What is SOC 2?
Making it Make Sense for Everyone
SAS 70 is now SSAE 16
In April 2010, the AICPA (American Institute of Certified Public Accountants) announced the end of SAS 70 and replacement of SAS 70 with a standard based on international standards in mind, as well as AICPA standards, the “Statement on Standards for Attestation Engagements” or SSAE 16.
So an SSAE 16 audit can now report in three standards and two types: SOC 1, 2 and 3, Type I and Type II
Further, SSAE 16 report is sometimes referred to as SOC 1.
Why is SOC 2 better for your data than SOC 1?
- SOC 1 (SSAE 16) reports on an organization’s financial reports standards.
- SOC 2 report was designed for technology companies that like to keep their security private and includes auditor testing and results and requires a signed NDA (Non-Disclosure Agreement) to view the results.
- SOC 3 is for public use and provides a system description and the auditor’s opinion and is designed more for marketing.
- SOC 1: Internal Controls over Financial Reporting (ICFR).
- SOC 2: Controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, or privacy.
Type I report focuses on the system design of an organization’s controls.
Type II report focuses on the operating effectiveness of an organization’s controls and includes all of Type I (the auditor verifies that the reported controls work as stated).
The importance of a SOC 2 Type II Data Center
A SOC 2 Data Center can provide you with a feeling of trust knowing that your data is protected by a facility, a group of employees and a company that adheres to a standard of excellence.
Trust Services Principles of a SOC 2 facility
The system is protected against unauthorized access (both physical and logical).
The system is available for operation and use as committed or agreed.
- Processing Integrity
System processing is complete, accurate, timely, and authorized.
- The Confidentiality
Information designated as confidential is protected as committed or agree.
- The Privacy of Personal Information
The service organization collects, uses, retains, discloses, and disposes of for user entities.
- Compliance Reports on request with NDA (Non Disclosure Agreement).