Five SSAE 16 Myths Pertaining to Data Centers

SSAE 16 regulations, though not mandatory, have become very popular with both data centers and their clients in recent times, thanks to a slew of legislation such as the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). These laws mandate that service organizations maintain effective internal control over their information technology and related processes. The SSAE 16 standard assures clients that a strong control system is in place at the data center by disclosing the systems in place to meet security and privacy obligations.

However, there are differences in how a company sees these systems and how they implement them. Here are five myths regarding SSAE 16:

Myth #1: SSAE 16 compliance means control.

SSAE 16 standards do not recommend any specific methods, nor do they dictate how you achieve control. Compliance is flexible and adaptable. Rather than imposing rigid policies to follow, SSAE 16 is a standard of how well the company has documented its existing processes and controls.

Myth #2: SSAE 16 regulations simply verify the systems the data center has in place.

While the first myth suggests that SSAE 16 attestation standards place rigid controls on a data center, the second myth says that SSAE 16 fosters a free-for-all environment by lending credibility to whatever security measures the data center chooses to implement.

The SOC 2 set of standards, which applies to data centers, incorporates the five trust principles:

  • Security: The physical and logical protections in place at the data center to prevent unauthorized access
  • Availability: The extent to which the servers are available versus the time committed or agreed
  • Processing Integrity: An evaluation of whether system processing is complete, accurate, timely and authorized
  • Confidentiality: The systems and processes in place to protect and classify information, as agreed or advertised
  • Privacy: Systems and procedures related to the collection, use, retention and transfer of personal information

The audit assesses the extent to which the data center has systems and procedures in place to meet these principles. Only the method of achieving them remains flexible.

Myth #3: SSAE 16 standards are all-pervasive.

SSAE 16 standards pertain to internal controls, not product evaluations. Many data centers assume that their application software complies with these standards as well. Although application software developers may have made their software compliant with SSAE 16 standards, data centers make this assumption at their own peril. The auditor’s review of the data center covers only the internal control procedures in place; it excludes the workings of the software used to enforce those controls.

Myth #4: SSAE 16 attestation is valid for one year.

An SSAE 16 audit report is valid for one year from the date of issue. However, this does not necessarily mean that the data center complies with the attestation for the whole year. SSAE 16 reports hold true only at the time of issue, and the data center is free to change its systems and procedures at any time thereafter. When controls change after the audit report is issued, the report may either understate or overstate the ground reality, regardless of the one-year time limit.

Myth #5: Compliance entails costs without providing any value in return.

Audits may be costly, but SSAE 16, and specifically the SOC 2 data center standards, offers something tangible in return that more than makes up for the investment. The five trust principles framework offers an excellent platform for testing and validating critical areas of a data center’s daily operational practices. Data centers that model their security on the five trust principles will be in good shape to meet most compliance and security requirements. This isn’t even counting the credibility that the attestation lends to the data center.

If you’re looking for a compliant data center, look no further than Lifeline Data Centers. We keep up to date with compliance issues and regulations so you don’t have to. Contact us today for more information.

Alex Carroll

Managing Member at Lifeline Data Centers
Alex, co-owner, is responsible for all real estate, construction and mission critical facilities: hardened buildings, power systems, cooling systems, fire suppression, and environmentals. Alex also manages relationships with the telecommunications providers and has an extensive background in IT infrastructure support, database administration and software design and development. Alex architected Lifeline’s proprietary GRCA system and is hands-on every day in the data center.