Statement on Standards for Attestation Engagements (SSAE) No. 16

The Auditing Standards Board of the AICPA issued Statement on Standards for Attestation Engagements (SSAE) No. 16, “Reporting on Controls at a Service Organization.”  This new Standard is similar to the global standard (ISAE 3402).  SSAE No. 16 will supersede SAS No. 70. The effective date for SSAE No. 16 will be for service organization reports with periods ending on or after June 15, 2011.

See Official SSAE16 Website

Molecular Memory Breaks New Ground in MIT Research Lab

Unless you happen to be a molecular physicist, molecular physics just got fascinating. For IT representatives across the globe in particular, molecules now hold a crucial key to unlocking ultra-efficient data storage. Soon, data center technicians will be able to store enormous amounts of data in specialized layers of molecules. It might sound like science fiction, but recently the notion has become fact. It’s called “molecular memory,” and it could mean that within a decade, IT personnel will be stashing as much as 1,000TB of data in as little as a square inch of space. The anticipated result is more energy- and space-efficient data centers worldwide.

The technology is exciting, especially when you consider that the discovery of molecular memory will only accelerate the search for more and better alternatives to today’s data storage solutions. The molecule used in the research, which was conducted in an MIT lab, originated in India with chemists at the Indian Institute of Science Education and Research (IISER).

Molecule Memory Revealed

By changing the magnetic conductivity of the molecules, researchers were able to replicate binary ones and zeros in accordance with the molecules’ magnetic state. This creates molecular memory, which grants us the ability to store even more data in less space.

The Process

With the recent leap in the technology, researchers have made inroads in specific manufacturing phases that will cut down on some of the cost of manufacturing as well as produce a product that will be easier to keep cool. This last part will be music to the ears of IT personnel who are driven to find effective ways to manage the heat levels in their facilities.

What Tomorrow Means for “Molecular Memory”

Jagadeesh Moodera led the research team at MIT and predicts that workable storage devices modeled after the science of molecular memory will be available as replacements for traditional SSD systems within a decade. The consequent benefits of the technology will be a more efficient use of the energy needed to power and cool the devices in data center facilities, as well as a more efficient use of hard drive space.

As facility technicians across the globe strive to shave costs and enhance performance, this technology is both timely and invaluable. Moodera hopes that the findings will generate interest in the continued development of these types of memory solutions.


What is Virtualization

When a company moves away from physical computers and starts to focus more on virtualization, it will save a lot of money as a result. It’s difficult to acquire enough computers to meet the needs of a growing workforce, and dealing with the implications of upgrading the current technology infrastructure is even more daunting. One of the Dell virtualization benefits is that it eliminates the necessity of purchasing a computer for each new employee. It also lowers the amount the company has to budget for IT each year. The company can’t expect to replace every computer with a virtualized version though. Virtual machines do not work well with graphically intense applications. Companies that do a lot of graphic design or video editing won’t be able to completely virtualize their systems; however, they will have the chance to store their files in a virtual environment should they choose to do so. Do not save files on a virtual machine and expect them to be there the next day though. Virtual systems are often wiped at a moment’s notice because they encountered a virus or spyware infection.

A company filled primarily with physical computers has to hire enough IT professionals to keep them up and running. As the company grows larger, the amount of money it has to spend hiring IT employees goes up as well. Virtual machines take what used to require a team of IT professionals to maintain and reduce it to a level where one or two people could get the job done. The person who installs your virtual machines must have prior experience doing so; companies will benefit very little from virtual machines that crash on a regular basis. The same level of protection applied to regular office computers should apply to virtual machines as well. It’s tempting to reduce the amount of protection since it’s effortless to reset a virtual machine when it runs into trouble; however, some employees might forget to move their files to removable media or their office computer and lose what they spent hours working on. Since most projects have deadlines associated with them, it’s essential to ensure that employees will have the chance to move their files before the virtual machine they used is wiped.

It’s a good practice to wipe your virtual machines on a regular basis. If they’re being used by several people, the volume of files weighing them down could slow them to the point where they’re practically unusable. Most companies are able to give each employee their own virtual machine, but that isn’t always the case. Hosting a large number of virtual machines puts a lot of strain on your server. Small companies won’t have servers as powerful as those of large companies; therefore, the number of virtual machines they can use will be much smaller as well. It’s possible for you to take the risk and work primarily on the main office computers. If you go this way, though, you need to back up your data constantly and have good protection measures in place. Your files will stick around if you know how to protect them and put them in the right place in case something terrible happens.

Will entities now become “SSAE 16 certified”?

Here is the excerpt verbatim from the AICPA:
Q. — Will entities now become “SSAE 16 certified”?
A. — No! A popular misconception about SAS 70 is that a service organization becomes “certified” as SAS 70 compliant after undergoing a type 1 or type 2 service auditor’s engagement. There is no such thing as being SAS 70 certified and there will be no such thing as being SSAE 16 certified. An SSAE 16 report (as with a SAS 70 report) is primarily an auditor to auditor communication, the purpose of which is to provide user auditors with information about controls at a service organization that are relevant to the user entities’ financial statements.

SAS 70–Is it All the Due Diligence You Need?

The answer is a resounding and definitive “No!” According to an article I found on Datamation, “How Cloud Computing Security Resembles the Financial Meltdown,” putting all your faith in a vendor’s claim to be SAS 70 certified is one of the riskiest moves you can make on behalf of your company.

“Who’s issuing these certifications?” it asks. “And where’s the money coming from to pay the auditors checking off the list?” The answer is always: the vendors themselves. Which makes sense, right? Who else should pay a third-party auditor to cross-examine a vendor’s internal processes but the vendor, as a courtesy, convenience, and assurance to its customers that it has its act together and can be trusted?

The point made in the Datamation article was that it was third-party auditors who signed off on all those shoddy sub-prime mortgages as AAA-rated assets, and they were paid by the schmoes needing the recommendation. Shady enough for you? It certainly doesn’t inspire the greatest confidence in organizations that likewise pay their auditors, although that’s not entirely fair.

Of course, there is always the option to hire your own auditor instead of relying on the group hired by the company you’re investigating, but not many of us can bear the expense. It ends up being an excellent PR move for vendors to stamp a “SAS 70 Certified” icon on their site with the message: “Your data is safe with us. We’ve been certified.”

Savvy consumers would request tangible proof, a report of some kind that they can hold in their hand, and requesting this report is the first step in doing your proper due diligence. As nice as it would be to take anyone’s word for it when they promise you the world, it’s a luxury that has probably never existed in any bygone era. The reality is you’ve got to do your research, and any company you do business with has to have the history and the list of satisfied clients to back them up and give a little weight to their claims.

In my personal opinion, it should be a good sign if the company you’re thinking of using as your cloud computing provider can say it’s SAS 70 certified and then prove it. Especially if it’s also gone through the trouble to become certifiably PCI Compliant. And then even more especially if it can give you a list of client referrals that can attest to their positive experience with that particular provider. Altogether it means that the company has its head on straight, is up-to-date on current industry standards, and is proactively on top of its game. It will go that extra mile to grant its customers the assurance they need to entrust their data to them, and that in itself is a valuable consideration to have when you’re comparing the top providers.

Installment #8: So what’s the bottom line?

So what is the bottom line to my company?

If you are a service provider, having a SAS 70 report ready can be a shortcut for your company in helping its customers with their auditing and compliance needs. It can help your company maintain security and policy awareness, which will build your ability to perform in an ever more risk-averse financial world. Likewise, such certifications are growing increasingly attractive to potential clients and can make or break a deal.

A SAS 70 audit can be a real walk in the park if you are confident that your policies are well documented and properly followed by your employees. This is something you need to do anyway to ensure the viability of your company as a service provider. As long as you are already implementing policies and procedures and following them correctly, your audit should be a painless and interesting process that gives you an outside person’s view of your daily workflow.

If you do business with service providers and need to make sure they are staying compliant with their own policies, a SAS 70 report can help your company feel more secure about those providers. Additionally, if you need to comply with industry standardization requirements or internal policy requirements, you can save your company’s and your auditors’ time and money by having a SAS 70 report on hand from each of your major service providers.

Installment #7: Where do I go for more specific SAS 70 guidelines?

What if I want more specific guidelines on what to do before getting a SAS 70 audit?

Groups such as the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute have published many frameworks and guides for information security and auditing. Other standards that companies may be required to adhere to (such as PCI-DSS) may actually have more specific requirements that can easily be used to create the policies and procedures that will allow a SAS 70 audit to be performed.

Installment #6: Can I fail a SAS 70 audit?

Can I fail a SAS 70 audit?

Yes, actually you can. When a service provider is audited, its report can be given an ‘unqualified opinion’ on whether it has the policies and procedures it claims and whether it complies with them. An ‘unqualified opinion’ is essentially a ‘passing’ grade. If the service provider either cannot produce the policies and procedures as described or fails to demonstrate compliance with them, a ‘qualified opinion’ is given at the end of the report. Essentially, the report will include a ‘qualification’ for each deviation from policy or procedure. This is not exactly a failure, per se. It simply means that the report shows the service provider is not in 100% compliance with its own stated policies and procedures. The report would have to be considered in more depth by a customer’s auditors to determine what that particular shortcoming means to that particular customer.

Even though any given service provider determines its own policies and procedures, which it then needs to comply with to receive an unqualified SAS 70 report, it is not uncommon for a service provider to fail to enforce those policies and procedures, or to find that employees are either not properly trained on procedures or not following them properly. That is why the auditing needs to be done on a recurring basis, and why a Type II report can be much more meaningful than a Type I report. If a service provider fails to comply with its own policies, it would need to correct whatever issue caused a qualification to be listed on the report and then repeat the audit process to have a new report generated.

Installment #5: Will my Service Provider’s SAS 70 report expire?

Will my Service Provider’s SAS 70 report expire and does it need to be renewed?

Not really. The report covers either one point in time (Type I) or a specific time period (Type II), such as a 6 month audit period. Therefore a report is valid as long as it was correctly produced. Of course things change, and companies’ procedures and policies and their ability to execute them will change over time as well, so realistically a report is of less and less value the older it is. Any given provider will probably want to have a new report generated on a yearly basis, or be required by its customers to do so, as that seems a reasonable interval to ensure that policies are up-to-date and followed appropriately.

Installment #4: So what good will a SAS 70 report do me?

So what good will it do me to get a report from my Service Provider?

Well, if your company is already subject to industry standardization requirements such as PCI-DSS, Sarbanes-Oxley, or other standards, your auditors will probably make repeated requests to obtain information from your various service providers about their security procedures and policies. Having a Type I or Type II SAS 70 report on hand allows the service provider to easily supply that information to auditors in a familiar format, which should satisfy a lot of those requests, saving your auditors time and saving you money.

If you are a service provider, the reverse applies to you. Having a Type I or Type II report ready to go means you can provide information to your customers that makes their lives easier and helps them get back to business.