peshkova - Fotolia

Channel compliance controls: SSAE 16 audit requirements rigorous

Channel companies need to pay up for SSAE audits and develop policies, processes and documentation around regulatory compliance, say experts at ChannelCon 2016.

The cost of a regulatory compliance regimen and external SSAE 16 audit requirements can be quite steep, but channel companies need to make the investment to avoid penalties and establish credibility in the market.

That's the view of industry executives who say customers, business partners and government regulators are making more demands on service providers to attest that adequate controls are in place. A single audit can run into the thousands of dollars, but the cost of noncompliance can prove far worse when it comes to fines and damage to business reputation.

Ron Culler, CTO at Secure Designs Inc., a managed internet security services provider in Greensboro, N.C., said state and federal governments are "starting to ask a lot more questions," while customers are also looking to raise their comfort level with service providers. "They are asking, 'Why should we use you? Why should we trust what you are doing?'"

Ron Culler, CTO, Secure DesignsRon Culler

Culler, speaking at CompTIA's ChannelCon 2016 conference this week in Hollywood, Fla., said Secure Designs went through a Statement on Standards for Attestation Engagements (SSAE) 16 audit, which he described as an "excruciating ordeal." SSAE 16 is an audit standard for services organizations. According to the American Institute of Certified Public Accountants (AICPA), which developed the SSAE 16 audit requirements, a service provider provides a description of its system and the controls it has in place. A CPA firm then offers an opinion on whether the description is "fairly presented" and whether the outlined controls are "suitably designed."

Culler said SSAE 16 audits, in effect, call on a service provider to determine what it wants to be audited on. Secure Designs hired an accounting firm to help define that scope, what Culler referred to as a pre-assessment process, and then brought the firm in a second time to review the company's measures.

"It is not inexpensive," Culler observed. "No one wants to spend the money ... but you just have to go ahead and do it. It is a cost of doing business now."

No one wants to spend the money … but you just have to go ahead and do it. It is a cost of doing business now.
Ron CullerCTO, Secure Designs

"It is going to cost you a lot of money to go through an audit process," agreed Tracy Pound, managing director at Maximity.

But Pound, also speaking at ChannelCon 2016, suggested companies consider the cost of noncompliance: "If something goes wrong, how much will it cost your business and your client's business?"

Mike Semel, president at Semel Consulting LLC, cited a recent Health Insurance Portability and Accountability Act (HIPAA) enforcement action as a case in point. In July 2016, Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia agreed to pay $650,000 as part of its settlement with the Department of Health and Human Services' Office for Civil Rights (OCR). OCR, which oversees HIPAA enforcement, said the "theft of a CHCS mobile device compromised the protected health information [PHI] of hundreds of nursing home residents."

CHCS provided IT services to six skilled-nursing facilities as a business associate. Under HIPAA, an organization that handles PHI is considered a business associate and is subject to the same fines as healthcare providers that violate HIPAA's Security Rule. The CHCS settlement is thought to be the first enforcement action involving a business associate.

Semel said the cost for noncompliance isn't limited to fines, however.  A service provider may also be subject to the costs associated with breach notification and legal fees, not to mention the damage to the company's reputation in the market.

Getting on the right track

To get on the right side of the compliance challenge, Semel suggested a three-pronged approach: policy, procedure and documentation. As for the first prong, a service provider should create a security policy that discusses what an organization will do to provide security -- for example, protecting endpoint devices against malware in response to a specific HIPAA requirement. The procedure, meanwhile, describes the specifics of how a service provider plans to implement the policy -- maintain a firewall configured in a certain way and institute a regular schedule of patching and updating, for instance. The third prong, documentation, presents evidence that a service provider has done what it set out to do with regard to policy and procedure.

Semel said the step for documentation, which he said should be maintained separately for each regulation, can prove particularly difficult.

"One of the weaknesses we have seen with technical folks is documentation," he said.

Channel partners can avail themselves of tools that can help them prepare for SSAE 16 audit requirements as well as meet a particular compliance obligation. Various frameworks, for example, provide organizations with a head start on what questions it should be asking itself with respect to compliance and which particular requirements apply, or don't apply, to them.

"A lot has changed in the last couple of years, and a lot more focus has been put on the concept of these frameworks," Culler said.

He cited the example of CompTIA's Security Trustmark+, which is built on the National Institute of Standards and Technology's Cybersecurity Framework and also takes into consideration regulations such as HIPAA and the Payment Card Industry Data Security Standard.

"When you start looking at [compliance] it can be overwhelming," he said. Frameworks, he said, "give you that place to start. If you don't have a starting point, you are just going to run around."

Business benefits of compliance, meeting SSAE 16 audit requirements

While the primary motivation for compliance may be staying out of trouble, the process need not be entirely a defense measure. Pound said channel partners can seize upon an audit as an opportunity to determine whether their internal processes are working well and identify those that may be outdated due to new product sets or a changing business focus.

"It's an opportunity for streamlining the way you work," she said.

And once a service provider has its compliance and security house in order, it can credibly begin offering its own security compliance and services to customers.

Culler said service providers can conduct research for customers who are asking about the compliance implications of a new technology direction -- adopting a new line-of-business cloud application, for example.

"You are taking a question from them and going out and doing the research," Culler said. "Do the investigative work for them. That is billable."

Next Steps

Learn about the opportunities and pitfalls of HIPAA compliance services

Read how the regulatory compliance is reshaping the channel

Find out about key channel trends in 2016

Dig Deeper on Regulatory compliance with cybersecurity laws and regulations