Datacenters and SOC 1?
Should service organizations that make use of a SOC 1-compliant datacentre be SOC1 compliant? The answer is simple; if a service organization processes data with a financial impact on behalf of the customer, it should be SOC compliant. Internal controls should be implemented logical acces, security and processing of customers’ data. Examples of the types of service organizations that might need SOC examinations are :
- Document management services
- Managed service providers
- Application development services
- Order fulfillment and distribution services
- Payroll processors
- Information security management services
- Claims processors
- Internet banking providers
- Printing and mailing services companies
- Loan servicing providers
- Third-party administration services
There should be a clear understanding from the service organization that outsourcing the data hosting component of a service organization's operations does not imply less responsibility for protecting customer data. Organizations can better manage and improve their own internal security and operational controls as a consequence of outsourcing non-core processes. This is an important reason for service organizations to have a SOC 1 assurance opinion to internal controls and processes independently investigated and validated. Is your organization ready for a SOC 1 audit?
A service organization should evaluate its preparedness to undergo a SOC 1 examination by taking these steps once the need is identified:
- Determine the type and scope of a SOC 1 examination needed based on the nature of services provided to its customers.
- As part of a SOC 1 examination regulatory and compliance requirements need to be addressed and must be assessed and defined.
- As part of the SOC 1 investigation, existing policies and procedures should be validated and internal controls reviewed and updated. A service organization should work on enforcing for internal controls and structure procedures that lack written policies.
- A readiness assesment can be performed with supported by a third-party consultant or auditor. A readiness assessment will be helpful to identify issues before the ISAE 3402 | SOC 1 audit.
A service organization can begin its SOC 1 examination once internal control gaps and deficiencies are remediated and policies and procedures are written and enforced.
What a service organization does for validating internal controls in place at its mission critical suppliers such as data centers should also be included in a SOC 1 examination. The overall responsibility of protecting customer data would always remain with a service organization as mentioned before. It would require it to build a rigorous oversight function and gain clear understanding of how the data center hosting affects the security, confidentiality and availability of customer data. knowledge of nature and type of data center hosting services used is necessary to understand which data center’s internal controls and processes should be examined as part of the oversight function. Service organizations should validate that appropriate physical and environmental safeguards in place at the data center if the organization uses data center for colocation purpose.
Service organizations that use cloud services offered by a data center should also audit the operational effectiveness of controls around logical access, security monitoring, cyber threat prevention, configuration management, incident- and change management.
Are you the service organization that controls all its own data or outsourcing? Our team can help you understand the complexities of SOC 1 audits and determine which controls would need to be in place and covered by such an examination.