Data Center Audit Standards 
Keyur Thakore
Audit Standards 
Reasoned Insights 
The standard logos are registered trademarks of their respective organizations.
AUDIT STANDARDS - AICPA 
AICPA SAS 70 
•The American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70 audit, often referred to as the SAS 70 audit, was first introduced in 1992.
•The SAS 70 audit is meant to measure internal controls over financial reporting.
•The SAS 70 audit has been one of the primary means used by data center operators to measure their technical processes around security and to assure businesses of their data security practices.
AICPA SAS 70 
•The SAS 70 audit, according to the AICPA, was never intended to be used by data centers to verify security. 
•The SAS 70 audit report was never intended to be a “certification”, but rather a measure of whether a data center operator adheres to the controls it has established for itself.
•The SAS 70 audit requires that the operators develop their own control framework, and then audit their security controls to report back to the customers. 
AUDIT STANDARDS - SSAE 
SSAE 16 
•In 2011, the AICPA introduced the Statements on Standards for Attestation Engagements No. 16 (SSAE 16) for reporting on controls at service organizations, including data centers.
•SSAE 16 is the next generation of AICPA auditing standards; it goes beyond SAS 70 by requiring the auditor to obtain a written report regarding the design and operating effectiveness of the controls being reviewed.
•An audit conducted under SSAE 16 results in a Service Organization Control (SOC) report.
SOC 1 Report 
•A Service Organization Control (SOC) 1 report is produced upon the completion of an SSAE 16 audit. 
•SOC 1 reports are focused on internal controls over financial reporting. 
•SOC 1 reports are restricted use reports intended only for existing customers, not prospective customers or the general public. 
•A SOC 1 report is available as a Type 1 or a Type 2 report:
A Type 1 report is the auditor’s opinion on the accuracy and completeness of management’s description of the system or service as of a specific date.
A Type 2 report audits the operating effectiveness of the controls throughout a declared time period, generally between six months and one year.
SOC 2 Report 
•A SOC 2 report is intended to provide assurance about controls related to: 
1) security, 
2) availability, 
3) processing integrity, 
4) confidentiality and 
5) privacy of a system and its information. 
•A SOC 2 report is based on pre-defined control criteria contained in the AICPA Trust Services Principles and Criteria. It therefore offers a standard benchmark by which two data center audits can be compared against the same set of criteria.
•A SOC 2 audit requires a minimum reporting period of six months, so at least six months of data must show that the company has met its control objectives.
•SOC 2 reports are seldom released publicly; they are typically distributed under an NDA to customers and prospects alike.
SOC 3 Report 
•A SOC 3 report is intended for general release and includes a summary opinion regarding the effectiveness of the controls in place at the data center or service organization. 
•A SOC 3 report provides the same level of assurance about controls over security, availability, processing integrity, confidentiality and/or privacy as a SOC 2 report; however, it does not contain the detailed description of the testing performed by the auditor.
•A SOC 3 seal is designed to be published on the service provider’s website, or in some similar fashion. It assures users that the data center meets the stringent certification demands laid out by the trust services criteria. 
AUDIT STANDARDS - PCI 
PCI DSS 
•The Payment Card Industry (PCI) Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
•The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of guidelines, intended to reduce vulnerabilities and protect cardholder data, for all entities that store, process or transmit cardholder data.
•The latest PCI Security Standards, v2.0, were published in October 2010. 
PCI DSS 
•The PCI Security Standards Council administers PCI DSS and related security standards.
•PCI DSS follows common-sense steps that mirror best security practices. There are three ongoing steps for adhering to the PCI DSS [1]:
Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data. 
Remediate — fixing vulnerabilities and not storing cardholder data unless you need it. 
Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with. 
[1] PCI DSS Quick Reference Guide.
PCI DSS Requirements
Goals, and the PCI DSS requirements under each goal:
Build and Maintain a Secure Network
•Install and maintain a firewall configuration to protect cardholder data
•Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
•Protect stored cardholder data
•Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
•Use and regularly update anti-virus software or programs
•Develop and maintain secure systems and applications
Implement Strong Access Control Measures
•Restrict access to cardholder data by business need to know
•Assign a unique ID to each person with computer access
•Restrict physical access to cardholder data
Regularly Monitor and Test Networks
•Track and monitor all access to network resources and cardholder data
•Regularly test security systems and processes
Maintain an Information Security Policy
•Maintain a policy that addresses information security for all personnel
PCI DSS 
PCI Data Security Standard (DSS) 
•The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. 
•PCI DSS covers technical and operational system components included in or connected to cardholder data. 
•The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN – the primary account number printed on the front of a payment card. 
•Merchants and any other service providers involved with payment card processing must never store sensitive authentication data after authorization. This includes sensitive data that is printed on a card, or stored on a card’s magnetic stripe or chip – and personal identification numbers entered by the cardholder. 
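The two storage rules above (protect stored PANs; never retain sensitive authentication data after authorization) are the ones most often broken by accident, through debug logs. As an added example that is not part of the slide deck, the check below scans constructed log lines for Luhn-valid PAN candidates and for sensitive-authentication-data field labels, and reports any PAN it finds masked to the first six and last four digits; the regular expressions and the list of field labels are assumptions, not anything the deck or PCI SSC publishes.

```python
import re

# Standard Luhn (mod-10) check used for payment card numbers; it filters out
# ordinary digit runs (order ids, timestamps) that merely look like a PAN.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to further digits. Limitation: two digit runs joined
# by a space can be consumed as one candidate and then fail the Luhn check.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field labels for sensitive authentication data (assumed, constructed list:
# card verification codes, PIN, magnetic-stripe track data).
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin|track[12]?)\s*[=:]", re.IGNORECASE)

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> list:
    """Return masked, Luhn-valid PAN candidates found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits

def scan_log(lines) -> list:
    """Report each line that holds a PAN or a sensitive-auth-data label."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        sad = SAD_RE.search(line) is not None
        if pans or sad:
            findings.append({"line": n, "pans": pans, "sad": sad})
    return findings

# Constructed sample log lines; 4111111111111111 is a well-known test PAN.
# Lines 1 and 3 carry digit runs that fail the Luhn check and must not fire.
SAMPLE_LOG = [
    "2024-08-15 10:01:02 INFO checkout order=2024081512345 status=ok",
    "2024-08-15 10:01:03 DEBUG auth req pan=4111111111111111 cvv=123 exp=1226",
    "2024-08-15 10:01:04 INFO settle ref=1234567890123456 amount=19.99",
    "2024-08-15 10:01:05 WARN retry card=4111 1111 1111 1111",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flags = []
        if f["pans"]:
            flags.append("PAN " + ", ".join(f["pans"]))
        if f["sad"]:
            flags.append("sensitive authentication data field")
        print(f"line {f['line']}: " + "; ".join(flags))
```

Run it over real application or web-server logs before an assessment; any hit on a host outside the declared cardholder data environment also undermines the scoping description in the Report on Compliance.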
PA-DSS 
Payment Application Data Security Standard (PA-DSS) 
•The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement. 
•Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. PCI lists validated applications on its website. 
PCI DSS Compliance Report [1]
Template information contained in a PCI DSS Report on Compliance:
1. Executive Summary (description of entity’s payment card business; high level network diagram) 
2. Description of Scope of Work and Approach Taken (description of how the assessment was made, environment, network segmentation used, details for each sample set selected and tested, wholly owned or international entities requiring compliance with PCI DSS, wireless networks or applications that could impact security of cardholder data, version of PCI DSS used to conduct the assessment) 
3. Details about Reviewed Environment (diagram of each network, description of cardholder data environment, list of all hardware and software in the CDE, service providers used, third party payment applications, individuals interviewed, documentation reviewed, details for reviews of managed service providers) 
4. Contact Information and Report Date 
5. Quarterly Scan Results (summary of four most recent ASV scan results) 
6. Findings and Observations (detailed findings on each requirement and sub-requirement, including explanations of all N/A responses and validation of all compensating controls)
[1] PCI DSS Quick Reference Guide.
Relevant Links 
•AICPA Council: http://www.aicpa.org/About/Governance/AICPACouncil/Pages/default.aspx 
•SSAE Guide: http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/SOC/PRDOVR~PC-0127910/PC-0127910.jsp 
•PCI Security Standards Council: https://www.pcisecuritystandards.org/index.php 
