How to Tell if Your Service Provider Is Secure
As more and more organizations outsource data storage for corporate email, financial systems and expense reporting, corporate risk and security managers need to ensure their customer files and data are as secure as possible. Just asking a service provider if they’re secure isn’t enough—you need greater assurances than a cursory yes or no answer.
So how can you really know if your data is safe?
One of the best ways to make sure your data is safe is to have an external audit performed by an organization independent of your service provider. Here are a few types of audits that are important:
SOC 1 Type II or SSAE16 Type II
This is an audit of an organization’s unique set of key business and technical controls. The value of a SOC 1 / SSAE16 audit centers on the fact that it must be carried out by a licensed public accounting firm. There are formal standards for the performance of SOC 1 / SSAE16 audits that leave nothing to chance. To go a step further, the accounting firms that perform these audits are, themselves, audited.
The best way to get evidence of SOC 1 / SSAE16 from a service provider is to ask for a copy of the audit report. You can determine the report’s authenticity by contacting the audit firm directly.
Payment Card Industry Data Security Standard (PCI-DSS)
Every service provider that receives, transmits, or processes credit card data is required to be PCI compliant. The PCI standard is very stringent and includes more than 150 specific requirements including strong encryption of credit card numbers at all times.
Only qualified audit firms are permitted to perform PCI audits. These firms, known as QSAs (Qualified Security Assessor), are required to undergo strict qualification and certification processes.
Another way to get evidence of compliance is to ask the service provider for a copy of the Attestation of Compliance (AOC) that is signed by the audit firm. To be doubly sure, contact the QSA directly to confirm the authenticity of the AOC.
ISO 27001
ISO 27001 is the international standard for information security management. This well-known standard defines the required characteristics for a mature, risk-based security management program.
It is one thing to be audited against ISO 27001 and quite another to be certified to ISO 27001. Any firm or individual who obtains a copy of the ISO 27001 standard can audit an organization and produce a report. But for an organization to be certified to ISO 27001, the firm performing the audit must be accredited, and, like other external reports, these audits are reviewed to ensure accuracy.
The best way to determine whether a service provider is certified to ISO 27001 is to ask for a copy of the most recent certificate and audit report.
Penetration Tests
Service providers that deliver their services through online applications should test those applications frequently for vulnerabilities. Periodically, they should hire competent, outside firms to perform penetration tests. Like other external audits, these tests – often called “ethical hacks” – provide objective, qualified opinions that can be trusted.
Unlike the other audits discussed above, the rules for performing these “pen tests” vary somewhat. Consequently, finding and choosing a qualified firm takes a little more work and requires the involvement of a security specialist.
We believe there is no substitute for security audits performed against these internationally recognized standards. Our own Concur Trust Platform includes ISO 27001, SOC 1 / SSAE16 and PCI audits, penetration tests, plus additional controls to ensure the very best security available for your corporate data.