SAS 70 is a structured, independent audit of the controls a service organization operates over the systems that process its customers' data. It is performed against a standard developed by the American Institute of Certified Public Accountants (AICPA), Statement on Auditing Standards No. 70, Service Organizations. This isn't something you run yourself: you engage an independent accounting and auditing firm, which performs the audit and issues a written report. The output is that report and the auditor's opinion in it, not a certificate.
There are actually two kinds of audit and report. A Type I report assesses whether the controls the organization has put in place are suitably designed to meet its stated control objectives and were in operation as of a specific date. A Type II report includes that information but also tests how effectively those controls operated over the period under review (typically at least six months). That's why Type II is the one to ask for: it shows that management has not only designed a control system but is actually following the procedures it has put in place, with the auditor's test results and any exceptions documented in the report.
What sort of things are audited? Areas the auditor typically covers include management and organizational policies and procedures, physical security of the data center, logical security that ensures only authorized personnel have access to customer data, network security and management, application security, change control and change management, system maintenance controls, incident reporting and resolution, transaction processing, the use of subcontractors, and business continuity. Note that the control objectives are defined by the service organization itself, so when you read a report, check that the objectives tested actually cover the controls you care about.
You can think of SAS 70 as something akin to the ISO 9000 quality management standards from the International Organization for Standardization, and the audits performed against them for manufacturing organizations. They're not the same thing, but both aim to provide assurance that you are dealing with a company that has effective processes and procedures in place and follows them. The principle is that sloppy, seat-of-the-pants operations tend to deliver results that are all over the map: sometimes things work, sometimes they don't. You are much better off with a provider that can produce the same results over and over, reliably.
What you want in a data center or cloud service provider is an operation that is secure and reliable above all. You wouldn’t prop open the back door to your in-house data center and let anyone who wanted to wander around unsupervised. Likewise, you want the peace of mind that the colocation facility that houses your servers has them secured in locked racks or cages and that nobody who doesn’t belong there can get into the data center at all.
The same is true of the networks that carry packets in and out of your servers. Those connections and the data that traverses them need to be under strict control so that your systems and data cannot be accessed by anyone without your express approval. One advantage of moving to a colocation center is that you are literally within walking distance of your carrier and perhaps your cloud service provider. With the connections made as cross-connects inside the facility, there are fewer external fiber runs and hand-offs, which reduces both the chance of service disruptions and the number of places an outsider could tap into your data stream. Treat the cross-connect as a shorter path, not a trusted one: traffic should still be encrypted in transit.
Service reliability matters as well. Having the servers and appliances locked down is great, but they also have to be on-line 24/7 to fulfill their mission. That's why redundant electrical power, cooling and network connections, which keep your applications running non-stop, are so valuable. Having trained technicians on site or nearby ensures that if something does go wrong, it gets immediate attention.
Are you interested in moving to a high-quality colocation facility or cloud service provider? Many now offer a SAS 70 Type II audit report, so be sure to ask for that assurance when evaluating vendors. Keep in mind that SAS 70 is an audit report, not a certification: ask to see the report itself, including the auditor's opinion, the period it covers, the control objectives tested and any exceptions noted, rather than accepting a bare claim of "SAS 70 compliance". Note also that the AICPA has since superseded SAS 70 with SSAE 16 (SOC 1) reports, and for security and availability controls the relevant report is SOC 2; if a vendor still cites SAS 70, ask which current report it corresponds to. Get pricing and location for colocation and cloud services using SAS 70 Type II Data Centers.