Some vendors and their auditors appear to be misusing SSAE 16 the same as they did SAS 70. For example, today I saw an announcement from security vendor Prolexic with the headline, “Prolexic Completes SSAE 16 Examination for Distributed Denial of Service (DDoS) Attack Mitigation Services.”
SSAE 16 (aka SOC 1) like SAS 70 before it is a standard focused on financial reporting integrity — a fact that Prolexic clarifies in a note at the bottom of its press release. To the extent that Prolexic’s customers must ensure that Prolexic has adequate controls to support Sarbanes-Oxley or similar rules, then SSAE 16 is appropriate — but you have to read the press release carefully to glean that context.
However, Prolexic’s president Stuart Scholly went further and stated in the press release: “Completing these examinations assures enterprises that Prolexic has adopted relevant controls that are well designed and operating properly.”
That’s just not true.
SSAE 16, aka SOC 1, does not contain a list of control objectives. The controls to be audited are specified by the vendor and agreed upon by the auditor, and thus it is not easily comparable between vendors. And the SOC 1 report is not supposed to be shared with prospects.
So, to be clear, SSAE 16 (or SOC 1) is relevant for compliance with Sarbanes-Oxley and similar laws. It does not provide comprehensive assurance for security, availability, processing integrity, confidentiality or privacy controls. That’s the purpose of SOC 2, a companion standard to SOC 1.
SOC 2 and SOC 3, a short form of SOC 2 that can be used in marketing, do have a set of control objectives that can be objectively audited, and the results compared to other companies. INetU is an example that has used SOC 2 and SOC 3 to communicate its controls assurance. And the SOC 3 can be shared with prospects.
Now, Prolexic goes on to state that they have PCI DSS certification. Good on ‘em — PCI DSS is one of several alternatives for vendors who want to demonstrate effective controls. Other standards and certifications include ISO 27001 certification, Shared Assessments, Cloud Security Alliance, and many more.
For more on SSAE 16 (SOC 1), SOC 2, SOC 3, and alternatives see:
IT Audit Standards, Frameworks, and Guidelines for Auditees and Auditors, by Khushbu Pratap