Why Your Data Center Needs to be SOC 2 Type II Compliant
By: Rob Morris on July 23, 2019
When evaluating colocation providers, there are few questions more important than data center compliance standards. Data center certifications and attestations help demonstrate to potential customers that the facility is dedicated to upholding high standards of service and has the appropriate systems and controls in place to protect their valuable data.
A System and Organization Controls (SOC) report (the framework was originally named Service Organization Control, and the older name is still common) is an important data center compliance standard, but the terminology can be confusing for anyone unfamiliar with data center certifications, especially since a SOC report isn't technically a certification at all. Perhaps the most valuable type of SOC report, especially for colocation data centers, is a SOC 2 Type II.
What is SOC 2?
SOC 2 is an attestation report demonstrating that a service provider has appropriate information security policies, procedures and controls in place to protect customer data. A SOC 2 examination is technical in that it looks at security systems, but it focuses at least as much on the organizational structure that implements and manages those systems. It is designed primarily for cloud service providers and other organizations that store or process sensitive customer data in an environment where it could be handled by other organizations (such as third-party vendors) or exposed through mismanagement.
People frequently say SOC 2 "compliant" or SOC 2 "certified," but neither is accurate. A SOC 2 report is an attestation report: it contains an independent auditor's opinion on whether an organization's controls are suitably designed (and, for a Type II, operating effectively) to meet the Trust Services Criteria (TSC) published by the American Institute of Certified Public Accountants (AICPA). An organization does not have to include every TSC category in its report, since not all of them apply to every business; only the Security criteria are mandatory.
SOC 2 Trust Services Criteria
Security: Controls must be in place to guard against unauthorized access, both physical and logical. Every SOC 2 report must cover this category, which is why its criteria are also called the common criteria.
Availability: The system must have reasonable controls in place to ensure it is available for operation and use as committed in the terms of service.
Processing Integrity: System processing must be complete, valid, accurate, timely and authorized, with no errors or unauthorized processing.
Confidentiality: Information designated as confidential or proprietary must be protected according to the commitments laid out in service agreements.
Privacy: Personal information must be collected, used, retained, disclosed and disposed of in accordance with the organization's privacy notice, its service agreements and applicable privacy regulations.
SOC 2 Type I vs Type II
There are two forms of SOC 2 report. A Type I report assesses an organization's system description and the design of its controls as of a specified date. It focuses on whether the processes and procedures, as documented, are suitably designed to meet the selected TSC; it says nothing about whether those controls actually operated.
A Type II report is more thorough and far more useful to a prospective customer. Rather than taking a snapshot of control design, a SOC 2 Type II report examines how those controls operated over a review period, usually between six months and a year. The report evaluates operating effectiveness: the auditor tests whether the security controls (often first reviewed in a SOC 2 Type I report) actually worked in practice throughout the period. Any control exceptions found during testing are documented in the report, so recurring problems become visible to the reader.
A SOC 2 Type II audit is an expensive procedure, but it provides prospective customers with documented evidence of whether or not a service provider's security processes have functioned effectively over time.
SSAE 18 and SOC 2 Type II
No discussion of SOC reports is complete without a brief overview of SSAE 18. Statement on Standards for Attestation Engagements No. 18 sets the AICPA's standards for how service auditors plan, perform and report on attestation engagements, with particular attention to how a service organization manages and monitors the risks associated with subservice organizations and other third-party vendors.
SSAE 18 has a major impact on how SOC reports are prepared. Before 2011, SAS 70 audits were used to report on a service organization's internal controls. SSAE 16 replaced SAS 70 in 2011, and the SOC reporting framework was introduced alongside it; SSAE 18 superseded SSAE 16 in 2017. Although all SOC reports are now issued under SSAE 18, SOC 1 reports in particular are sometimes referred to as SSAE 18 (or, formerly, SSAE 16) reports.
SOC 1 vs SOC 2 vs SOC 3
A SOC 1 report focuses on the internal controls a service organization has in place that may be relevant to its clients' financial reporting. It is typically obtained to demonstrate that controls and procedures exist to safeguard the integrity of data that feeds a customer's financial statements, which makes it important for cloud providers and data centers whose services could affect a customer's internal control over financial reporting. Like a SOC 2 report, a SOC 1 attestation is available as a Type I or Type II report.
A SOC 3 report differs from the other two in that it attests to security controls without revealing the detailed system description, control list or test results. SOC 1 and SOC 2 reports are restricted-use documents intended for a service provider's customers and their auditors, while a SOC 3 report is a general-use report that can be published freely. It lets prospective customers review the auditor's opinion without the provider disclosing proprietary details.
SOC 2 Type II reports are among the most important compliance attestations a data center can provide for its customers. Far more useful than a checklist of standards, they provide documented, independently tested evidence that a facility not only has the appropriate security controls in place, but also has a track record of operating them effectively. While these reports are expensive and challenging to obtain, they should be considered essential for any colocation provider.
About Rob Morris
Rob Morris is the Director of Program Management and the ISMS Manager at vXchnge. Rob chairs the vXchnge Information Security Council, manages the company's compliance campaigns and serves as its customer liaison.