Time to Stop Misusing SSAE 16 in Vendor Marketing

by French Caldwell  |  October 9, 2012  |  5 Comments

Some vendors and their auditors appear to be misusing SSAE 16 the same as they did SAS 70. For example, today I saw an announcement from security vendor Prolexic with the headline, “Prolexic Completes SSAE 16 Examination for Distributed Denial of Service (DDoS) Attack Mitigation Services.”

SSAE 16 (aka SOC 1), like SAS 70 before it, is a standard focused on financial reporting integrity — a fact that Prolexic clarifies in a note at the bottom of its press release. To the extent that Prolexic’s customers must ensure that Prolexic has adequate controls to support Sarbanes-Oxley or similar rules, SSAE 16 is appropriate — but you have to read the press release carefully to glean that context.

However, Prolexic’s president Stuart Scholly went further and stated in the press release: “Completing these examinations assures enterprises that Prolexic has adopted relevant controls that are well designed and operating properly.”

That’s just not true.

SSAE 16, aka SOC 1, does not contain a list of control objectives. The controls to be audited are specified by the vendor and agreed upon by the auditor, so the results are not easily comparable between vendors. And the SOC 1 report is not supposed to be shared with prospects.

So, to be clear, SSAE 16 (or SOC 1) is relevant for compliance with Sarbanes-Oxley and similar laws. It does not provide comprehensive assurance for security, availability, processing integrity, confidentiality or privacy controls. That’s the purpose of SOC 2, a companion standard to SOC 1.

SOC 2 and SOC 3 (a short form of SOC 2 that can be used in marketing) do have a set of control objectives that can be objectively audited, with the results comparable to those of other companies. INetU is an example of a vendor that has used SOC 2 and SOC 3 to communicate its controls assurance. And the SOC 3 report can be shared with prospects.

Now, Prolexic goes on to state that they have PCI DSS certification. Good on ‘em — PCI DSS is one of several alternatives for vendors who want to demonstrate effective controls. Other standards and certifications include ISO 27001 certification, Shared Assessments, Cloud Security Alliance, and many more.

For more on SSAE 16 (SOC 1), SOC 2, SOC 3, and alternatives see:

Cloud Security and Risk Standards, by Jay Heiser and Rob McMillan

IT Audit Standards, Frameworks, and Guidelines for Auditees and Auditors, by Khushbu Pratap

SAS 70 Is Gone, So What Are the Alternatives?, by French Caldwell


5 responses so far

  • 1 Jon Long, The Risk Assurance Guy   October 9, 2012 at 3:39 pm

    Thank you for speaking out on this topic Mr. Caldwell. I hope that the market hears you very soon. I will be doing my part to make that happen.

  • 2 George Bishop, CPA, CISA   October 9, 2012 at 5:16 pm

    Well stated. As a provider of SOC 1, 2, and 3 examinations (and SAS 70s, WebTrusts, and SysTrusts before that), I am often frustrated by their misuse beyond the purposes intended – especially among some CPAs. I believe SOC 2 provides a great opportunity for qualified practitioners (those with both attestation examination experience and skills in IT audit and control relevant to the scope of the examination) to provide independent assurance and useful, detailed reporting about risk areas that users of service organizations have been seeking for some time. The more user organizations that have some understanding of these exams and insist on quality reporting from their service organizations, the more consistent utility and value they will provide.

  • 3 Anton Chuvakin   October 10, 2012 at 1:58 pm

    >goes on to state that they have PCI DSS certification

    Actually, that one is more likely to be iffy as well as PCI DSS assessment is meant for payment providers, not security providers. I bet their RoC has plenty of N/As. Like, most of them? :-(

  • 4 Daniel Golding   October 12, 2012 at 4:58 pm

    PCI DSS is not meant for payment providers only – this is incorrect. There are numerous service providers, including datacenters with PCI DSS – see the VISA list of global service providers.

  • 5 Jon Dee   October 14, 2012 at 4:40 am

    A very useful discussion, guys.
    Anything that increases the understanding of standards by those that are potentially seeking to rely on this assurance is very welcome.
    I suspect that ISAE 3402 is also being used for marketing in a similar way.
    Best wishes
    Jon