We’ve come a long way since the days of the SAS 70, which did little to actually test the security of a data center or managed service provider. Under a SAS 70, which was designed to test the integrity of financial reporting and not information security, an organization could make up its own set of rules to be audited against. An auditor, usually a CPA sanctioned by the American Institute of CPAs (AICPA), would "test" the client by looking for evidence that it followed each rule.
The SAS 70 is the equivalent of asking students to write their own test questions.
If the client failed their own test question, the auditor would mark them as deficient or non-compliant with that section for that testing period.
The SAS 70 was designed in a world before the Internet or widespread data communications, so in 2010, the AICPA issued two new documents governing the use of compliance engagements:
- the Statement on Standards for Attestation Engagements Number 16 (or SSAE-16); and
- the Attestation Standards Section 101 (or AT-101).
Much like the SAS 70, SSAE-16 rules are made up by the organization being tested and have no guarantee of actually protecting your data.
The SSAE-16 is for a service organization that directly handles financial transactions that affect the financial reporting of their clients, while the AT-101 is for a service organization that houses the technology systems that a client uses for financial reporting. It’s an important distinction:
If your provider doesn't handle financial transactions on your behalf, they shouldn't be using the SSAE-16 report for compliance.
Therein lies the problem with compliance programs at most data centers and managed service providers. They stick with SSAE-16 because they get to keep the same rules from their days with the SAS 70 instead of adopting the strict rules of the AT-101.
In the end, the decision on compliance comes down to one important factor: