Carpathia has a pretty unique vantage point when looking at the compliance landscape. We support a diverse group of customers across many parts of the government (DoD, Intel, Civilian agencies) as well as a wide array of commercial customers covering both common requirements like HIPAA/HITECH, PCI and SOX and more niche requirements like those imposed by the FDA. For that reason, we followed along with much interest as the venerable SAS70 reached the end of its shelf life and the industry prepared for its replacement. We've never been the kind of organization to issue press releases on our SAS70 audits like a lot of other hosting companies do, even on a slow news day. It kind of seems like table stakes to us.
So as we were finalizing our own compliance reports this past period, I watched with interest as many hosting companies and auditors rushed to issue, or claim they had, an "SSAE16-SOC2". If you Google who has SSAE16-SOC2, it's a pretty interesting group that includes some big-name auditors. (Note: check Google's cache of the releases; many have since been corrected.)
What's wrong with an SSAE16-SOC2? Well, for starters, it doesn't exist. In layman's terms, SSAE16 comes in a couple of flavors, but, much like the original SAS70, it was designed to demonstrate controls in support of financial audits, not for data center operations.
From our conversations with our auditor, SSAE16 is very applicable if you are processing payroll, payment clearing, etc. It's also designed in such a way that if a control is lax (e.g., "we lock our doors at night") and the management team attests to the control, you can claim an SSAE16 audit. Since many organizations don't disclose which controls they have implemented, its value is really a house of cards. There is no such thing as SSAE16-SOC2. You could have an SSAE16 SOC1 report, issued as a Type 1 or Type 2.
SSAE16's cousin is SOC2. SOC stands for Service Organization Controls; it also comes in a few flavors and focuses on security, availability, processing integrity, confidentiality and privacy. SSAE16, on the other hand, is all about financial controls. What most hosting providers, including Carpathia, work on is SOC2, which is a good fit for a hosting organization.
So what does Carpathia have? Well, technically, our report is an AT101 Type 2 examination with ISAE3000 and SOC2 TSP 100 adaptations. It is available to our customers on request.
If you're a buyer of services who uses such standards to assess the fit of an organization, forget the alphabet soup of standards for a moment and take my advice:
1. Ask for the full report, not just the summary or cover letter. In our experience, folks who do not wish to release the full report are worried about the depth of the audit or its relevance to the customer. Using "it's confidential" in this day and age should not be an excuse.
2. Read the details of the controls and pay special attention to the section that defines the "test of operating effectiveness and results." This is where auditors test, look for evidence and render opinions on the controls. Pay attention to any deficiencies noted and to their remediation.
3. If your hosting provider offers multiple facilities, be careful to ensure the reports you are looking at cover the facilities you are interested in deploying to. All of the above-mentioned reports are specific to locations, not to the company as an entity.
My feeling is, as usual, that if there is an easy way and a hard way, we tend to take the more confusing path as an industry. I would imagine that for the next 12 months we will be explaining the differences between these standards and their applicability.