In the embedded webinar below, Sean Bruton of Hosting.com explains why they decided to pursue a SOC 2. Here are a few of his noteworthy quotes:
4:10 “SSAE 16 retains the original purpose of SAS 70. That is, compliance around internal controls over financial reporting.”
5:18 Gartner Weighs In – SAS 70 is useless for security
5:35 Now there are options.
6:08 “The AICPA is saying that SOC 1 is the wrong report for IT service providers to run.”
6:45 “If your service provider has passed a SOC 2 assessment; if you got a SOC 3 report, then what you have is assurance that they met a minimum standard of due diligence.”
7:30 “SOC 3 is great for marketing purposes, but get a copy of the [SOC 2] report! The reason you do this is because at the end of the day, [without the detail a SOC 2 report provides], you have no knowledge of specifically, what controls the service provider has implemented, what is ultimately your responsibility to implement with the applications you are hosting in the cloud.”
Sean is an extremely rare individual, and I hope to be able to interview him in person very soon. Connect with him on LinkedIn here: