by Tony Morgan, CEO of NationalNet
Since our first article on NationalNet’s SSAE 16 Attestation process, we’ve kept up the momentum and are now well on our way to the testing segment. We’ve not only given the auditors a list of all of our data center commitments, but we’ve gone into detail on how we control them to ensure a high quality of service is continually given to our customers.
As I explained in Part 1 of this series, we spent many weeks committing to paper all of the things that we do on behalf of our customers. Together with our contracted consultants, we wrote step-by-step documentation for everything from the process one uses to gain access to the data center all the way through the smallest details of how we evaluate our employees on an ongoing basis. These processes are also known as “controls”. Step two of the audit process is where we define how we will “test” each of those controls.
From the outside looking in, one might assume that a student writing their own final exam would have an easy time of it, but in this case, it is not easy. Because the CPA firm has its license on the line, it will not accept anything less than the best form of testing that is available. For example, as a company we choose to test our generators once per week by firing them up and running them to make sure that they respond appropriately. This is common among most data centers, but in our Attestation we stated that we also test the generators under a full load at least once per year, because we know that they can behave differently under load than they do with no load. You would be surprised at how many of our competitors choose not to do that last step. So, in our test, simply stating that we do it is not enough. We agreed to provide logs from the system showing the tests, invoices from our vendor showing the tests were performed, and the contract that we have signed with the vendor to complete this on an annual basis. In addition, if the auditor so chooses, we may be asked to actually pull up video from our security cameras around the generators showing the exact date and time that these tests were performed. This is just one of literally dozens and dozens of controls that are tested.
In addition to the obvious tests, there will be some that are not so obvious as well. For example, the auditors will be gaining access to the facility at different times throughout the audit period. Each time, they will be watching to make sure that the security policies and procedures are being followed to the letter. One of the things that we state in our Attestation is that all visitors must have their badge displayed prominently while inside the facility. We also go on to state that it is every employee’s responsibility to challenge anyone found inside the building without credentials displayed, as opposed to most facilities, where that is simply left up to the security force. The auditor may choose to simply remove their badge and walk around the halls in the secured areas to see whether employees challenge their access. Our customers need to know that when we say that we are a secure facility, it is not just lip service: we really mean it.
In the coming weeks, we will finish writing the tests of the controls and will move on to the next step, the “walk through”; call it a “pre-test” if you will. This step serves two purposes: first, it gives us a chance to see how we perform under the tests, and second, it gives the consultants a chance to make sure that the tests are solid and do not need to be tweaked prior to the audit. More on that in Part 3 of this series, coming soon.