So this week we found out the server Hillary Clinton used for her personal email account was stored in a bathroom closet. If she had asked Platte River Networks to undergo an SSAE16/Service Organization Control (SOC 1 or SOC 2) audit, chances are she would not have moved forward with the company. Using personal email as Secretary of State would likely still make headlines. However, if the firm she chose to work with had passed the extensive audit process, we would at least have some peace of mind that the company provided its service in a reliable, accurate, confidential and secure way to protect classified government data.
When you ask an outsourced service organization to complete a SOC audit, auditors dissect particular areas of the business to ensure they are meeting certain standards. Common areas of review include:
- PHYSICAL SECURITY - Are your facilities properly secured? (I don't believe a bathroom closet would have passed the test).
- DISASTER RECOVERY - In the event of a disaster, would you be able to retrieve information from the data backups and continue operations? (Questionable at this point whether Clinton's emails were backed up.)
- ENVIRONMENTAL - Do you maintain an appropriate environment for equipment (e.g. proper HVAC and fire suppression systems)?
- DATA ACCESS - Are security settings in place to prevent unauthorized access to client systems and information? (Again, the server was in a bathroom closet...)
- PROCESSING INTEGRITY - Are quality procedures in place to verify that information was processed completely and correctly?
- ORGANIZATION & HR - Do managers provide proper oversight and are employees qualified for their positions?
The big takeaway from Servergate is that business owners (regardless of political affiliation) should be asking their service organization provider whether they are SSAE16/SOC compliant. If they are not, ask them to undergo an audit before proceeding with the relationship.