First Midwest Data Centers Achieve SOC 2 Compliance
ANN ARBOR — The data center operator Online Tech Inc. Tuesday announced that its Michigan data centers have achieved the American Institute of CPAs (AICPA) Service Organization Controls (SOC 2 and SOC 3) compliance.
All three of Online Tech’s data centers have passed independent SOC 2 and SOC 3 audits, the highest level of data center standards, which audit the company’s security, availability, processing integrity, confidentiality and privacy.
Online Tech’s SOC 2 and SOC 3 audit comes on the heels of its HIPAA and SSAE 16 audits earlier this year. Online Tech announced completion of its HIPAA audit in September, when it achieved 100 percent compliance across all 54 HIPAA citations and 136 audited HIPAA components. Online Tech was also the first data center operator in Michigan to achieve the SSAE 16 audit last June. SSAE 16, also known in the industry as SOC 1, focuses on controls specifically relevant to financial auditing.
SSAE 16 and its predecessor, called SAS 70, have non-objective control criteria which are written by the data center operator and then audited by an outside firm. Some data center operators, such as Online Tech, specify detailed, specific criteria in their SSAE 16 audit report with as many as 49 control activities to be audited against. Other operators provide a minimal report with fewer than a dozen controls that are audited. As a result, no two SSAE 16 audits are the same, and the quality of an SSAE 16 report can only be judged by reading all of the fine details. This leaves data center customers without a standard, objective set of criteria with which they can easily compare and select a data center operator.
In contrast, SOC 2 and SOC 3 provide for a much more stringent audit, with a stronger set of controls and requirements specific to data center service organizations. SOC 2 and SOC 3 provide a standard benchmark by which two data center audits can be compared against the same criteria. In comparison to an SSAE 16 engagement, where the data center operator defines the criteria for an audit, the SOC 2 Report uses consistent, pre-defined control criteria related to security, availability, processing integrity, confidentiality and privacy of a system and its information.
“SOC 2 and SOC 3 are welcome standards to our industry,” said Mike Klein, president of Online Tech. “They raise the bar for service organizations and allow the best to shine with these much harder standards of compliance. Clients seeking data center operators that employ best-practices day-in and day-out will get what they’ve been looking for — a standard, more objective benchmark against which to compare options.”
The national auditing firm, UHY LLP, examined all of Online Tech’s data centers and conducted a comprehensive review of the effectiveness of the policies and procedures that govern them. The controls encompassed service offerings, physical, logical, and network security, risk assessment, redundancy, change management, and more. All of Online Tech’s independent audits cover the entire range of hosting solutions from colocation to managed services, managed dedicated servers, managed and private clouds, and disaster recovery.
Online Tech serves a growing demand for data and computing capacity in small and mid-size businesses. Through its high availability SAS 70 data centers, Online Tech delivers a range of hosting services including colocation, managed dedicated servers, private cloud hosting, and disaster recovery.
More at www.onlinetech.com.