SSAE16 Data Center (the new SAS70)

SSAE16 Data Center (the new SAS70)

The SSAE16 standard is a recent evolvement of SAS70, which intends to align US companies with ISAE 3402 the international standard. This process is designed to help in guaranteeing a higher level of security and reliability in hosting the type of sensitive eCommerce operations for the clients of Nexcess.

Where did SSAE16 Come From?

In technical terms, SSAE16 data center examinations were first introduced by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) as a replacement to SAS70 (or Statement on Auditing Standards No. 70). SSAE16 (or the Statement on Standards for Attestation Engagements No. 16), on a broader scale, was created with the intention of bringing the United States up to code with the International Standards for Assurance Engagements No. 3402 (ISAE3402). AICPA describes SSAE16, as they did SAS70 in years previous to 2010, as "the primary standard for reporting on controls at service organizations."

Why do Standards Like SSAE16, SAS70, and ISAE3402 Matter?

Conducting examinations such as SSAE16 on data center operations simply assures that the facility's operators are meeting a certain level of standards with regard to the suitability, design and effectiveness of their controls. The definition of SSAE16's mention of "controls" is intended to include nearly everything that touches a data center's hosting products. Specifically, it is defined as: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. Firstly, this is intended to increase consumer confidenceby assuring that the AICPA's high standards are being met in all of the above aspects of operation via the SSAE16 examination. Secondly, for many organizations, such as those that are publicly traded, or those in industries such as medical and payroll processing, SSAE16 compliance is likely to be a legal requirement when obtaining services from any outsourced providers.

Have Nexcess' Data Centers Undergone the SSAE16 Audit?

Yes, we completed our Type II SSAE16 audit on 1/31/2012 which covered an official review period of August 1, 2011 to January 31, 2012. We will continue to have SSAE16 Type II examinations on an annual basis to verify our compliance with the standard.

For more information on the SSAE16 standard, you may visit the official SSAE16 website.