The growth of cloud computing and its acceptance by companies of all sizes has caused a shift in how businesses use and save their electronic files. These companies are turning over human resource files, personal health information, financial records, payroll documents, and other confidential data to third-party data centers who they entrust with storing, monitoring, and maintaining this data. Any breach of security can have critical implications for both the company who owns the data and the data center who is responsible for its protection. So, how can you ensure that you select a data center provider who has your best interest top of mind and has stringent security measures in place to protect and appropriately manage your company’s data?

In this post, we will look at SOC 2 certification to help you better understand how it is achieved and how it can benefit your business.

What is SOC 2?

The American Institute of Certified Public Accounts (AICPA) put Service Organization Controls (SOC) in place to be used by independent third-party auditors to evaluate data center providers and report on the risks associated with data management. It provides potential clients with insights into a data center’s infrastructure, technology usage, personnel, and the procedures it has in place to safeguard your data. The data center’s facility and processes are audited using strict standards to ensure they continually follow best practices and meet the highest government and industry regulations.

To meet these rigorous requirements, a SOC audit report encompasses five Trust Service Criteria which are Security, Availability, Processing Integrity, Confidentiality, and Privacy. In these descriptions, the word “entity” refers to a data center client.

• Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
• Availability: Information and systems are available for operation and use to meet the entity’s objectives.
• Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
• Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
• Privacy: Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

This set of five different criteria is demonstrated through a data center’s Policies, Communications, Procedures and Monitoring and each must be met individually to establish compliance. Since the same compliance requirements are used to evaluate all providers, you can read multiple reports and uniformly evaluate the potential providers.

Difference Between SOC 2 Type 2 and Type 1?

Data center providers can select which type of audit to perform. We have already established that SOC 2 evaluates a service provider based on their Security, Availability, Processing Integrity, Confidentiality and Privacy. The next step is to select Type 1 or Type 2.

• SOC 2 Type 1 Audit Report: A description of procedures and system controls the provider has in place which meets the SOC requirements at a specific point in time.
• SOC 2 Type 2 Audit Report: The Type 2 audit report includes the description of procedures and system controls found in a Type 1 audit report but includes a detailed assessment of the design and operating effectiveness over an extended period of time, known as its audit period – normally 6 months or longer.

How Does SOC 2 Type 2 Data Center Certification Benefit Your Business?

Receiving confirmation that the data center provider you select has been awarded SOC 2 Type 2 certification can provide you with peace of mind that they have met the highest security and protocol standards and are committed to your security, availability, and data processing needs. In addition, you can have confidence that:

• Your data center’s organizational controls and operational capabilities are designed to keep sensitive data secure over an extended period of time.
• The audit includes an onsite evaluation of the actual data center facility enabling auditors to evaluate the facility’s physical and network security in person and compare it to what they were told by the provider’s management team and staff.
• The certification process is an independent and unbiased assessment of the data center by a third-party auditor and certification is awarded solely based on meeting or exceeding a pre-defined list of industry requirements.

Not only does a SOC 2 Type 2 audit verify the data center’s compliance, but it also helps companies in regulated industries to more quickly achieve their own compliance certifications. Financial services firms, healthcare providers, law firms, banks and other businesses for whom meeting government regulations is a requirement, have a leg up in meeting their own requirements including PCI, HIPAA, Sarbanes-Oxley, and others.

MULTACOM SOC 2 Type 2 Certification

Whether you have chosen a dedicated server, a private or hybrid cloud environment, or decided that colocation is the best IT solution for your company’s needs, selecting a SOC 2 Type 2 certified data center with whom to partner will give you the confidence that they are able to design, monitor and maintain a secure network and infrastructure environment.

However, not all data centers who have received SOC 2 Type 2 certification have the same strict processes and procedures in place. It is critical to understand that when evaluating SOC 2 certified data centers, you must read and compare the certification of each company on your short list of potential providers.

For example, a review of MULTACOM’s SOC 2 Type 2 certification will demonstrate that we inspect our equipment more frequently than many other data center providers who have also received the certification. Annual, semi-annual, and monthly inspections of MULTACOM fire suppression, HVAC / dry-cooling infrastructure and UPS systems are conducted more often to ensure that we consistently deliver a 100% uptime SLA and provide the most robust data center infrastructure in which your business can thrive.

At MULTACOM, we are proud to be able to demonstrate our commitment to our clients by having been awarded SOC 2 Type 2 certification. The rigorous certification procedure was performed by independent auditor Schellman & Company, LLC. They are the only company worldwide that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, and a FedRAMP 3PAO.

A copy of our SOC 2 Type 2 audit report can be made available to you upon request. To receive a copy, please complete our online request form.