Posts Tagged 'Ssae16'

December 13, 2011

Do Your Homework!

As far back as I can remember, I hated homework. Homework was cutting into MY time as a kid, then teenager, then young adult ... and since I am still a "young adult," that's where I have to stop my list. One of the unfortunate realizations that I've come to in my "young adult" life is that homework can be a good thing. I know that sounds crazy, so I've come prepared with a couple of examples:

The Growing Small Business Example
You run a small Internet business, and you've been slowly growing over the years until suddenly you get your product/service mix just right and a wave of customers are beating down the door ... or in your case, they're beating down your website. The excitement of the surge in business is quickly replaced by panic, and you find yourself searching for cheap web servers that can be provisioned quickly. You find one that looks legit and you buy a dozen new dedicated servers and some cloud storage.

You alert your customers of the maintenance window and spend the weekend migrating your now-valuable site to the new infrastructure. On Monday, you get the new site tuned and ready, and you hit the "go" button. Your customers are back, flocking to the site again, and all is golden. As the site gains more traffic over the next couple of weeks, you start to see some network lag and some interesting issues with hardware. You see a thread or two in the social media world about your new shiny site becoming slow and cumbersome, and you look at the network graphs, where you notice there are some capacity issues with your provider.

Frustrated, you do a little "homework," and you find out that the cheap service provider you chose has a sketchy history and many complaints about the quality of their network. As a result, you go on a new search for a hosting provider with good reviews, and you have to hang another maintenance sign while you do all the hard work behind the scenes once again. Not doing your homework before making the switch in this case probably cost you a good amount of sleep, some valuable business, and the quality of service you wanted to provide your customers.

The Compliance-Focused Example
I still live, eat, and breathe compliance for SoftLayer, and we had an eye-opening experience when sorting through the many compliance differences. As you probably recall (Skinson 1634AR15), I feel like everyone should agree to an all-inclusive compliance model and stick to just that one, but that feeling hasn't caught on anywhere outside of our office.

In 2011, SoftLayer ramped up some of our compliance efforts and started planning for 2012. With all the differences in how compliance processes for things like FISMA, HIPAA, PCI Level 1 - 4, SSAE 16, SOC 1 and SOC 2 are measured, it was tough to work on one without affecting another. We were working with a few different vendors; if we flipped "Switch A," Auditor #1 was happy. When we told Auditor #2 that we flipped "Switch A," they hated it so much they almost started crying. It started to become the good ol' "our way is not just the better way, it's the only way" scenario.

So what did we do? Homework! We spent the last six months looking at all the compliances and mapping them against each other. Surprisingly enough, we started noticing a lot of similarities. From there, we started interviewing auditing and compliance firms and finally found one that was ahead of us in the similarity game and already had a matrix of similarities and best practices that affect most (if not all) of the compliances we wanted to focus on.

Not only did a little homework save us a ton of cash in the long run, it saved the small trees and bushes under the offices of our compliance department from the bodies that would inevitably crash down on them when we all scampered away from the chaos and confusion seemingly inherent in pursuing multiple different compliances at the same time.

The moral of the story: Kiddos, do your homework. It really is good for something, we promise.

-@Skinman454

July 14, 2011

Skinson 1634AR15 Compliance

Skinson's 1634AR15 Competency Controlled Certification of Compliance
New Compliance structure makes a compliance officer's life much easier.

Dallas -- In a world where auditor to auditor reports are out of control and we have a mountain of complex compliances to worry about, one competent compliancy controlled certification of compliance finally comes forth (and not a minute too soon).

"This new groundbreaking idea will change the lives of many competing auditing firms, law firms, accounting firms and so on," says Steve Kinman. "I spend countless hours reading controls for one report and different controls for another report, and the only difference is the verbiage and format."

The new Skinson 1634AR15 Certification combines your SAS70, SSAE16, ROC, VOC, SOC, NIST, SARBOX, PCI, OMB, ACART, CFDA, HIPAA and SAFE HARBOR compliance into a single report using a set framework that automorphs based upon which auditor is touching the report or viewing it in the state of the art Skinson Portal.

"The Skinson portal is mind-blowing," says Val Stinson. "The automorph feature is something straight out of the movies. It knows who is reading and can change the wording on the fly. This keeps auditors from scratching their heads when the words in the report don't match the words in their instruction book."

The introductory price for full Skinson 1634AR15 Compliance Certification is $1,000,000 USD. This is all-inclusive and will sufficiently cover all of your compliance needs.

Contact:
Steve Kinman
skinman@softlayer.com

About Skinson
Headquartered in Dallas, Texas, Skinson is a fictional company that likes to poke fun at the difficult job of compliance in the world. While we find that it can be overwhelming at times, we understand that compliance is a necessary evil. We would like to note that something like we dream about above would be very nice and would save the world a ton of work and cut down on our carbon footprint considerably. If you are in a position of control and can make the above happen please help us!!

On a side note, SoftLayer will do everything we can to help you with any compliance you need. Just ask your local sales team for help, and they will find the right person and get you in contact.

-@skinman454

P.S. The actual reason for this blog post is that we just announced that the control procedures and compliance for our 11 data centers have been verified in a Service Organization Control Report (SOC 1) prepared under the terms of the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) by independent auditing firm Weaver.

January 26, 2011

Time for an Oil Change?

<Fade In>
Man driving into Jiffy Lube, car sputtering and smoking.
Attendant: "Looks like you need an oil change buddy."
Buddy: "Yep, I think so. I was here last week and I think they used the wrong oil!"
Attendant: "Nah, we wouldn't do that. In fact we only have one kind of oil here and that's SAS 70."
Buddy: "Well, that's odd; I am told that I need SSAE 16 for mine to work right."
<Mass Confusion>

Welcome to my world! We have SAS 70 today, but soon we will have the new synthetic, non abrasive, engine-cleaning SSAE 16. Sounds fun right? I sure hope so.

Why the change? Good question. When SAS 70 first appeared in the early 90s, the world's economies weren't quite as intertwined as they are today. It was much harder to do business globally than it is now. (I think the "fad" called the internet has a little something to do with that but I could be wrong!) Now that the oceans have shrunk to a more manageable size, there is a need for the standards that companies use worldwide to match more closely. The goal of the U.S. Statement on Standards for Attestation Engagements 16 (SSAE 16) is to meet a more uniform reporting standard.

What's the difference? It's an "attestation," not an "audit." Google and thefreedictionary.com define attestation as "To affirm to be correct, true, or genuine," and audit as "an inspection, correction, and verification of business accounts." Though they are closely related, they mean different things.

What stays the same? The focus will still be on controls at service organizations when the controls are relevant to their user entities' internal control over financial reporting. (For some reason, servers tend to have quite a bit to do with that!) There will still be a Type 1 and Type 2 with similar scopes and format. The reports will look very similar, but they should be a bit more descriptive. The report will still be used in the same ways and by the same type of user.

What Changes? SSAE 16 is now an attestation and not really an audit. The service auditor will still provide an opinion but it will align itself more closely with existing international attestation standards.

  • Written Management Assertion - Management will be required to provide an assertion, to be included in the report, stating the system is fairly represented, suitably designed and implemented and the related controls were suitably designed to achieve the stated control objectives, and that the controls operated effectively throughout the period. The report will reference that management is responsible for preparing the system description, providing the stated services, specifying the control objectives, identifying the risks, selecting the criteria and designing, implementing and documenting controls that are suitably designed and operating effectively. The auditor's opinion remains in the role of providing assurance, not as the entity responsible for the communication.
  • System Description - The more inclusive description must detail the services covered, classes of transactions, events other than transactions, report preparation processes, control objectives and related controls, complementary user controls and other relevant aspects of the organization's control environment, risk assessment process, information and communication systems, control activities and monitoring controls. (I think an accountant came up with all of that!)

There are quite a few other differences but I think these are the big headliners. SoftLayer is committed to making this change and having it available for our customers that require it. Our normal SAS 70 schedule is Nov. 1 – Oct. 31 but we will be accelerating the process to have the SSAE 16 in place as soon as possible.

We are continuously looking at other compliance, reporting, audits and certifications. If you have any that would help you and your business, let us know.

-Skinman
