SSAE-16 and ISAE-3402: Beyond the Acronyms
SSAE-16 (Statement on Standards for Attestation Engagements No. 16) is the standard for reporting on controls at a service organisation, established by the American Institute of Certified Public Accountants. ISAE-3402 is the International Standard on Assurance Engagements for assurance reports on controls at a service organisation, issued by the International Auditing and Assurance Standards Board. SSAE is essentially a US auditing standard, whereas ISAE is an international one.
In SaaSplaza’s most recent audit of its Control Objectives, covering January 1, 2017 through December 31, 2017, the physical and logical security of servers, system uptime, backup consistency, and the knowledge and backgrounds of our staff were audited. The resulting documentation is available to SaaSplaza Partners and Customers upon request. The report shows that SaaSplaza passed the standards, thereby earning its dual report and making SaaSplaza one of the only Cloud providers in the world to have completed both the ISAE-3402 and SSAE-16 Standards.
These reports replace the SAS 70 reports, but, as with SAS 70, there are Type I reports (which establish the controls) and Type II reports (which establish the controls and detail the testing of those controls over a six-month period). SaaSplaza’s ISAE-3402 and SSAE-16 audits are both Type II.
NOTE: ISO standards do not replace, and are not the equivalent of, Type II ISAE or SSAE standards. The main difference is that the ISO “family” of standards requires neither testing nor disclosure, whereas testing and disclosure are fundamental to Type II ISAE and SSAE standards.
So what comprises the Control Objectives detailed in the ISAE/SSAE reports? What do they cover?
In essence, everything related to data security and service/system availability.
SSAE-16 & ISAE-3402 Control Objectives
Fourteen Control Objectives were investigated, comprising 33 controls in total, to address the security and availability of the network architecture, the physical security of the solution and data centers, the logical security of the overall environment, and the reliability and integrity of the personnel involved.
Most of the controls fall into three major categories:
- Controls to Prevent Disclosure of Data
- Controls to Prevent Unavailability of Services
- Controls to Provide Error Recovery
NOTE: The SSAE and ISAE reports are dynamic documents that respond to a dynamic market. Controls can, and usually do, change annually, based on evolving needs in the market, security trends and developments, user requests and more.
Controls to Prevent Disclosure of Data
Within this category, the Control Objectives cover all possible ways data could be disclosed: a failure in configuration, a personnel issue, physical access to servers or facilities, administrative access to systems, and loss of, or access to, data during physical and logical (network traffic) transport. Each Control Objective comprises various controls that are tested repeatedly. For example, there are six Control Objectives to prevent disclosure of data. In the first alone (Control Objective 1: Prevent disclosure of data caused by failures in configuration and handling of data), six separate controls are tested.
Controls to Prevent Unavailability of Services
Within these blocks of Control Objectives, controls addressing software malfunctions, preventive monitoring, and lack of capacity were tested in detail. Fifteen separate controls were tested in this category.
Controls to Provide Error Recovery
This group of controls relates to backups (daily of both physical and logical disks), hardware availability, repair/replacement times, incident management and response times, and other critical issues that could impact both data and systems recovery in the event of an emergency.
ISAE/SSAE auditing is our choice, but security is a job for ALL
These audits are done annually, proactively, and at SaaSplaza’s expense. Why would a company submit itself to such rigorous investigation? The answer is easy: for you. We know that a prime concern many have regarding the Cloud is security. With these audits, we are taking the necessary step to prove that SaaSplaza and the services we provide treat security as an essential issue.
Yes, putting data in the cloud is a potentially risky proposition, and this may hold many enterprises back from fully embracing cloud — especially public cloud services such as Microsoft Azure. But we believe, and many of our Partners and Customers tell us, that SaaSplaza stays up to date with the latest security measures and controls more rigorously than they do.
However, security is not 100% in our hands—it’s in your hands, too. Keeping antivirus and malware definitions up to date, making proper staffing choices, ensuring passwords are changed often, and maintaining current and correct permissions are entirely up to you. We can ensure the security and availability of the back end, but the front end will always be the ultimate responsibility of our Partners and their Customers.
When it comes to security, we’re always happy to provide recommendations and assistance. For more information, or to obtain a copy of the audit report, please contact us.