When evaluating colocation providers, few questions are more important than which data center compliance standards a facility meets. Data center certifications and attestations help demonstrate to potential customers that the facility is dedicated to upholding high standards of service and has the appropriate systems and controls in place to protect their valuable data.
A Service Organization Control (SOC) report is an important data center compliance standard, but the terminology surrounding these reports can be confusing for anyone unfamiliar with data center certifications, especially since an SOC report isn’t “technically” a certification. Perhaps the most critical type of SOC report, especially for colocation data centers, is an SOC 2 Type II.
SOC 2 is an attestation report demonstrating that a service provider has the appropriate information security policies and procedures in place to protect customer data. An SOC 2 report is considered a technical audit in that it examines security systems, but it is more focused on the organizational structure that implements and manages those systems. It is designed primarily for cloud service providers or organizations that store sensitive customer data in an environment where it could potentially be handled by other organizations (such as third-party vendors) or exposed due to mismanagement.
While many people frequently refer to SOC 2 “compliant” or SOC 2 “certified,” this isn’t really an accurate description. An SOC 2 report is known as an “Attestation of Compliance.” It contains an auditor’s assessment of whether an organization’s security procedures and controls will function as intended and whether they meet specific Trust Services Criteria (TSC) set out by the Association of International Certified Professional Accountants (AICPA). An organization may not have to include every TSC in its report, since not all of them apply to every business.
There are two different forms of SOC 2 attestations. A Type I report is an assessment of an organization’s system and security controls at a particular point in time. It focuses primarily on processes and procedures as laid out in documentation and on whether they are designed appropriately to meet the intended TSC.
A Type II report is much more thorough and useful to a potential customer. Rather than taking a snapshot to assess control design, an SOC 2 Type II report examines how those controls function over a period of time, usually between six months and a year. The report provides an evaluation of operating effectiveness, examining how well the security controls put in place (and likely reviewed by an SOC 2 Type I report) actually work in practice. If there are recurring problems, this report will identify them and recommend changes.
An SOC 2 Type II audit is an expensive procedure, but it provides prospective customers with documented evidence of whether or not a service provider’s security processes have functioned effectively over time.
No mention of SOC reports would be complete without a brief overview of SSAE 18. The Statement on Standards for Attestation Engagements provides the AICPA’s guidelines for the way organizations assess, evaluate, and report on their compliance controls, with careful attention paid to how they evaluate risks associated with third-party vendors.
The provisions of SSAE 18 have a major impact on the way organizations prepare and create their SOC reports. Prior to the adoption of the first version of SSAE, SAS 70 certifications were used to report on internal risk management controls. SOC reports were introduced in 2011 and incorporated under SSAE 18 guidelines soon afterward. Although all SOC reports utilize SSAE 18 reporting standards, SOC 1 reports are sometimes referred to as SSAE 18 reports.
An SOC 1 report focuses on the internal controls a service organization has in place that may be relevant to a client’s financial reporting. SOC 1 audits are typically conducted to demonstrate that the proper controls and procedures are in place to safeguard a customer’s financial data, making them incredibly important for cloud providers and data centers, both of which process transactions. Like SOC 2 reports, SOC 1 attestations are available as a Type I or Type II report.
SOC 3 reports differ from the first two types in that they provide an attestation to security controls without revealing any specific details. SOC 1 and SOC 2 reports are intended for a service provider’s customers, while SOC 3 reports are meant for the general public. They allow prospective customers to review compliance information without revealing any proprietary information.
SOC 2 Type II reports are one of the most important compliance attestations that a data center can provide for its customers. Far more useful than a checklist of standards, they provide documented evidence that a facility not only has the appropriate security controls in place, but also that it has a track record of success. While these reports are expensive and challenging to obtain, they should be considered absolutely essential for any colocation provider.