Most hosting customers are interested in the NetSource SSAE16 audits. NetSource has just started their SSAE16, SOC1, and SOC2 audits for 2015. This will be the sixth annual audit. Since NetSource has just started the audit, customers want to know more about it.
First, a little history and definition. Customers want a way to judge whether their data center is reliable, secure, and exercises best practices. The hosting industry looked around for a standard and chose the SAS70 standard. Data centers and customers quickly found the SAS70 standard to be lacking; it was developed years before hosting became critical for business and it didn’t fit well for hosting. So, the SSAE16 standard took its place. SSAE16 was developed to work better for data centers and to better align with the needs of data center customers. Since SSAE16, new standards called SOC1 and SOC2 were introduced. SOC1 is basically the same standard as SSAE16.
What is SSAE16 and SOC1? As mentioned above, they are the same standard. These standards require that data centers define policies and procedures for operations. Then, the audit verifies that the data center conforms to their own policies and procedures. The NetSource data center was originally built to the ANSI 942 standard. So, the NetSource procedures conform closely to the ANSI 942 standard and other best practices in the hosting industry, including reliability and security standards, such as PCI-DSS, for example. NetSource takes a diligent approach to defining its procedures and then those procedures are verified by the SSAE16/SOC1 audit.
Some might see a flaw in the SSAE16/SOC1 approach. What would prevent a data center from specifying very lax procedures and then passing an audit? Nothing! An auditor is confined to verifying only those procedures specified by the data center. There are two things a customer can do to protect themselves from this flaw or a disreputable data center. First, they can request the audit report for the SSAE16/SOC1 audit and check out the procedures the data center uses for themselves. This is usually done under a non-disclosure agreement. Never host in a data center that will not share their SSAE16 report! Second, they can verify that the data center has a SOC2 audit.
What is SOC2? SOC2 goes a step further and provides specific standards and best practices that a data center must follow for reliability and security procedures. A SOC2 audit will verify that the data center conforms to those reliability and security standards. Choose a data center that has a SOC2 audit. A customer may also request the SOC2 audit report for review.
Anyone can see how important these standards are. They verify that data centers conform to best practices and no one has to take the data center’s word for it. A third-party audit provides an independent assessment.
The NetSource audit has started for 2015. It will be complete, with the annual report ready, by the end of July. In the meantime, get the current SSAE16/SOC1/SOC audit reports. A customer only needs to sign a non-disclosure agreement since these documents contain detailed procedural information about the operations at NetSource.
The NetSource audit covers all aspects of the data center operations including management practices, human resource procedures, technical procedures, maintenance procedures, reliability maintenance, and security maintenance. It includes procedures for regular maintenance of all systems including power, environmental, networking, monitoring, business continuity, services, and more. It also covers all locations: the Naperville location, the Chicago location, both data rooms in Naperville, and the office areas. It covers colocation hosting, dedicated server hosting, managed services, disaster recovery services, security services, and cloud hosting services – basically everything.
With annual audits, conducted at NetSource by an independent third-party auditor, a customer can be sure of the highest levels of reliable and secure operation.