SOC 2 data center compliance is becoming mandatory for many facilities throughout North America, from those offering basic co-location to those offering fully managed services. It’s critically important to gain a comprehensive understanding of the following 5 important points regarding SOC 2 data center compliance, brought to you by NDB Accountants & Consultants.
1. SOC 1 vs. SOC 2. While a large number of data centers still undertake SOC 1 SSAE 16 compliance, a gradual shift is occurring whereby SOC 2 is now being required also by interested parties. Because of the large and ever-growing technology landscape within data centers, SOC 2 compliance has long been considered a natural fit for compliance purposes, and this theme seems to be taking firm root. In fact, many data centers are now opting solely for SOC 2 compliance, or at the very least, undertaking a limited scope SOC 2 assessment in accordance with their annual SOC 1 SSAE 16 reporting. Both SOC 1 and SOC 2 are beneficial for data center reporting – and they each have strong supporters – the key is adhering to client demands and overall expectations of what customers, prospects – and other intended users of the report – are seeking regarding compliance reporting.
2. The Trust Services Principles. SOC 2 data center compliance includes using the comprehensive Trust Services Principles (TSP), which consist of the following five (5) criteria-based provisions:
Security: The system is protected, both logically and physically, against unauthorized access.
Availability: The system is available for operation and use as committed or agreed to.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants.
3. Which TSPs to Utilize? A big debate for SOC 2 data center compliance is which of the actual TSPs to use. Auditors, practitioners and other interested parties all have their opinions and assumptions, which, to no surprise, often vary. The most important element to understand is that all five (5) of the TSPs have applicability when it comes to SOC 2 data center compliance, so it’s important to identify client reporting needs and how they correlate to the services a data center offers. Speak to a trusted, proven expert regarding SOC 2 data center compliance, and that’s NDB Accountants & Consultants.
4. Policies and Procedures are a Must for SOC 2 Data Center Compliance. That’s right, SOC 2 data center compliance requires a large number of documented information security and operational policies and procedures to be in place, no exceptions. To be fair, for any type of business undertaking SOC 2 compliance, policies and procedures are a big and growing component of the Trust Services Principles. The key is working with a well-qualified, PCAOB-registered CPA firm that can provide such policies and procedures, which NDB can. In fact, whether it’s SOC compliance, HIPAA, PCI DSS, or any other compliance mandate, policies and procedures are a must-have.
5. Deliverables from the Service Organization. Management of the service organization – specifically, the company undertaking SOC 2 reporting – will need to develop a written description of its “system”, along with providing the auditors with a written statement of assertion. Both the description of the “system” and the assertion can be developed with assistance from the CPA firm hired to perform the actual SOC 2 assessment.
Contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, to obtain a competitive, fixed fee for SOC 2 Type 2 compliance. NDB also offers PCI DSS services, along with HIPAA, FISMA, and many other regulatory compliance assessments. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.