by Tony Morgan, CEO of NationalNet
Over the next 8 months NationalNet will be undergoing an extensive audit known in the industry as SSAE 16 (formerly known as SAS 70 Type II Certification). This article is the first in a series explaining the audit, what we are actually doing, and keeping you updated on our progress. I chose to write this article myself as it is an important part of the growth of our company and we take these milestones very seriously. I will try to keep it light by being informative without boring you to death with all of the geek-speak. As always, if you have any questions, comments, or concerns feel free to address them to me, directly, at email@example.com
Let’s start with the basics, shall we…
What is SSAE 16? Well, since you asked, get ready for this… it is a “Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization”. Wasn’t that a mouthful? While that may seem like a long name that really means nothing, pay close attention to the last 7 words, “Reporting on Controls at a Service Organization”. At our core, NationalNet is a service organization, and one of the things that you pay us for is to have controls (or systems) in place to handle any eventuality. This audit is really nothing more than a Certified Public Accountant (CPA) coming into our facility, “testing” these controls, and certifying that we have them and that we follow them. The controls cover everything from the physical security of the Data Center, to the logical security of the network, to the training of our employees, to the inner workings of our Customer Portal, MyNatNet.
Why would NationalNet want to be SSAE 16 Certified? Many customers, before choosing a hosting/colocation provider, take the opportunity to visit the facility, talk with key people, and get a warm feeling about the provider and the level of service they can expect from it. In many other cases, however, the decision may be made at the Home Office in Grand Rapids, Michigan (to quote David Letterman). Having this certification allows us to send documentation to the Home Office (in Grand Rapids, Michigan) that shows the controls and that a licensed, outside party has certified that the systems were in place and functioning during the audit period. In addition, many Government Agencies, Fortune 500 Companies, and Foreign Governments require the certification before they will do business with a data center at any level.
So, what was SAS 70 then, and did it go away? First developed in 1992, the Statement on Auditing Standards No. 70 (SAS 70) has been the undisputed leader in testing the security and controls of a data center, giving clients some level of assurance that those controls are in place. After nearly 20 years, however, this system has become dated and inadequate for the next generation of data centers that are dotting the landscape in today’s market. The AICPA (American Institute of Certified Public Accountants) has mandated that all SAS 70 Certifications cease on June 15, 2011 and be upgraded to the newer SSAE 16. In a nutshell, it’s time to retire the old Cathode Ray Tube (CRT) and upgrade to the 24″ HD flat screen monitor.
What is the first step to achieving SSAE 16? This is the hard part for us. Deep down in our hearts, we know that we do everything necessary to guarantee our customers’ satisfaction every single day… but now we have to write it down… in detail… lots and lots of detail. You may think it sounds easy, but I assure you it is not. Let me use this example: if I asked you to write down IN DETAIL how a human walks one step, you would think it should be easy. Did you know that the human body uses over 200 muscles to walk a single step? Now think of having to write a procedure for each and every muscle, in detail, noting every move and every signal from the brain. Finished? Not yet, my friend. Now write, in detail, what each of those 200 muscles, plus another 300 muscles, has to do in the case that you trip over the curb. Now you are starting to get the idea. My team and I spent the first quarter of this year in meeting after meeting committing what NationalNet does every day to paper, and we are almost done with this step of the process.
What’s next? In our next article we will begin getting into the actual controls and the testing of those controls.