What is an SSAE Type 2 Audit, and Is It Relevant to Virtual Server Hosting?

By Lisa Gecko

When organizations are comparing virtual server hosting companies, they need to quickly assess service quality and reliability. Standards for Attestation Engagements (SSAE) No. 16 Type II is one of the most rigorous auditing standards for hosting companies. SSAE 16 is designed to provide customers with a level of assurance of corporate controls beyond previous SAS 70 Type 1 and Type 2 audit reports. The leading audit firm Deloitte & Touche LLP conducts the SSAE 16 audits. SSAE 16 Type II audits confirm the highest service level attainable for a virtual server hosting company.

SSAE is an internationally recognized standard developed by the American Institute of Certified Public Accountants (AICPA). It effectively replaces SAS 70 as the authoritative guidance for reporting on host organizations – and is a recognized mark of IT service quality. The SSAE 16 Type II compliance designates that the host delivers reliable and secure operating environments with the proper controls for conducting high-availability data center operations.

An SSAE report is produced after a redundant independent examination of internal controls and processes, and demonstrates the reliability, security and operational excellence of modular data center technology for a host’s customers. The SSAE 16 report scope focuses on performance procedures, which are likely to be relevant to its customers’ internal controls. The report is intended for use by a host’s customers and their auditors.

Strictly speaking, SSAE 16 compliance indicates that a service auditor has performed an attestation engagement to report on controls at a host, which resulted in the issuance of an SSAE 16 Type 1 or SSAE 16 Type 2 report. To learn more about SSAE 16 and the new reporting requirements, organizations can utilize SSAE 16 Readiness Assessment (http://www.ssae16.org/ssae-16-reporting/readiness-assessments-for-ssae-16.html), a proactive and useful assessment tool for better understanding the entire SSAE 16 reporting process.

SSAE 16 Type II compliance controls include facilities and asset management, logical access and access control, network and information security, computer operations, backup and recovery, change and incident management, organizational and administrative controls, security policies, reporting and monitoring, and physical and logical security.

An SSAE 16 compliant web host should offer the following features: SSL capability, enterprise-level, application-level protection, hardware firewall, IP-restricted FTP, managed backups with 14-day retention, advanced monitoring, and multi-level intrusion prevention (IPS/IDS).

SSAE 16 compliant hosting practices allow organizations to achieve compliance for more control objectives, and they help businesses do so for less money than it would take to adopt the policies, infrastructure and expertise needed to implement the same control objectives in-house. When a host provides a solid foundation built around SSAE 16 requirements, it enables a company to compete on an international level.

Outsourcing hosting infrastructure and facilities to a provider that already meets SSAE 16 regulations allows a company to focus its time, money, and manpower on its core business. By inheriting an SSAE 16 compliant host’s infrastructure, policies, proficiency and efficiency, instead of developing secure hosting policies and a network environment from scratch, companies achieve SSAE 16 compliance without the expense.