Data recovery companies should follow sound practices to handle client financial data safely. Regular audits are an important part of any IT provider's security program, and the two most common audit standards are SAS 70 and SSAE 16, both issued by the American Institute of Certified Public Accountants (AICPA).
When looking for a data recovery provider, you should check for compliance with one of these two standards, even if the SEC does not legally require you to do so. Of the two standards, SSAE 16 is the superior option. SSAE 16 significantly updates SAS 70, and while there is some disagreement as to the extent of these updates, it is clear that SSAE 16 Type II attestations do much more to ensure the security of an organization than the simpler SAS 70 audits.
Data recovery companies need to use consistent standards, and providers that do not perform SSAE 16 Type II attestations might put their customers' data at risk. Publicly traded companies also have legal requirements when contracting IT services, and SSAE 16 compliance is mandatory for many of these businesses.
Advantages of SSAE 16
Long-Term Security - SSAE 16 emphasizes security by requiring a description of the intent behind security systems. Although it is a one-time attestation, its requirements are designed to insist on sound long-term security. This is closely related to the management attestation requirement, which is by far the most significant new feature of the SSAE 16 Type II standard.
Testing vs. Auditing - To qualify as SSAE 16 Type II compliant, data recovery providers must complete a full management attestation. Managers must explain the intent of their security systems and demonstrate how those systems address that intent.
By involving management in the process, SSAE 16 Type II takes a more comprehensive approach. Management attestation standards vary by industry, but management is held fully responsible for the validity of the attestation. Auditors must make sure that proper criteria are used during the attestations.
Detailed Requirements - Because SSAE 16 Type II requires a description of the systems used to prevent unauthorized access to data, it calls for a significant rethinking of security. SAS 70 requires only a description of "controls," which is less comprehensive.
To meet the requirements of SSAE 16 Type II compliance, data recovery companies need to meet strict criteria, and they cannot use reports from previous audits (including SAS 70 audits) to satisfy attestation requirements. This is extremely important. To obtain an SSAE 16 Type II compliance report, data recovery providers need to show compelling evidence for all of their claims. Many SAS 70 certified companies simply submitted the same information over and over again to keep their certifications current, an approach that does nothing to demonstrate proper security controls.
We should note that compliance with SSAE 16 or SAS 70 does not literally yield a certification; the term "certification" is commonly used by IT contractors, but SSAE 16 Type II attestations yield only compliance reports, not an official certification.
In any case, SSAE 16 is a much-needed update to SAS 70, and producing a compliance report requires an extremely in-depth approach. Always ask about security credentials when evaluating data recovery providers, and when in doubt, ask to see audit or attestation reports. By working with SSAE 16 compliant data recovery providers, you greatly reduce the chance of unauthorized data access, and you fulfill SEC requirements for publicly traded companies.