What does that mean for service providers and their customers?
SAS 70 is the long-time audit standard that has been a “must” for service providers (data center operators, cloud providers, etc.) who have a need to test and validate their security controls. A SAS 70 compliancy rating has been the gold standard for data center users to gain assurance that their data center is secure and operating under proper control systems.
A SAS 70 audit verifies that the “defined” controls and processes that a service provider has implemented are followed. Note that I said the defined controls because a service provider with weak controls and processes can claim the same level of audit compliance as a service provider with strong controls and systems. So with a SAS 70 audit, one must thoroughly read through the details within the audit report to understand the level of controls and processes being used and audited.
Now, if you believe that you’ve mastered SAS 70 audits, I’m sorry to say that it has been superseded by the Statement on Standards for Attestation Engagements 16 (SSAE 16). The good news is the information required to complete the SSAE 16 is not totally different from SAS 70 because the latter was the base from which SSAE 16 was built.
What is different?
The main difference between SAS 70 and SSAE 16 is the depth of information the service provider will now have to provide, including (among other things):
- A management attestation of their overall service offering and underlying control structure
- Verification that appropriate criteria are used for system evaluation
- Evidence for every control during each assessment, rather than reusing prior evidence
The main reason SSAE 16 requires management attestation of its control structure is because SSAE 16 is an attest standard rather than an audit standard. Instead of only the auditors opining on the controls within the service provider, its management is included in the assessment. The idea is that the attestation process will hold management accountable with their statements on their company’s service delivery system, controls and control objectives. What’s more, SSAE 16 prohibits the use of prior evidence established in previous audits. By comparison, SAS 70 allows auditors to use evidence gathered in prior audits, which saved some companies a lot of time, but didn’t account for changes that could have impacted a data center’s security posture.
What Remains the Same?
SSAE 16, just like SAS 70, does not dictate the controls that must be covered by the assessment. It is for the service provider to decide which controls are essential to the services provided. The service provider must understand what industry control best practices are as well as what their customers’ auditors would consider to be essential controls to support the services being offered when determining the scope of the assessment.
From a provider’s perspective, a potential starting point for defining the scope of a SSAE 16 assessment would be to begin with their service contracts. The contractual obligations around the offered services would help draw the boundaries that define the systems and the controls that support the offering(s).
An SSAE 16 assessment should fulfill the requirements of a service provider’s clients, including publicly-traded clients, and it can save service providers time and resources in supporting a customer’s audit request. SSAE 16 is an assessment a service provider completes only one time–providing the same assessment report to any customer’s auditor who requests it.
For more information on SSAE 16, you can visit:
SSAE16.com – http://www.ssae-16.com/