Hosting.com is in the Elite Group of CSPs with SOC 2 Reports

I have been observing the transition of SAS 70 to SOC reports over the past two years, and have noted that the same misuse that was occurring with SAS 70 reports carried forward to SOC 1 (SSAE 16) reports. I would be remiss, however, if I did not highlight cloud service providers (CSPs) that have chosen to undergo the more applicable and rigorous SOC 2 attestation engagement. Based on my observations, Hosting.com is among the Top 10% in SOC compliance rigor – not only keeping up with key details behind compliance – but actually ensuring that compliance is a part of their solutions, so their customers have less to worry about.

In the embedded webinar below, Sean Bruton of Hosting.com explains why they decided to pursue a SOC 2. Here are a few of his noteworthy quotes:

2:18 “SAS 70 has a long history of having nothing to do with IT service providers.”

4:10 “SSAE 16 retains the original purpose of SAS 70.  That is, compliance around internal controls over financial reporting.”

5:18 Gartner Weighs In – SAS 70 is useless for security

5:35 Now there are options.

6:08 “The AICPA is saying that SOC 1 is the wrong report for IT service providers to run.”

6:45 “If your service provider has passed a SOC 2 assessment; if you got a SOC 3 report, then what you have is assurance that they met a minimum standard of due diligence.”
7:30 “SOC 3 is great for marketing purposes, but get a copy of the [SOC 2] report!  The reason you do this is because at the end of the day, [without the detail a SOC 2 report provides], you have no knowledge of specifically, what controls the service provider has implemented, what is ultimately your responsibility to implement with the applications you are hosting in the cloud.”

Sean is an extremely rare individual, and I hope to be able to interview him in person very soon.  Connect with him on LinkedIn here:

10 comments:

  1. If that is the only criteria (which lacks a bit of depth), then ViaWest would be in the top 10% as well.

  2. I see that ViaWest received their SOC 2 this year (http://bit.ly/13ocJxP). Congrats to ViaWest as well. I'd love to speak with someone there.

  3. It might be better than a SOC 1, but it is still an incorrect answer to the problem.

    The biggest problem is how and why people are hiring accountants to perform security assessments? The best choice would involve a security firm using a real security framework (ISO 270xx, PCI, NIST 53-???, etc.). I don't care much for SOC 2 since it's still the accounting profession mingling in a field they shouldn't be involved with in the first place.

  4. You have a point about SOC 2's weakness. I still believe that it is a superior assurance though. SOC 2 is a period of time attestation whereas all other attestations only provide point in time assurance. You have to give it to the CPAs. They understand auditing, and what it takes to ensure that controls are operating effectively, not just that they were in place when the auditors checked. I wrote a blog post a long time ago on this topic titled "So Many Security Standards, Audits, and Certifications. Which One is Right?!"

  5. We'll agree to disagree, because any audit can be performed as a Type 1 (point in time) or as a Type 2 (effectiveness throughout a period). And I also disagree about CPAs understanding auditing. They understand auditing in their field of expertise (i.e. the production of financial statements and all financial processes surrounding it), but they're mostly clueless when it comes to auditing anything involving technology.

    Asking accountants to audit security is like going to a chiropractor for an oil change.

  6. True. Any audit can be performed as point in time, or period of time, but there is no period of time assurance offered by any other report. Just read the fine print. The auditors provide no opinion or assurance other than the day that the report was issued. See my post for an example here: http://www.riskassuranceguy.com/2012/01/proof-that-iso-27001-is-point-in-time.html

    I agree that CPAs' understanding of security subject matter limits them in their ability to perform security audits, but I am speaking of the audit process. My point is that security professionals do not understand the level of documentation that is needed to support an opinion because they've never had to defend their opinions in court. The point-in-time assurance escape hatch gets them out of having to. CPAs bring that process to the table, and we as security professionals can learn from them.
