With the confusion regarding what audits and auditor reports apply to certain aspects of data center standards, I felt the need to create a basic data center/hosting solution audit cheat sheet to simplify matters. Here’s your comprehensive guide to data center audits and reports.
Mandated by the U.S. Health and Human Services Dept., the Health Insurance Portability and Accountability Act of 1996 specifies laws to secure protected health information (PHI), or patient health data (medical records).
When it comes to data centers, a hosting provider needs to meet HIPAA compliance in order to ensure sensitive patient information is protected.
A HIPAA audit conducted by an independent CHP (Certified HIPAA Practitioner) and CHSS (Certified HIPAA Security Specialist) can provide a documented report to prove a data center operator has the proper policies and procedures in place to provide HIPAA hosting solutions.
No other audit or report can provide evidence of full HIPAA compliance.
The Statement on Auditing Standards No. 70 was the original audit to measure a data center’s financial reporting and record keeping controls. It was developed by the AICPA (American Institute of CPAs), and there are two types:
- Type 1 – Reports on a company’s description of their operational controls
- Type 2 – Reports on an auditor’s opinion on how effective these controls are over a specified period of time (six months)
The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June 2011. An SSAE 16 audit measures the controls relevant to financial reporting. SSAE 16 itself was replaced by SSAE 18 on May 1, 2017. Read auditor David Barton of UHY’s blog post about the differences between SSAE 18 and SSAE 16 here.
- Type 1 – A data center’s description and assertion of controls, as reported by the company.
- Type 2 – Auditors test the accuracy of the controls and the implementation and effectiveness of controls over a specified period of time.
The first of three new Service Organization Controls reports developed by the AICPA, this report measures the controls of a data center as relevant to financial reporting. It is essentially the same as an SSAE 16 audit.
This report and audit is completely different from the previous one. SOC 2 measures controls specifically related to IT and data center service providers. The five controls are security, availability, processing integrity (ensuring system accuracy, completion and authorization), confidentiality and privacy. There are two types:
- Type 1 – A data center’s system and suitability of its design of controls, as reported by the company.
- Type 2 – Includes everything in Type 1, with the addition of verification of an auditor’s opinion on the operating effectiveness of the controls.
This public-facing report includes the auditor’s opinion of SOC 2 components with an additional seal of approval to be used on websites and other documents. The report is less detailed and technical than a SOC 2 report.
The Payment Card Industry Data Security Standard was created by the major credit card issuers, and applies to companies that accept, store, process and transmit credit cardholder data.
Data center operators should prove they have a PCI compliant environment with an independent audit. They should also know what services can help your company fulfill the 12 PCI requirements.