Like SAS 70 Type 1 and Type 2, SSAE 16 data center compliance was created by the AICPA. Also like SAS 70 Type 1 and Type 2, SSAE 16 is the standard by which data centers are measured. The SSAE 16, a report issued by external compliance auditors of third-party service providers (in our case, data center hosts), lays out the must-haves for a facility to be considered a standard-level data center.
The main difference between SAS 70 reports and SSAE 16 reports (more accurately called audits) is that SSAE 16 audits require the management team of the data center under audit to provide the auditor with a written description of their facility and how it operates. This written report includes details on facility controls, system design, the operating effectiveness of standard procedures, and so on.
Beyond the actual report, which has to be issued by an independent CPA, SSAE 16 specifies what a data center offering colocation and web hosting services must have in place to meet the SSAE 16 standard.
SSAE 16 Data Center Compliance
For SSAE 16 data center compliance, the facility in question must have the following characteristics:
- Safe Grounds: All DCs deemed SSAE 16 Type II data centers must be built on the premise of keeping the public at bay. That is, SSAE 16 data centers must have closed-gate policies, walls and gates to keep unwanted members of the public off the grounds, barriers to protect the building against ramming, and other security measures.
- Internal Security: Another characteristic of an SSAE 16 data center is internal security: a round-the-clock security staff, working security cameras throughout the facility, bulletproof glass within the facility, and forced-entry-resistant doors.
- Visitor Policy: Visitors to an SSAE 16 compliant data center are tracked and logged in the system at all times. That is, all visitors must sign in to the facility, must be escorted around the facility by a registered tenant, and must, at all times, have their visitor badge available for inspection while in the DC.
- Data Deletion: When it comes to protecting private data, data destruction is paramount within the walls of an SSAE 16 compliant facility. All paper documents that are thrown away must be shredded, and once shredded, the material should be properly moved off site. When the process is complete, a time-stamped ledger entry bearing the signature of the employee who carried out the destruction must be created and stored.
Please note: If you search long enough on the Internet you can find articles arguing that SSAE 16 data centers and SAS 70 Type 1 or Type 2 data centers simply aren't needed. While we could get into a long argument here about how wrong that sentiment is, we will simply say this: when you are entrusting your critical business applications to a data center provider, it's better to invest in a board-certified data center than a rundown facility. Put it this way: you wouldn't go to a doctor who never got certified by the American Medical Association.
All this said, before you invest your money in a hosting firm, do your research on the data center facility it operates out of.