Dec 14, 2010

When is SAS 70 not equal to SAS 70?


Last weekend I went to my local bank branch and it got me thinking about data center compliance and auditing standards. Wait…what? Let me explain.

I was at the bank to put some documents in the safety deposit box I rent at the branch. A bank employee and I went into the vault together and used dual keys to open the box. After that I was given a private spot to go through my box before we jointly returned it. When I originally rented the box I did so because I already had accounts at that branch and its location was convenient for me to visit. But how did I know it was secure?

When I signed the paperwork for the box they told me about some of their security processes: the vault is locked every night, access is only with the key, and so on. But, really, how do I know that? For all I know, the vault door may never close, there may be an unlocked door at the back of the building, or they may leave the keys out for anyone to pick up. The bottom line is that unless I personally verify they do what they say, or an independent third party does, I'm just taking their word for it.

In the data center and hosting world, the equivalent of that verification is the Statement on Auditing Standards No. 70 (SAS 70), an AICPA auditing standard for service organizations. What's confusing about it is that the 'standards' being tested are set by the company itself: the provider writes down its own control objectives and the controls that support them, and independent auditors then verify that the company is adhering to its own rules. SAS 70 sets no minimum bar of its own, and there is no such thing as a SAS 70 'certification'; the deliverable is an auditor's report. A Type I report covers whether the described controls were suitably designed and in place on a given date, while a Type II report also tests whether they operated effectively over a period of time, typically at least six months. The processes audited in a SAS 70 evaluation range from the physical security of the facility to the ongoing maintenance of the critical smoke detection, cooling and power systems.

The challenge is that two facilities can both hold clean SAS 70 reports, yet one offers a multi-layered approach to security with cameras, time locks, 24/7 guards and other measures while the other has only cameras and guards during the day. The second facility still passes, because all the auditor is verifying is that it follows the process it wrote down for itself. Looking at the two options, where would you want your data hosted?

With Sarbanes-Oxley, HIPAA, PCI and other industry or government compliance requirements, enterprises are getting smart about not only checking that a provider has a SAS 70 report, but also requesting the report itself along with the company's guidelines and processes, and reading the control objectives to make sure they meet their own requirements for availability, redundancy, security and other factors. In addition, it's critical to know how often the facilities are audited and which period the report covers. As an example, we audit our facilities twice a year.

And just when you think you have it figured out, a new standard is set to replace SAS 70 in 2011: Statement on Standards for Attestation Engagements No. 16 (SSAE 16), effective for report periods ending on or after June 15, 2011. Customers are already asking about it and we're ready!
