transitioned from #SAS70 to #SSAE16 http://bit.ly/AjzjHK  Atlanta, GA

Earthnet, Boulder’s Data Center and Consulting Firm, Completes SSAE16 Type II Certification http://bit.ly/xO7L7q    Boulder, Colorado

TEAM Data Centers: Out with SAS 70 and in with SSAE 16 http://bit.ly/wqmXIs

Agile-1 Successfully Completes Annual SSAE 16 Type II Audit http://bit.ly/xeSc2m  TORRANCE, CA

Rising Medical Solutions Successfully Completes SSAE 16 http://bit.ly/x9u3MK  Chicago, IL

CoreXchange Announces Successful Completion of SSAE 16 Compliance http://bit.ly/wCc1Pa  Dallas, Texas

ePlus Completes Type 2 SSAE 16 Examination for Managed Services Center http://bit.ly/AbedGC  HERNDON, VA

KineticD Demonstrates Operational Excellence and Commitment to Cloud Security with SSAE 16 Audit http://bit.ly/wO40IC  TORONTO, CA

Lucernex Completes SSAE 16 Audit of Cloud Service Quality http://bit.ly/A203gk  Dallas, TX

OneNeck, achieves SSAE 16 compliance in its Arizona Data Centers http://bit.ly/xNq0NO  SCOTTSDALE, Arizona

Skytap Announces Compliance With SSAE 16 (SOC 1) Standards http://bit.ly/x6PM4U  SEATTLE, Washington

ViaWest Receives SSAE 16 Type II SOC 1 Report, SOC 3 Report, and PCI Report on Compliance  http://bit.ly/w41vic  Denver, Colorado

Windstream Hosted Solutions announces advanced data center compliance, providing customers with a higher level of protection http://bit.ly/yg9fPq  RALEIGH, North Carolina

XMission Achieves SSAE 16, Type 2 Audit Certification http://bit.ly/zVGrtX  Salt Lake City, UT

First To File Passes New SSAE 16 Audit for Third Year, without Exception, to Ensure Operational Visibility and Security Assurance for Clients http://bit.ly/zawLA9 San Mateo, CA

NaviSite Announces SSAE 16 SOC 1 Compliance | Compliance Demonstrates Commitment to Provide Custome. http://bit.ly/xk9D9B   Andover, MA

IO Receives SSAE 16 Type 2 Certification for Modular Data Centers  http://bit.ly/A8UeFX  Phoenix, Arizona

VUE Software Completes Rigorous SSAE 16 Evaluation  http://bit.ly/yTs6nw  COCONUT CREEK, Florida

Taulia Achieves SSAE 16 Compliance | Company Strengthens Its Commitment to Data Privacy with Latest Certification http://bit.ly/zP7Ymz  SAN FRANCISCO, CA

DuPont Fabros Technology, Inc. Announces Successful Completion of 2011 SSAE 16 Audits http://prn.to/wawKhD  WASHINGTON, DC

Equinix Announces SSAE 16 Standards Compliance for 39 Data Centers in North America http://bit.ly/ygWfrd  Redwood City, CA

Secure Data Recovery Services is a SSAE 16 / SAS 70 Certified data recovery provider located in Virginia  http://bit.ly/xAUb4G  Richmond, VA

nGenx, LLC Passes New SSAE 16 Service Organization Control (SOC) Exam http://bit.ly/ypF7nY Overland Park, KS

OATI Successfully Completes SSAE 16/ISAE 3402 Audit http://bit.ly/zPXzUM  Minneapolis, MN

Integrated Logistics is very proud to be SSAE 16 Certified and Sarbanes-Oxley Compliant.   http://bit.ly/wd2LPD Alpharetta, GA

To Be Continued…