Compliance for Colocation Services & Data Centers

Colocation services and data centers have become a popular option for companies with midsize IT needs because it allows the company’s IT staff to focus on the actual work being done, instead of the infrastructure needed to support the system. The increased outsourcing of IT infrastructure has escalated the need for colocation and data centers to obtain a third-party assurance over the controls for security, privacy and regulatory compliance.

In the latter half of 2011 when the AICPA released its Service Organization Controls reporting structure, some believed that the new SOC 2® concept would play a prominent role in reporting the controls for data centers. In part this belief was because the new SOC 2® concept provided guidance to service organizations that wanted to provide their customers with assurance about controls that did not affect their customers’ internal controls over financial reporting. Some people in the compliance industry made the argument that internal controls of data centers had no relevance to internal controls over the financial reporting of another company. A detailed review of the standards reveals that this argument is lacking authoritative support; the AICPA’s SOC 1® directly contradicts this argument when it provides examples of valid candidates, such as Internet service providers, web hosting providers and application service provider (including those that provide services similar to traditional mainframe data center service bureaus).

Bottom line is if your colocation or data center performs outsourced services that are relevant to internal controls over the financial reporting of another company; your organization should be examined under the SSAE 18 standard for SOC 1®. ‘Services that are relevant to internal controls over financial reporting’ can range from providing access controls over financial data to recording or manipulating financial data for the user organization. In the remote situation where your colocation or data center is performing outsourced services that are not relevant to internal controls over the financial reporting of your customers, the logical choice for your attestation would be the SOC 2® standard.

Colocation and Data Center’s SOC 1® attestation involves the following critical areas:

  1. Control Environment: the organizational level controls also known as “tone at the top” which consists of management’s oversight and internal operational level controls.
  2. Physical Security: the protection of information systems as it relates to third party data.
  3. Environmental Security: the protection of information systems and data from environmental threats.
  4. Network Support: the network services are designed and monitored to ensure network availability.

Colocation and data centers not involved in internal controls over the financial reporting for their customers can meet their customers’ compliance requirements by obtaining a SOC 2® service auditor’s report.

Colocation and Data Center’s SOC 2® attestation involves the following critical areas:

  1. Security: the system is protected against unauthorized access (both physical and logical).
  2. Availability: the system is available for operation and use as committed or agreed.
  3. Processing Integrity: system processing is complete, accurate, timely and authorized.
  4. Confidentiality: information designated as confidential is protected as committed or agreed.
  5. Privacy: personal information is collected, used, retained, disclosed and destroyed in conformity with commitments in the organization’s privacy notice and with criteria set forth in generally accepted privacy principle issued by the AICPA and CICA.

The scope of the SOC 1® and SOC 2® attestations are determined by the colocation and data center. Accordingly, a well scoped attestation can clearly demonstrate your organization’s quality of service and ensure that sufficient information is provided to your user organizations to communicate your stringent controls over physical security, environmental security, authorized access and continuous availability of services.

Compliance Process

We tailor every attestation engagement to our client’s requirements. However, we have a fundamental four phase process that normally meets our clients’ needs and creates an efficient, unobtrusive attestation engagement that enables you to focus on your business while we focus on your compliance.

Scope (Phase 1): Not every SOC 1<sup>®</sup> and/or SOC 2<sup>®</sup> attestation engagement have the same requirements. Each company can vary depending on the type of services they perform for their customers. We have years of experience working with just about every industry and work with our clients to ensure that we cover the appropriate scope to ensure your customers’ needs are satisfied. While the scoping phase of our attestation is normally covered during our initial quoting process, we offer a formal meeting with our clients to ensure we have a mutual understanding of the attestation goals.
<p> <h2 style="display:inline;">Plan</h2> (Phase 2): We offer two options for the planning phase of your attestation engagement:</p><!-- [et_pb_line_break_holder] --><ol><!-- [et_pb_line_break_holder] --> <li>We provide our in-house developed questionnaires and request list that are based on industry leading compliance frameworks such as CobiT, ISO 27000, PCI and HIPAA. Customers benefit from this approach by getting to work at their own pace with just a deadline in mind.</li><!-- [et_pb_line_break_holder] --> <li>The other option is an onsite visit to perform walkthroughs of the relevant service offerings. We then customize our attestation plan and deliver a detailed document request list to prepare our clients for phase three (fieldwork).</li><!-- [et_pb_line_break_holder] --> </ol>
Fieldwork (Phase 3): Our auditors have a minimum of five years of experience with the Big 4 global CPA firms, large consulting firms and smaller boutique firms that specialize in SOC 1<sup>®</sup> and/or SOC 2<sup>®</sup> attestations. Due to this, we are efficient and understand what is required for each attestation.
<p> <h2 style="display:inline">Report & Market</h2> (Phase 4): Your SOC 1<sup>®</sup> and/or SOC 2<sup>®</sup> service auditor’s report is essentially the product for which you pay. We provide well defined and quality written reports that focus on providing your customers with everything they need from a third-party assurance perspective. We take pride in delivering professional quality reports in a timely manner; we stand behind everything we issue. Publicizing or marketing your service auditor’s report is the opportunity for your attestation to pay for itself. A major benefit from completing the SOC 1<sup>®</sup> and/or SOC 2<sup>®</sup> attestation is the tangible return on investment that is created from having your company examined under the SSAE 18 standard for SOC 1<sup>®</sup> and/or SOC 2<sup>®</sup>. We provide customized press release information and a SOC for Service Organizations logo to place on your web site, all included in our fixed fee pricing.</p>

Project Timeline: Four Phase Attestation

For More Information Speak to a Service Auditor at Roosa CPA, LLC (877) 410-8516

Back to Industries