Data Center Audit Standards

Hosting providers are quite frequently the operators of data centers, but they are much more frequently the customers of data centers, at the cage, rack or even server level. And for customers of data centers, an understanding of not just the facility’s design and the infrastructure that went into building out that design, but also the processes that dictate a facility’s operation, is an important tool in effectively weighing data center options.

Of course, it isn’t just service providers that have specific demands around the performance, security, and other aspects of a data center’s infrastructure and operation. Industries that handle sensitive data (customer financial information, health care details, credit card data) have all created their own standards for evaluating both data centers and hosted services. And compliance with industry-specific reporting standards is generally considered shorthand for evaluating the services themselves.

We hear the health care industry’s HIPAA standard, and the credit card industry’s PCI DSS standard, referenced regularly. The Uptime Institute’s tier system is a reliable means of classifying data centers. And for many years, the American Institute of Certified Public Accountants’ Statement on Auditing Standards No. 70 (SAS 70) has been one of the primary measures by which the data center business assures its data security practices, and certainly one publicized by the individual data centers.

The problem with SAS 70 was the fact that, according to the AICPA, it was never intended to be used by data centers to verify security. It was meant to measure internal controls over financial reporting, whereas data centers have used it to measure their technical processes around security.

The Confusion Around "Certification"

One of the big problems with the SAS 70 report was the fact that while it was frequently represented, or interpreted, as a kind of "certification," it is not, in fact, a certification. More importantly, it doesn’t objectively measure anything about the level of security (or anything else) maintained at a data center.

What it does measure is whether a data center operator adheres to the controls it has established for itself. There is no minimum standard for those processes, and no benchmark for security. So, in order to glean anything from a SAS 70 audit, a customer of the data center would have to read the report themselves, and would have to know how to evaluate the quality of the processes being adhered to.

"In all of the organizations we’ve built for years, our primary auditing standards have been around SAS 70 and PCI," he says. "With the SAS 70 controls, we’ve all had to develop basically our own control framework to report on, that is unique for each of us. Everyone is still doing reasonable responsible auditing of their security controls and reporting it back to the customers. It’s just that we now have the ability to step up to a report that was designed specifically for data center and IT service providers, and has a baseline metric for achieving compliance."

The Modern AICPA Data Center Audit: SOC1, SOC2, SOC3 and SSAE16

The AICPA updated SAS 70 back in 2011 with a new set of audits and controls, including some that apply explicitly to service provider operational procedures.

SAS 70 has been replaced with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) as the new standard for auditing organizational controls. The Service Organization Control 1 (SOC 1) report is the result of an SSAE 16 audit. In the data center business now, SSAE 16 and SOC 1 are, for the purposes of data center customers, more or less synonymous. They refer to a process that, like SAS 70, validates that an organization adheres to the controls it has laid out, and, like SAS 70, is specific to financial reporting. The process is similar, with a few minor changes, and one additional step requiring management to supply more information.

To alleviate the confusion around financial reporting audits being used to audit data center processes, the AICPA also created the SOC 2 and SOC 3 reports, which, unlike the rest, use the AT101 standard, which includes a baseline set of IT security requirements called the Trust Services Principles.

SOC 2 and SOC 3 are more or less the same audit, but differ in the type of report produced. The SOC 2 report includes all the details of the systems audited, whereas the SOC 3 report is more of a generic certification (and yes, the word "certification" actually applies in this case).

Back when the new standards were introduced, Online Tech Co CEO Mark Klein wrote a pretty thorough description of SSAE 16, SOC 2 and SOC 3 for Data Center Knowledge.

Adoption of the New Data Center Audit Standards

Bruton says data center companies haven’t necessarily been quick to adapt to the new standards, with many companies likely continuing with the framework they already had in place, though he reiterates that it’s unlikely there’s any deception or data center mismanagement going on as a result.

He says the SOC 2 audit requires a minimum reporting period of six months, so becoming compliant requires at least six months of data showing the company has met its control objectives.

Other hosting providers have made the move to the new auditing standards and certification over the last year and a half.

Online Tech has also announced SOC 2 and SOC 3 compliance.

In February of 2012, managed hosting provider iNetU announced that it had completed the SOC 2 and SOC 3 audits.

Cbeyond announced compliance with the SOC 2 standard in February of 2011.

Hosting provider DBSi announced in January 2012 that its Pennsylvania data centers had completed the SOC 2 and SOC 3 audits.

How Customers Respond to Data Center Audit Info

Bruton says customers almost across the board know to look for SAS 70 or SSAE 16 audits, but most aren’t looking for all the specific details of the report, as much as they are just checking off that box.

"But when you get into the larger organizations: public companies, government and other sensitive organizations that have brought in a third party to help them assess which service providers they’re going to leverage," he says, "those are the ones that are really going to leverage going over the report with a fine-toothed comb and really making sure the way you’ve conducted your assessment is in line with their expectations."

For hosting providers placing their infrastructure inside those data centers, the latter might be true, especially if they’re attempting to serve customers with strict compliance or regulatory requirements of their own.

Posted Under: Elizabeth Potter