Data Center Compliance 101: What’s What?
SAS 70, SSAE 16, SOC, HIPAA—what does it all mean? Data center compliance and security standards are important for businesses to understand when choosing an appropriate provider to house their sensitive information. To make things easy, here’s a super quick guide to common data center compliances and what they mean.
The Statements on Standards for Attestation Engagements No. 16 (SSAE 16) is the attestation standard under which a service organization's internal controls are examined and reported on. Because their outsourced services affect the operations of their clients, these organizations are subject to regulatory data center compliance audits. The resulting audit reports are generally used by the clients' own auditors, the clients' controller's office, management, regulators, and others.
SOC (Service Organization Control) reports come in three forms, each designed to give the relevant parties a detailed view into the service organization's internal controls:
- SOC 1 – The default report produced by an SSAE 16 audit. A SOC 1 report describes the internal controls over financial reporting and is classified as Type I or Type II.
- SOC 2 – Describes the controls over security, availability, processing integrity, confidentiality, or privacy, and is also classified as Type I or Type II.
- SOC 3 – The highest certification achievable. It reports on the same internal controls covered by a SOC 2 report, but is publicly available for anyone to review.
Superseded by SSAE 16, the Statement on Auditing Standards No. 70 (SAS 70) was an auditing standard developed by the AICPA, which auditors used to assess a provider's level of controls and related information. A SAS 70 data center compliance report was likewise described as Type I or Type II.
Named for the Health Insurance Portability and Accountability Act of 1996 (HIPAA), HIPAA compliant data centers are certified to provide the federally required protection for sensitive health information. Used mostly in the healthcare field, HIPAA compliant data centers are trusted with preserving the security, privacy, and availability of protected health information.
Important for credit card companies, data centers that meet the Payment Card Industry Data Security Standard (PCI DSS) are certified to host and store highly sensitive credit card data.