Editor’s note: Security is a major consideration during the software evaluation and purchasing process, especially for SaaS/cloud-based solutions. In this post, Neil Davies, LeveragePoint’s Vice President of Engineering, provides a history on security standards, details on SOC reports, and guidance on what you should look for when making a SaaS/cloud-based software decision.
I see many standards for security, including SAS 70, SSAE 16, and SOC 1, 2 & 3. I am confused; please explain the differences.
First, a quick history lesson. SAS 70 is an auditing standard from the AICPA. It is a report on the internal controls of a service organization and has been around since the early 1990s. Roll into the 2000s, Enron happens, and Sarbanes-Oxley thrusts this little-known standard to the fore by making a Type II SAS 70 the de facto standard for assurance of a service provider’s controls. This presented a few problems, as SAS 70 was never really designed for this. It was designed to audit controls, not to comment upon a system’s security fitness. A SAS 70 report could in theory be written so as to cover only the controls that the service provider knew it could meet. So in 2011, the AICPA published new standards to replace SAS 70 and overcome its flaws. SSAE 16 was born, and from the outset it was designed to attest to a system’s fitness for a particular purpose.
What Are SOC 1, 2, and 3 Reports, and What Are the Differences Between Type I and Type II Reports?
There are three flavors of SSAE 16, known as SOC 1, 2 and 3.
- SOC 1 is primarily designed to review financial reporting systems.
- SOC 2 covers operational control systems following predefined Trust Services Principles and Criteria around security, availability, processing integrity, privacy and confidentiality.
- A SOC 3 report is for general use, and provides a level of certification for service providers, assuring their customers of facility security, high availability and processing integrity.
Note that a SOC 3 report provides only the system description and the auditor’s opinion, whereas a SOC 2 report includes the service auditor’s testing and results and is therefore a confidential report.
A Type I report focuses on the auditor’s opinion of the accuracy and completeness of the service organization’s design of controls, system and service. A Type II report includes the Type I information plus an audit of the effectiveness of those controls over a certain time period, normally between six months and a year.
When Choosing Cloud-based Software, What Type of Report Is Best?
Well, that depends. If the software affects your financial statements, then SOC 1 Type II is your report. For other software vendors, a SOC 2 Type II report gives you detailed information on their relevant controls and how well these controls are executed. As such, a vendor that offers a SOC 2 Type II report should be sought.
What’s LeveragePoint’s View?
Customer data in LeveragePoint is important information on how your product differs from your competitors’, with key insights into your competitors and customers. Keeping this data confidential and secure is paramount. At LeveragePoint we have been publishing a SOC 2 report since 2011, as it best fits the needs of our customers, who require assurance that LeveragePoint’s system and controls meet industry-standard criteria for security and confidentiality. A copy of our SOC 2 Type II report is available to all our subscription customers.
About the Author
Neil Davies is VP, Engineering at LeveragePoint. Previously, he was an Engineering Manager at Monitor Group and Logica CMG in London. He is the architect of the LeveragePoint platform, and a passionate advocate of Cloud Computing, Semantic Technologies and open-source projects. Mr. Davies holds a BS in Computer Science from the University of Nottingham.