Datacenter Process Compliance: The SOC 1 – SSAE 16 Type 2 Audit
In 2014, the company behind Cloud My Office, Flashpoint Informatics, Inc., embarked on an external audit in order to certify our datacenter processes. Since our datacenter, which is located in State College, Pennsylvania, is privately owned and operated, it’s important to our clients that we have third-party verification of our processes. We chose to engage a respected outside CPA firm, the Moore Group, to complete the audit. Our SOC 1 SSAE 16 Type 2 audit included verification of our processes related to backups, disaster recovery, HR, virus scanning, software programming and more.
SOC stands for Service Organization Controls. The audit’s intention is to verify that we have established controls in order to accomplish the goals we’ve published to our customers. As a refresher, some of those goals are:
- Securely storing customer information, and allowing access only to parties designated by the customer
- Verifying that only approved personnel within our organization can access secured information, and that an audit trail exists when such data is accessed
- Ensuring that we have backup procedures in place that provide a minimum of 30 days of recoverability for files and emails
- Inspection of failover procedures for bandwidth providers, firewalls, routers, backup power and more
- Visual inspection of the datacenter space including backup generators and fiber paths to and from the facility
- Reviewing other procedures that relate to certifications such as PCI compliance and HIPAA compliance
THE AUDIT PROCESS
The audit is a significant undertaking for any organization, and includes several steps:
- Cloud My Office management produces a list of controls that we have implemented and are being tested at our organization. In our case, these controls covered everything from the HR policies for the team that manages your virtual desktops, redundancy of systems related to accessing the virtual desktop and Exchange systems, file server backups and recovery, and custom software design processes.
- Cloud My Office then provides the third-party auditor with dates and examples of the testing that we have performed against our procedures. The auditor verifies these examples and reports independently.
- The auditor performs an on-site visit in order to verify controls contained in the audit checklist, and to interview staff relative to the HR and software design portions of the audit.
- The third-party auditing organization provides an opinion letter describing their view on how our controls and procedures are implemented.
AUDITED EXCHANGE HOSTING
Cloud My Office offers a full range of compliant hosting services, including Exchange hosting. We offer a compliant email encryption service to ensure that organizations requiring HIPAA compliance are able to meet legal and legislative requirements, as well as the needs of their customers. Our Exchange hosting system is redundant, and offers access via mobile device, web mail, and Microsoft Outlook. We even offer the ability to remotely wipe a mobile device if it is lost or stolen.
Having completed a SOC 1 SSAE 16 – Type 2 audit with no issues found, our hosting is now verified as compliant with industry best practices. A full copy of the audit report is available upon request. Please contact us today for more information about our compliant desktop hosting packages for businesses of all sizes!