SAS 70 Anyone?

NightShade03 Member Posts: 1,383
The company I just got hired for tells me they are SAS 70 compliant. Naturally I wanted to read up on this, as I've never heard of it. From everything I can gather, this certification has more to do with accounting, business policies, and the like. I have managed to find a document on physical access requirements for the data center for compliance, but that's about it. Anyone have any experience with this certification or more information on it?

Comments

  • eMeS Member Posts: 1,875
    I used to manage a large organization's annual response to a SAS 70 audit.

    Basically, a SAS 70 audit is intended to ensure that a service provider has effective controls and is meeting certain standards with respect to the delivery of services. You find it often in financial services, insurance companies, and outsourcing companies.

    We used it because often when we would bring on new clients (with billions+ in assets) they would want to perform their own audits of our data centers. We didn't really have the time or the inclination to do that for every customer, so we would share our SAS 70 audit reports with them in lieu of countless audits.

    The auditing company will typically assign a lead auditor, who will manage several junior auditors. The junior auditors are typically straight out of college, and often know nothing about nothing. The audits are both evidence and interview-based.

    As the guy on the inside, it's your job to answer the questions they ask truthfully, but not to volunteer any information that is not asked for. Additionally, there is always a finding, and if you can tee this up in a way that the finding(s) are easily manageable, then that's better for you. You don't want those guys to have to dig too much for their findings.

    These can definitely be cat and mouse games....

    Go to AICPA http://www.aicpa.org/ for more information. I think you should be able to see the full text there as well.

    MS
  • NightShade03 Member Posts: 1,383
    Thanks for the info, I will check out the site. We are a SaaS company, and as a member of the data center team, everything we do for the developers (patching, server maintenance, rollouts, etc.) needs to be approved, and there needs to be a paper trail for the auditors. This seems like a good plan; however, the method of documentation is not great, and I'm looking to improve on it.