In Part 1 of this post, I discussed standards and regulations in general and some basic compliance concepts. In Part 2, I explore some current standards and regulations and their relevance.
What Happened to SAS70?
SAS 70 is no more. You can take a look here to read all about how and why that happened. (I assure you it is riveting 😉 ) Suffice it to say the original standard had become rather stretched and bogged down, so it has been retired and replaced by a suite of standards under the banner of SSAE 16 SOC reports.
Let’s talk about SOCs
SOC (Service Organization Control) reports have replaced the venerable SAS 70. The SOC reports are standards set by the American Institute of Certified Public Accountants (AICPA) and they pertain to service provider organizations.
There are three kinds of SOC report (1, 2, and 3), and each kind has two types, Type-1 and Type-2. A Type-1 report is what is known as a “point in time” report, which basically states that the company has the proper controls in place. A Type-2 report states that you have been living by those controls for at least six months. So the soonest a Type-2 report can be issued is six months after a Type-1.
SOC 1: In the words of the AICPA, the SOC 1 is “To give the auditor of a user entity’s financial statements information about controls at a service organization that may be relevant to a user entity’s internal control over financial reporting.”
So, the SOC 1 is all about a company’s financials. It is not a report on the entity’s service.
The SOC 1 is also sometimes referred to as simply “SSAE 16”. When a CPA or compliance-y type of person says just “SSAE 16”, they almost always mean a SOC 1 report.
SOC 2: Once again in the words of the AICPA, a SOC 2 report is “To give management of a service organization, user entities and others a report about controls at a service organization relevant to the security, availability or processing integrity of the service organization’s system, or the confidentiality and privacy of the data processed by that system.” This is the standard most people really need their service provider to report on at a minimum.
SOC 3: The AICPA states the SOC 3 is “To give users and interested parties a report about controls at the service organization related to security, availability, processing integrity, confidentiality or privacy. SOC 3 reports are a short-form report (i.e., no description of tests of controls and results) and may be used in a service organization’s marketing efforts.” This one kind of looks like a certification. The problem with it is that it is a short form and doesn’t list specific controls. It is more of a marketing tool than a compliance tool.
PCI
PCI is the Payment Card Industry standard. PCI applies to you if you deal with “Cardholder Information” as defined by the PCI Security Standards Council.
PCI is often known as one of the more (if not the most) rigorous standards not in the federal domain. PCI, unlike many other standards, calls for specifics such as password length, key length and encryption algorithms, as well as for quarterly penetration tests by an Accredited Scanning Vendor (ASV).
Sumo Logic is in the process of acquiring a PCI Level-1 Service Provider certification.
HIPAA
The Health Insurance Portability and Accountability Act is enforced by the US Department of Health and Human Services Office for Civil Rights. This regulation deals with the use, storage, and transfer of Protected Health Information, and is a Federal law. Entities covered by HIPAA who are not compliant risk serious legal consequences.
There is no specific certificate or attestation for HIPAA compliance, although some CPA firms will draft a custom attestation to satisfy an unbroken chain of paperwork.
If a service provider adheres strictly to PCI and SOC-2 standards, chances are they are HIPAA compliant.
State Laws
Some states (most notably California and Massachusetts) have very strict laws regarding data privacy and protection. In these states (as well as some others) there may in fact be a law on the books that requires certain types of business to maintain a particular standard or certification. These are the only cases where failure to be compliant or certified is against the law.
Compliance at Sumo
At Sumo Logic, we currently have a SOC 2 Type 1 report and are working diligently towards our SOC 2 Type 2. We are also in the process of attaining our PCI DSS Service Provider Level 1 certification. These attestations and certificates help show our customers (and, more importantly, our customers’ auditors!) that we have done all of the due diligence they would expect from a business that will be handling their sensitive data.