09-06-09 | Blog Post
Update: SAS 70 reports only on controls related to financial reporting. If you need assurance of controls directly related to data centers, including privacy, security and availability, look for a SOC 2 report.
SAS 70 was replaced by SSAE 16 in June 2011.
Many of our clients require SAS 70 because their SaaS products are being delivered to publicly held companies or their customers require SAS 70 as a “good housekeeping” seal of approval.
Others look at SAS 70 as a way to validate that the proper physical and electronic security mechanisms are in place to keep their servers and data safe.
So a couple of thoughts:
1) From a hosting provider’s perspective, we’ve found SAS 70 to be one of the best investments we’ve made (although very expensive from both a time and a dollars perspective). It helped us solidify, procedure-ize and document everything we do, from physical security to network security and change orders. It has increased our quality and uptime, and helped us eliminate errors and outages caused by human error.
Just like any certification, I’m sure that SaaS hosting providers range from those that simply use SAS 70 as a “stamp” to those that use the process to drive their operations. The key to look at is intent.
2) From a SaaS perspective, when you’re looking at a SAS 70 hosting company, the best way to get a handle on a hosting provider’s “intent” and the quality of their delivery is to review the SAS 70 audit report. Any reputable data center operator will provide it under an NDA. The report should at a minimum include the auditor’s report, a description of controls, and the auditor’s tests, findings and exceptions.
The description of controls is the heart of what you want to look for. It should cover controls for physical security, logical security, network security, security violation reporting and monitoring, change management, organizational and administrative controls, and data backup and recovery. This is the essence of how seriously the hosting provider takes its processes and systems to ensure repeatability.
The auditor’s tests and findings then detail the tests performed against these controls, what was found, and whether there were any exceptions (or failures) in the audit process.
Previous blog posts on SAS70:
What is a SAS70 Audit?
5 Reasons to Choose a SAS70 Audited Colocation Provider.