SOC 1/SSAE 16 Compliance is a key foundation to IT Security, which is why CenturyLink has invested extensively in obtaining and maintaining this compliance and passing on the benefits to our customers.
CenturyLink provides an annual Statement on Standards for Attestation Engagements (SSAE) No. 16. The certification validates CenturyLink’s commitment to operational excellence and client satisfaction. The SSAE 16 SOC 1 Type 2 report indicates that an independent service auditor has formally evaluated and issued an opinion on the description of selected CenturyLink systems. The opinion includes the suitability of the design and the operating effectiveness of applicable controls. This audit report includes controls related to:
Thirteen of CenturyLink’s global data centers are independently audited in accordance with SSAE 16 and have published a Service Organization Controls 1 (SOC 1), Type 2 report.
Service Organization Controls (SOC) reports are specifically designed for organizations like CenturyLink. The reports help organizations operate their systems and provide services to their customers by building trust and confidence in their service delivery processes and controls. Each type of SOC report is designed to help meet specific needs:
SOC 1 Reports are conducted in accordance with the professional standard known as Statement on Standards for Attestation Engagements (SSAE) No. 16, simply known as SSAE 16. These reports are specifically intended to meet the needs of the customers of CenturyLink. There are two types of reports:
Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
Additionally, accompanying SSAE 16 audit guides are available to help auditors perform these engagements. The SOC 1 reporting framework uses SSAE 16 as the professional standard for issuing these reports.
The scope of the SOC 1 report addresses the networking and hosting services system provided by CenturyLink. The network and hosting services environment is an Information Technology General Control (ITGC) system.
Two primary features of the SOC 1 report that organizations should be aware of are:
The management of the service organization is ultimately responsible for providing what's technically known as the description of the "system." The description covers the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities.
The management of the service organization must also provide the auditor with a written statement of assertion, a document that effectively attests to a number of important provisions and clauses relating to the engagement itself. Management’s written assertion covers:
Worldwide, CenturyLink has 59 SOC 1-compliant data centers. These facilities, processes and policies have been audited against SOC 1, CSAE 3416, and/or ISO 27001 standards.
A variety of products and services are included in the SOC 1 report, including:
A significant number of organizations that previously underwent SAS 70 compliance will be SSAE 16 candidates. This is due in large part to the services and supporting controls in place that affect the internal control over financial reporting (ICFR) for entities utilizing CenturyLink services.
Some examples of SSAE 16 candidates are:
In the regulatory compliance world, which is a better fit for data center compliance: SOC 1 SSAE 16 reporting or SOC 2 AT 101 reporting? Both sides put forth credible merits for using either SOC 1 or SOC 2. Many firms issue both SOC 1 and SOC 2 reports for data centers.
A Type I report does not include testing or an opinion related to the operating effectiveness of controls over a specified period of time.
Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry-leading global network.
Experts at the ready to maintain and administer your cloud deployments. Rapid provisioning, hourly billing, and highly automated.
A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.
Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services, including fully managed networks, servers, storage, operating systems, and security.
Gives a range of storage options, including data replication and backup/archiving. CenturyLink solutions are secure, affordable and can provide data resilience with up to 5 nines.