Archive for the ‘SSAE 16 Type II’ Category

PRIMER: How are Disaster Recovery and Backups Different?

April 16th, 2013
Posted by: Donna Hemmert

So, you are working through your go-forward IT strategy and need to make sure that you have things covered should something go wrong. Pretty quickly, you notice that the terms “Backup” and “Disaster Recovery” are quite often being used interchangeably. But, the truth is, they are different. Related, yes, but different.

Backup

Backup can be defined very simply: a backup is just a copy of your files on another disk (or tape, cloud, etc.). In fact, if you copied each and every file to a DVD (and we are not sure why you would do that), that would be a backup. Having a full, up-to-date backup means that when you lose a few files, a whole drive, or more, you can copy those files back once your systems are ready to rock. But it can be a time-consuming disruption: you will likely need to set up new server(s), re-install the OS, reinstall all the applications, and so on. There are two ways to back up your systems:

  • Onsite Backup: This is when you back up locally to some kind of physical storage. These solutions are capable of imaging servers and storing data locally so you can recover from incidents.
  • Offsite Backup: This is when you back up your data to an entirely different location. This, of course, helps protect you in the case of an entire geographic location being affected by a disruption. Also, organizations often need offsite backup to be in line with compliance requirements such as those defined by Sarbanes-Oxley, HIPAA, FISMA, NASD and NYSE, etc.

Disaster Recovery

So, what is Disaster Recovery? Disaster recovery goes beyond backup. The big benefit of disaster recovery is that rather than taking what may be days or months to recover from an unplanned outage, Disaster Recovery greatly shortens that time.

With Disaster Recovery, a complete image of your disk drives and servers is mirrored. This is sometimes referred to as a “bare-metal” backup, meaning the backup isn’t just the files, but the OS and everything. For example, with AISN’s Disaster Recovery service, we replicate the “bare-metal” backup image to another geographic site so that in the event of a disaster in one geographic location, it can be restored from an entirely different geographic location. This gives you added protection, and the image(s) allow you to restore systems more quickly – there is no need to reinstall an OS and copy files. The amount of time it takes to actually continue operations after a disaster also depends on whether you choose a “Hot Site” or a “Cold Site.” So what is the difference?

  • “Hot Site”: Environments are available at a moment’s notice. So, in the case of an outage, all data processing can quickly be moved to the “Hot Site” and operations continue.
  • “Cold Site”: Critical applications are available at a secondary location, but that location is supplied as basic office space: the customer provides and installs all the equipment needed to continue operations. It is less expensive, but it will take longer for full operations to resume.

So, that’s really all there is to it from a high level. You really need to understand what your goals and objectives are. Do you need systems available in minutes or hours, or would days be just fine? Is backup enough, or do you need Disaster Recovery? And what level of Disaster Recovery do you need? There is a lot to consider, but remember, we are always here to help you think through your IT plans.

Top 10 Security Risks Found by Your Auditor

February 21st, 2013
Posted by: admin

GUEST BLOG

By Sarah Morris
KirkpatrickPrice

At KirkpatrickPrice, we strive to provide the proper assurance and resources to help our clients maintain security within their organization.  Recently, we held a client webinar focused on the “Top Ten Security Risks” that your auditor finds during your auditing process.  Below is a summary of the most common risks that we find.

1.      No Formal Policies and Procedures

Formal guidelines of policies and procedures help provide your employees with clarity of what’s expected of them.  They define the accountability for each employee and also establish necessary training. Information security policies are mandated by the FTC Safeguards Rule, PCI Data Security Standards, and the HIPAA Security Rule. This means they are mandatory.

2.      Misconfigurations

Standards need to be applied consistently. Organizations should utilize benchmark configuration standards from a recognized entity such as the Center for Internet Security (CIS), the International Organization for Standardization (ISO), the SysAdmin, Audit, Network, Security (SANS) Institute, and the National Institute of Standards and Technology (NIST).

3.      No Formal Risk Assessment

The assessment should cover the assets that are critical to your enterprise’s continued business operations in each of the following areas: hardware, software, human resources, and processes (automated or manual). Some important things to consider when thinking about risk assessment are the threats to your assets as well as the likelihood of a vulnerability being compromised. Threats can be both internal (employees, third-party contractors or partners) and external (natural events or social engineering). Developing a proper risk assessment can help to mitigate the potential risks that you face.

4.      Undefined Incident Response

It is always important to have clear instructions on reporting procedures when determining incident response. It is suggested to build a culture within your work environment that encourages reporting of all incidents the moment they present themselves.

5.      Lack of Disaster Planning

Disaster planning ensures that written plans are available for others to follow in the event that key personnel are not available. A business impact analysis can help quantify what level of redundancy is required for disaster planning. Proactive arrangements should be made to care for the staff and to communicate with third parties. Walkthroughs and training scenarios can benefit organizations so that employees are properly prepared in the event of a disaster.

6.      Lack of Testing

The concept of testing applies to all areas of your security. If your security is not tested, there is no way to determine whether or not vulnerabilities are present.

7.      Insecure Code

Secure coding is something we find lots of companies struggling with. To develop secure code, training must be implemented, along with specific development standards and quality assurance.

8.      Lack of Monitoring/Audit Trails

Log harvesting, parsing, and alerting methods must be determined in order to deal efficiently with massive event logs. The responsibility for review must be formally assigned as part of daily operations. Audit trails should be stored in such a way that system administrators cannot modify them without alerting someone with an oversight role.
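One concrete way to meet the last requirement is a tamper-evident audit trail: each stored record carries an HMAC computed over the record and the previous record’s tag, under a key held by the oversight role rather than by the administrators who write the log. The following is an added example, not code from KirkpatrickPrice or AIS Network; the key, the log records and the function names are constructed for illustration, and a real deployment would keep the key in a KMS/HSM or on a log host the administrators cannot reach.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Hypothetical key held by the oversight role, never by the administrators who
# generate the log. Constructed value for illustration only.
OVERSIGHT_KEY = b"constructed-oversight-key-for-illustration-only"

GENESIS_TAG = "0" * 64  # chain start; the first record is bound to this value

# Constructed sample events in the shape a syslog/SIEM collector might emit.
SAMPLE_RECORDS = [
    {"ts": "2013-02-21T09:00:01Z", "user": "jdoe", "action": "login", "result": "success"},
    {"ts": "2013-02-21T09:04:17Z", "user": "jdoe", "action": "read", "object": "invoice/4471"},
    {"ts": "2013-02-21T09:10:42Z", "user": "sysadmin", "action": "sudo", "cmd": "useradd auditor2"},
    {"ts": "2013-02-21T09:11:03Z", "user": "sysadmin", "action": "logout", "result": "success"},
]


def _canonical(record: dict) -> bytes:
    """Serialize a record deterministically so the tag does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag: str, record: dict, key: bytes) -> str:
    """HMAC over (previous tag || record): ties each entry to everything before it."""
    return hmac.new(key, prev_tag.encode() + _canonical(record), hashlib.sha256).hexdigest()


def append(chain: List[dict], record: dict, key: bytes = OVERSIGHT_KEY) -> List[dict]:
    """Append a record, binding it to the tag of the entry before it."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    chain.append({"record": record, "tag": _tag(prev_tag, record, key)})
    return chain


def verify(chain: List[dict], key: bytes = OVERSIGHT_KEY) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) or (False, index of the first failing entry).

    An edited record, a deleted or inserted entry, or a reordered entry changes the
    expected tag at or after the point of tampering, so the index tells the
    oversight reviewer where to look.
    """
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(chain):
        expected = _tag(prev_tag, entry["record"], key)
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def matches_anchor(chain: List[dict], anchored_tag: str) -> bool:
    """Dropping entries from the tail leaves a valid shorter chain that verify()
    cannot see. The oversight role therefore records the latest tag out of band
    (for example in its own ticketing system) and compares it on each review."""
    latest = chain[-1]["tag"] if chain else GENESIS_TAG
    return hmac.compare_digest(latest, anchored_tag)


def build_sample_chain(key: bytes = OVERSIGHT_KEY) -> List[dict]:
    chain: List[dict] = []
    for record in SAMPLE_RECORDS:
        append(chain, dict(record), key)  # copy so tampering below cannot alter the sample
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = chain[-1]["tag"]                 # what the oversight role keeps out of band
    print("intact:", verify(chain))           # (True, None)
    chain[2]["record"]["cmd"] = "ls"          # an administrator rewrites history
    print("edited entry 2:", verify(chain))   # (False, 2)
    chain = build_sample_chain()
    del chain[-1]                             # an administrator drops the last event
    print("truncated:", verify(chain), "anchor ok:", matches_anchor(chain, anchor))
```

The chain alone detects edits, deletions and insertions anywhere except at the very end, which is why the out-of-band anchor is part of the design: review consists of running verify() and then comparing the latest tag with the one the oversight role recorded at the previous review.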

9.      Data Leakage

Some questions we often forget to ask are: where is the data located, and how long should it be retained? How is encryption implemented and verified? How is access to data granted and audited? These things are all very important, and if not addressed, can keep you from complying with federal and industry standards and regulations.

10.  Lack of Training

A lack of training can prove to be a striking blow to the security of your organization. Employers should recognize the importance of properly training all employees on safety and security best practices. Standards and guidelines should be clearly set and determined in each organization. Several training opportunities are offered through KirkpatrickPrice to properly train you and your company on the basics of security awareness, awareness for managers, awareness for IT professionals, and awareness for credit card handling.

Determining your individual risks is the first step toward the mitigation process.  Maximum security of your sensitive information is KirkpatrickPrice’s number one priority.

If you’re ready to get started with your assurance process, you’ve come to the right place. We’re ready to help. Let’s work together.

Sarah Morris is a technical writer for KirkpatrickPrice, a provider of world-class audit services. Visit www.kirkpatrickprice.com.

Cloud Computing Benefits for Accounting Firms

August 19th, 2012
Posted by: Julia Uglietta


By Julia Uglietta
Associate, Marketing and Sales

Accounting firms deal with data day in and day out. The volume of numbers that go through an accounting office each day is unimaginable. The number of emails that go in and out of the offices is inundating.

It’s not only the size issue that challenges accounting offices every day. Rather, it’s also the need to work faster while remaining efficient – in addition to improving client and interoffice communications. These goals sound fairly standard for a successful business, right? But in fields such as accounting, where large amounts of data are being received and stored, achieving these goals can be onerous. The good news is, however, that new technology known as cloud computing is helping accounting firms attain these goals and save money too.

Taking business to the cloud allows accountants to work from anywhere, at any time.

Taking accounting firms to the cloud is a way to reduce costs, improve efficiency and make data more accessible. Throughout the industry, the discussion about cloud computing and how many accounting practices are moving to an outsourced cloud computing model has people thinking. Accountants can see clearly that cloud computing is moving up and moving fast. Now, more firms are looking into cloud solutions before they buy that next new server. They’re performing a cost-benefit analysis, and in the process, they’re discovering that the operational expenditure associated with implementing an outsourced model is more desirable than the large capital expenditure associated with buying and maintaining all those new servers.

Not only does migrating to a cloud-based, paperless environment cut costs for accounting firms, but it also introduces new efficiencies.  When you put your data and applications in the cloud and entrust a cloud provider to care for them round-the-clock, you’re achieving IT efficiencies such as:

  • Eliminating the need for physical storage (throw out those old filing cabinets!)
  • Upgrading to industrial strength physical security (including partial or full fault tolerance, fire protection, etc.)
  • Improving backup and disaster recovery processes
  • Enhancing data security
  • Increasing availability (through improved power redundancy,  etc.)
  • Extending IT resources with a 24x7x365 team of hosting experts

For many accounting firms, this makes the decision to switch to the cloud even easier.

The most brilliant feature of the cloud is, in my opinion, its “anywhere” accessibility – which is an aspect that most accounting firms will find appealing.  When your data and your applications are in the cloud, they are accessible via any Internet-enabled device whenever you need them and wherever you are.  It just makes life easier.  Allowing the staff to work faster (and, I might add, without necessarily increasing billable rates) allows them more time to focus on the clients’ needs.

Most customers prefer communicating with their accountant via the Internet, and in many ways, the new cloud-based dashboards, reporting applications and unified communications systems that are now available only make this easier.  By enabling better collaboration and communication among geographically diverse staff and clients, accounting firms’ processes and workflows are vastly improved and the work gets done much faster – often with greatly reduced travel costs.

Life in the cloud has changed many industries’ ways of operating.  Slowly but surely, accounting firms will ease into cloud computing and reap benefits that were previously unachievable any other way.

AISN’s Redundant Power and Connectivity Protect Customers From Power Outages in Aftermath of Massive DC Storm

June 30th, 2012
Posted by: admin

By Jay Atkinson
AIS Network CEO

Unplanned outages are costly. Redundant power and connectivity are critical values that managed hosting providers offer.

Can the AIS Network data center reliably maintain data availability when a massive storm hits?  Yes!

Last night, the Washington, DC, metropolitan area suffered a massive, highly destructive storm replete with high winds, thunder, lightning and heavy rains.  This afternoon, more than 1.3 million households and businesses across the area are still without power.  In fact, power company officials are predicting a “multi-day outage.”  All this bad news comes in the middle of a heat wave when weather forecasters are calling for dangerous heat levels and still more storms.  We sympathize with those who are still without power and who have suffered property loss.

Last night’s storm, which crippled many businesses with a primary utility power outage, underscores why it’s tremendously advantageous to host your mission critical data in an SSAE 16 Type II-compliant data center.  Outages are costly.  Customers don’t really care if there was a storm, an earthquake, a rolling blackout or some other issue responsible for an outage.  They  simply expect perfect availability of and connectivity to their data, and that is understandable.

Reliable, redundant power and redundant IP connectivity are two of the most important safeguards that a managed hosting provider can offer its customers, especially when a natural disaster strikes.  Yet, what many hosting providers offer falls short of that.  AIS Network’s Tier III data center in Virginia came through with flying colors and kept our customers’ data up and running.  No hiccups, just solid availability.

Choosing to move your mission critical applications and data from an on-premise hosted environment to a fully managed hosted environment within a secure data center definitely makes good economic sense but it’s also a decision that provides for more reliable protection against power and Internet connection outages.  That’s a critical value proposition.

Managed hosting support systems must be predictably available, and system availability is only as predictable as the availability of power to those systems.  When you host your data in AISN’s data center, you are choosing to add a level of built-in redundancy for failover protection during common and extreme conditions.  AISN facilities are designed for redundancy and high availability of power to our clients’ critical server systems, and high density Internet connections.  Clearly, to build this sort of environment for your data on-premise would be cost-prohibitive.

Some data centers promise redundant/backup systems, but nonetheless, it’s still very important for a prospective customer to confirm precisely what that promise entails. In some cases, a physical inspection may be necessary or advisable. If you’d like to learn more about AISN’s data centers or take a technical tour, please contact us.

HIPAA-Compliant Cloud: Why Health Care CIOs Are Moving Toward Cloud Computing for EMRs

May 21st, 2012
Posted by: admin

By Desaray Granzow
AIS Network, Director of Sales

Cloud computing (or shared computing resources) is becoming more and more attractive to the CIOs of health care organizations. Why?

Health care providers need to keep track of digital copies of paperwork for each patient — such as the patient’s history, digital copies of diagnostic tests and the patient’s insurance record.  These are called electronic medical records (EMRs); you may also sometimes hear them referred to as electronic health care records (EHRs).

Health care CIOs are moving toward HIPAA-compliant cloud hosting because it provides numerous advantages.

Health care providers that store EMRs on-premise (meaning in the office) continually have to buy more server space to make room for all of the files that they must store. Cloud computing, offered through cloud hosting providers, allows these health care businesses to delegate the task of storing EMRs and other files to a team of cloud hosting experts.  For their cloud hosting service, the providers pay only a predictable monthly fee.  It then becomes so much more economical than paying thousands of dollars a year to continually purchase, install, patch and maintain servers and storage space themselves. Best of all, the superior uptime and 100% availability offered by the best hosting providers, like AISN, ensures that the network is always up.

For health care CIOs considering cloud computing/ cloud hosting, here are some of the advantages:

Cloud hosting helps reduce staffing needs. Hospitals and physician practices that switch to cloud computing no longer need to hire additional staff to manage computerized patient records.  The cloud provider takes care of this.  This saves health care organizations money; in addition, understaffed service centers will have one less item to worry about.

Cloud hosting provides better disaster recovery. If a health care organization loses records in a fire, earthquake or other disaster, it’s easy to retrieve and rebuild records stored in the cloud.  Rebuilding from physical copies stored on-premise may not be possible.

Cloud storage provides better security. Cloud computing providers located within the United States must be HIPAA compliant if they want to serve the health care industry.  That means they must follow HIPAA directives for electronic file storage, so doctors never have to worry about patient information being compromised. In the end, storing EMRs on an external server, rather than in the office, adds a level of security because visitors to the office won’t have ready access to files that belong to somebody else.

Cloud computing makes it easier to collaborate. Some medical schools are turning to cloud computing systems to allow students to work together more easily on class assignments. Similarly, hospitals and physician practices can elect to share EMRs with specialists or consultants.  Allowing health care providers the opportunity to collaborate with one another more easily serves to improve patient care.

Cloud computing is a viable and effective alternative for meeting health care EMR storage and collaboration needs.  Movement toward cloud computing has been slow but steady among health care CIOs.  Some CIOs worry about privacy concerns; however, if a cloud hosting provider is located within the United States and has a clear privacy policy written into its Service Level Agreement (SLA), health care organizations can use cloud computing without fear of violating HIPAA regulations.

Bottom line, the upside to cloud computing for health care providers is tremendous. The cost reduction, increased compliance and increased protection of patient privacy all let health care providers focus on their core business – providing the best medical care possible for every patient.

Why Is Compliance in the Cloud Important?

May 7th, 2012
Posted by: Donna Hemmert

GUEST BLOG

By Joseph Kirkpatrick
Managing Partner, KirkpatrickPrice

The world’s digital infrastructure is a constantly growing industry.  This is why the use of data centers has become exceedingly popular.  What is the scary thing about collecting and storing highly sensitive information?  The risk of a security breach.

When a company utilizes a data center, such as for cloud computing and hosting, it’s important that they are aware of the security of their organization’s data, especially because data centers oftentimes outsource to other vendors. What does this mean to you? It means those vendors may also have access to your data. This is why cloud hosting providers must be in compliance with all applicable privacy laws when it comes to keeping data secure during the collection, storage and use of your sensitive information.

How is compliance measured? Compliance is measured by how well organizations meet the data security standards and regulations that are meant to help you keep your information confidential and secure. The use of data centers is very resourceful as long as you’re sure your service provider is complying with these industry-accepted security standards and regulations. Some of the companies that comply with SSAE 16, PCI Data Security Standards, and Trust Services Principles and Criteria have already taken these steps and have been audited by third parties, such as Certified Public Accountants (CPAs) and Qualified Security Assessors (QSAs).

So, what steps should you be taking?  Start taking your organization’s security into consideration and ensure compliance in the cloud.

Top 6 Benefits of AIS Network’s Managed Private Cloud

May 3rd, 2012
Posted by: admin

By Jay Atkinson
AIS Network CEO

You want to spend more of your IT dollar on the innovation that your customers expect.  So in order for you to focus on your business, the ratio of what you build out “new” versus what you spend time maintaining and running has to improve measurably.  Plus, you want maximum control over your IT environment with the least hit to your organization’s bottom line.

You’re sure you get every bit of that and more by moving from a traditional deployment to AIS Network’s Managed Private Cloud architecture.  But, how do you persuade the C-Suite to let go of the current environment?

What are the six most compelling benefits for AISN’s Managed Private Cloud?

  1. Security. Industrial strength security and integrity of data are paramount.  AISN’s Managed Private Cloud offers the benefits of cloud technology, but keeps all your data on hardware dedicated to and controlled by you.  Under the umbrella of a security framework that you define, you can best address your customers’ security needs and meet the most stringent of compliance requirements – a big enhancement, when compared with open, more heterogeneous systems.
  2. Compliance. Stringent compliance is a priority.  A key component of any high-level compliance program such as SOX, PCI, HIPAA/HITECH or FISMA is the ability to segregate your data from others’.  With AISN’s Managed Private Cloud, you control your own SAN, which eliminates the possibility of database cross-pollination.  For PCI-compliant solutions, we can easily provide you with your own dedicated firewall.  AISN is SSAE 16 Type II-compliant and our methods are explicitly documented and verified by an independent auditor.
  3. Scalability. Managing growth confidently is critical.  As the pure IT content of your business grows, so does the ability to have a flexible – and essentially infinite – expandable computing base.  With an AISN Managed Private Cloud, you don’t have to purchase and maintain additional hardware.  We manage the technology so that you can focus on business strategy.
  4. Cost. Saving money is smart business.  Deploying an enterprise-scale system in AISN’s Managed Private Cloud can cost significantly less than others would charge you to implement the same system in a public cloud or a hybrid cloud.  And, as you grow, you get the benefits of economies of scale, meaning your per virtual machine cost decreases.
  5. Performance. Speed matters.  Since you’re in your own AISN Managed Private Cloud, you don’t have to share resources with other customers or worry whether another customer’s application failure will impact you. Faster response times and a healthier infrastructure are a good thing.
  6. High Availability. 100% uptime rocks.  AISN’s Managed Private Clouds have both physical and virtual redundancy built in to ensure High Availability.  Our SSAE 16 Type II-certified data centers safeguard your data against natural and man-made disasters, including physical security breaches.  Our rock-solid Service Level Agreement guarantees it.

AISN’s Managed Private Cloud positions you at a competitive advantage by accomplishing your business need to go FASTER – confidently.   For more details, get in touch with us.  We’d love to help.  (Jay Atkinson, jay.atkinson@aisn.net).

Does Third Party Hosting for SharePoint 2010 Make Sense?

April 13th, 2012
Posted by: admin

By Jay Atkinson
AIS Network CEO

“To cloud or not to cloud?” is rapidly emerging as the technical question of the decade.

Industry analyst Gartner, Inc., expects 43 percent of companies to have most of their IT efforts running in the cloud in as little as four years. Due to that expected boom in cloud adoption, Gartner ranks cloud computing as the No. 1 tech priority for chief information officers.

Should you host your SharePoint 2010 in the cloud?

Placing a mission-critical platform into the hands of an independent, third-party hosting services provider can uniquely position that organization to combine some of the best elements of on-premise hosting and Office 365 delivery. For many organizations, SharePoint is mission critical and the decision to shift from on-premise hosting to third-party hosting is not entered into lightly.  However, the benefits of doing so are increasingly appealing.  In comparison to on-premise hosting, third-party hosting offers superior flexibility, greater reliability and a better value.

Why a better value?  Ultimately, if an organization were to attempt to replicate the hosting infrastructure built by a third-party provider, it would become abundantly clear to that organization that outsourcing to a third party provides a much better value.  It is usually cheaper for an organization to host SharePoint on-premise – unless they want to do it right.  Replicating an on-site infrastructure that equals the performance, reliability, scalability, security and compliance environment that “comes standard” with a solid, Microsoft hosting partner’s services would be cost prohibitive.

Here, it is also important to note that for public companies or others that are audited, Sarbanes-Oxley (SOX) also drives the case for outsourced hosting.  SOX identified the Type II SAS 70 report (today’s equivalent is SSAE 16 Type II) as the only acceptable method for a third party to assure a service organization’s controls.  Many reputable hosting companies are SSAE 16 Type II-audited, which means the audit of the hosting company can be incorporated into the audit of the public company.  Relying on the audit performed on a third-party hosting company, at the hosting company’s cost, may be much more cost-effective than ensuring your own facilities and processes are SSAE 16-compliant.

Hosted SharePoint Specialists

Organizations contemplating a SharePoint deployment should recognize that there are application hosting providers, and then there are a handful of hosting providers that specialize in hosting SharePoint.  Many have Microsoft and additional compliance certifications, and that enhanced capability and level of service may be imperative to an organization requiring customized SharePoint hosting configurations, Microsoft-certified talent, and top-grade security and disaster compliance.

The hosting provider’s infrastructure is supported by many clients, thus enabling it to deliver a broad range of services at a substantially lower price (than managing identical services on-premise).

For the customer, there is little upfront capital expense and the monthly payments to the hosting company are predictable operational expenses.  The IT staff is freed up from spending precious resources and time on designing its own hosting solution architecture.  Stressing about managing backups, software licenses, hardware/software upgrades, and patching schedules is all in the hands of seasoned hosting experts who monitor the customer’s SharePoint solution in a disaster-resistant data center.

In addition to cloud hosting services, there are two general types of SharePoint hosting that a third-party provider may offer:

Shared hosting. An organization’s applications and data are deployed on a server that is shared by several other organizations.

Dedicated hosting. An organization either deploys its own servers or the hosting provider deploys servers dedicated for exclusive use by that organization.  Dedicated hosting may be provided by either dedicated physical servers or dedicated virtual servers.

Benefits and Drawbacks of Third-Party Hosting

A SharePoint hosting provider frees up an organization’s entire IT staff to focus on tasks that will help grow their business.  In their Service Level Agreements, most top-tier hosting providers offer disaster-resistant data centers, temperature and access controls, 24x7x365 monitoring and response, excellent connectivity, reliable uptime and availability, managed hardware/software upgrades and maintenance, routine backups and fail-over capability in the event of disaster.

The best providers develop a solid, personalized relationship with each customer, listening carefully to their needs and integrating their team of experts into the organization’s IT staff.

Benefits include the following:

Customization. The hosting provider is capable of configuring highly complex SharePoint installations.

Low upfront costs. Capital outlays are minimized. Outsourced hosting becomes an operational expense.  The hosting provider typically buys and manages the servers and provides the licenses.

Staff. Highly trained hosting experts strive to integrate seamlessly with an organization’s team, thus helping to strengthen the relationship through personalized service.

Security. An organization’s servers are typically highly secured, backed up and sitting in a disaster-resistant data center.  Many providers have SSAE 16 Type II designations as well as other compliance certifications.

Scalable. Spikes in traffic can be sustained without the accompanying worry that the organization’s network will crash.

Drawbacks include the following:

Portability. SharePoint hosting is complex, and organizations must enter into long-term contractual commitments with their hosting provider.  Switching providers in mid-contract, or reverting back to self-hosting, is not easy and the process of migrating data to a new hosting arrangement can be onerous.

Slower deployments. Deploying the physical infrastructure is managed and thus not as turn-key as cloud-based hosting.

Change management. Changes – either hardware or software – to the SharePoint configuration may require the hosting provider’s review and approval, so organizations must plan in advance.

Flexibility. While third-party hosting may not recreate the level of flexibility associated with on-premise hosting, in most cases, the degree to which an organization loses out on flexibility and control is less than the degree by which it will save on capital outlays.

Just as with on-premise hosting, there is a large emphasis on customization and flexibility in the world of third-party hosting providers.  An organization will have full access to its own SharePoint environment – the way it should be – and any kind of software application that complements its SharePoint (customer relationship management software, data mining programs, etc.) can be integrated.

Have more questions about hosting SharePoint in the cloud?  Download the “To Cloud or Not to Cloud” whitepaper and/or speak with someone in our office.

SSAE 16 Type II Compliance: The New High Bar for Hosting

November 1st, 2011
Posted by: admin

What does it mean to be SSAE 16 Type II-compliant?

By Jay Atkinson
AIS Network CEO

Goodbye, SAS 70.  Hello, SSAE 16.

SSAE 16?  That’s somewhat new terminology among hosting providers and their customers and investors.  SSAE 16 certification has officially replaced the SAS 70 certification process.

This week, AIS Network announces its favorable completion of the SSAE 16 Type II audit, which was conducted by the independent auditing firm, KirkpatrickPrice, LLC.  AISN is now “SSAE 16 Type II compliant.”

So, of what significance to hosting customers is the switch from SAS 70 to SSAE 16?  And, why now?

SAS 70:  A Brief History

For almost 20 years, hosting customers who were required to comply with stringent regulatory or auditing standards actively sought out hosting services providers that had completed SAS 70 (more formally known as the U.S. Statement on Auditing Standards No. 70) infrastructure and internal control examinations by independent auditors.

Until mid-June, SAS 70 was the leading standard for assurance reports for hosting providers and other service organizations.  Customers and investors relied upon independent auditors’ SAS 70 reports to understand what internal controls a hosting provider used and gain confidence that the hosting provider was implementing those controls properly.

But while a SAS 70 auditing report was helpful in providing transparency to customers or investors who needed certain assurances about a hosting provider’s internal controls, the audit itself lacked consistency with international standards.  Moreover, there was no standard or set of criteria for hosting companies to use in defining their internal controls for the purpose of the SAS 70 audit.

SSAE 16:  Setting the Bar Higher

This spring, a new standard took effect for U.S.-based colocation, cloud, managed hosting and other services providers — the Statement on Standards for Attestation Engagements No. 16, the SSAE 16.

Created by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), the SSAE 16 replaces the SAS 70 for periods ending after June 15, 2011.

Why a new standard? Largely, SSAE 16 reflects AICPA’s efforts to converge the U.S. auditing standard with the international standard (not merely regional or national standards), and in the process, set a higher bar by refining the procedures for auditing a service provider’s internal controls.

SSAE 16 mirrors more closely the international audit standard, the International Auditing and Assurance Standards Board's (IAASB) International Standard on Assurance Engagements 3402 (ISAE 3402). It also levels the playing field for companies by adding a new attestation standard and two more Service Organization Control (SOC) reports, all of which allow independent auditors to audit service providers more consistently – and with a standard set of criteria. For more details, see AICPA's discussion of SSAE 16 audits.

As with the SAS 70 audit reports, the SSAE 16 audit reports come in two flavors: Type I and Type II. According to the standards put forth by AICPA, Type I reports document the independent auditors' opinion regarding the design of controls as of a set date. Type II reports go further; they include the Type I criteria and also audit the operating effectiveness of the controls over a minimum six-month period. AISN, for example, has an SSAE 16 Type II report because it provides the highest level of assurance.

So what’s new about the SSAE 16? Like the SAS 70, SSAE 16 still reports on controls related to security, availability, confidentiality, processing integrity and privacy.  However, the primary difference between SAS 70 and the SSAE 16 is that SSAE 16 includes a new attest standard (not a new audit standard), which requires the auditor to include in its report the hosting company management’s written description (“attestation”) of the design and operating effectiveness of the internal controls to be audited and the suitable criteria used for its assessment.  A similar requirement is made of any subservice organization (for example, a data center) involved in the audit.

How will SSAE 16 impact the hosting industry? Most top-tier hosting providers have already implemented internal controls around security, availability, confidentiality, processing integrity and privacy.  They have also likely gone through the SAS 70 auditing process more than a few times.  For them, transitioning to the higher SSAE 16 standard will be painless.  However, the transition may prove more challenging for competitors that may have set less stringent controls during previous SAS 70 audits.

What does this mean for customers or investors with Sarbanes-Oxley Act (SOX) requirements? In a word, accountability. The fact that a hosting company's management must now make certain written attestations about its internal controls – and then include those in the independent auditors' report – further underscores that it must take full responsibility for the controls in operation.

In this way, SSAE 16 is better aligned with SOX, which primarily impacts publicly traded companies and those who service them.  SOX mandates that a publicly traded company’s management team be held accountable for the veracity and completeness of its financial report attestations.  To achieve this, the company must have quality internal controls in place.

By using an SSAE 16-compliant hosting provider, the company is assured that the hosting company, which is more than likely hosting its mission-critical data, also maintains the same level of accountability. The independent auditor's SSAE 16 report essentially saves the SOX-affected customer the trouble of auditing the hosting company's critical internal controls for SOX compliance.

What is the future of SSAE 16? We at AISN applaud the transition from SAS 70 to SSAE 16.  It represents a more meaningful audit standard that:

  • achieves parity with international standards and helps us better meet our international customers’ needs,
  • enhances our ability to provide customers with assurances about our internal controls, and
  • sets the bar higher for accountability and professionalism within our industry.

Be sure to check out AISN’s SSAE 16 Type II certification statement.  If you have any questions, we’d love to hear from you.  Contact us!
