In a recent post, we discussed four ways to vet a cloud provider before trusting them with your mission-critical workloads. If you missed that post, you can access it here. One of these ways was to request a copy of their independent audit reports. (If they don’t have any, cross them off your list ASAP!)
In that post, we talked briefly about SOC 1 and 2 Type I and II, but those are far from the only reports a vendor might have. Here’s a brief summary of all of the various reports, what they mean, and why they might be relevant for you. I’ve also included a summary of SOC 1 and 2, so you have the entire list all in one place.
SSAE 18 – The SSAE standards govern how a company conducts an audit and reports on compliance controls. The SOC 1 and 2 reports are the output from these standards. Therefore, when SSAE is mentioned, it’s usually in combination with either SOC 1 or 2.
If you ever hear someone talking about an SSAE 16 audit, just be aware that the SSAE 18 standard replaced the SSAE 16 standard in 2017. It’s possible you’re talking to someone who may not realize that SSAE 16 is no longer valid. Just be sure you ask for their most recent report to ensure the provider is compliant with the most current standards.
SOC 1 – SOC 1 covers financial reporting controls, so it’s not highly relevant when it comes to data security.
SOC 2 – As outlined in our last post, SOC 2 assesses the provider’s ability to ensure the security, availability, integrity, confidentiality, and privacy of their customers’ data. This report is highly relevant to those who are concerned about security and compliance. SOC 2 is broken down into two types of reports:
Type I assesses the provider’s systems and protocols at a point in time. The auditor will come in and look at how the controls are designed and evaluate their suitability. This is a good report, but SOC 2 Type II is more informative.
Type II looks at the effectiveness of these controls by assessing them over a minimum of six months. That is, SOC 2 Type II validates not only that the controls are in place, but also that protocols are consistently followed. You can see why this might be more reassuring than the SOC 2 Type I report.
Bill 198 – Bill 198 is a Canadian law that is similar to the US’s SOC requirements. The bill requires publicly held companies to implement internal controls over financial reporting and disclosure controls and procedures. It also requires these companies to evaluate the strengths and weaknesses of these controls. If you’re a publicly held company in Canada, you will want to ask for this report. If not, the SOC 2 Type II report should suffice.
PCI DSS – This acronym stands for the Payment Card Industry Data Security Standard. This standard is intended to protect the security and integrity of transactions involving debit and credit cards and to protect the cardholder against the misuse of their personal information. There are two types of reports you might see here as well:
Report on Compliance (ROC) – The ROC is a report used by VISA to ensure that their level 1 merchants are compliant with the PCI DSS standard. This report is completed by the Qualified Security Assessor (QSA).
Attestation of Compliance (AOC) – This report is a form used by merchants and service providers to attest to the results of a PCI DSS assessment. The QSA also completes this report after performing the audit.
If you’re just doing your due diligence, either the ROC or the AOC should be fine. (You might need one or the other if you’re looking to work with a specific credit card company such as VISA/Mastercard.) Generally, we share our ROC with potential customers.
The PCI DSS report you want to watch out for is the SAQ, which is merely a Self-Assessment Questionnaire and not the result of an independent audit.
FISMA – FISMA is the Federal Information Security Management Act, which defines the framework for protecting government information, operations, and assets against natural or man-made threats. It’s probably overkill to request this report if you’re not a government entity, but if you are, you’ll need it.
HIPAA/HITECH – This audit is paramount for those in the healthcare industry as it details the provider’s adherence to HIPAA/HITECH security and privacy rules. Like many industry regulations, there is no official certification for third-party providers, but the audit report should identify any red flags.
Keep in mind that the independent audit does NOT replace a signed Business Associate Agreement (BAA). Nor does either the audit or a signed BAA absolve the healthcare provider (covered entity) of responsibility for compliance.
HITRUST – HITRUST is short for the Health Information Trust Alliance, a company governed by an executive board comprised of leaders from some of the largest healthcare organizations in the industry. HITRUST’s Common Security Framework (CSF) is a set of prescriptive controls that cover a number of industry standards including ISO/IEC 27000 and HIPAA.
In our opinion, HITRUST certification does not replace an independent HIPAA/HITECH audit, but it should give you additional confidence in the provider’s security standards. For that reason, we started offering a HITRUST report to our prospective customers last year.
ISO 27001 – This is the international standard that covers best practices for Information Security Management Systems (ISMS). Unlike many other standards, there is an official certification for ISO 27001. This certification demonstrates the provider is following industry-standard best practices for data and system security.
FERPA – FERPA is designed to safeguard the privacy of children by protecting their education records, including report cards, transcripts, disciplinary records, contact and family information, and class schedules. If you’re an educational institution (or a parent), FERPA is important to you.
GDPR – Much has been said recently about GDPR as it just went into effect in May of 2018. In short, GDPR is the EU’s Global Data Protection Regulation. It has security requirements similar to many of the US regulations, but it goes much further in terms of ensuring the privacy of EU residents. Many of the privacy elements are outside the scope of your cloud provider, but if you’re required to comply with GDPR, the security elements are definitely applicable. As almost a third of our customers do business in the EU, the GDPR audit is a standard for us.
If you have questions or comments about any of these reports, feel free to reach out to us directly or add your comments below. We’d love to hear from you.