
What’s a SAS70 and why is it SO important to my data?


If you’re not the accounting type, you may not have heard of this little-reported stronghold called the SAS70. What it is, is an audit that service companies willingly subject themselves to (yes, I said “willingly” and “audit” in the same sentence) in order to assess and evaluate their internal controls.

Basically, it’s a review of the processes a business claims to have in place in order to conduct itself in the manner that it has promised to you.

You may be familiar with, or have seen the logos for, the globally accepted ISO 9000 certificate. A SAS70 is a similar quality test, except that ISO 9000 has the International Organization for Standardization governing who receives the status. A SAS70 audit has no specific level of performance requirement and is self-imposed.

I can hear you thinking, “So wait a minute, can a company just say what they do and pay for an audit to confirm it?”

Kind of. But it’s a helluva lot more involved than that.

“And why would this matter to protecting my data?”

Okay, slow down, good questions. Data centers, or rather “the cloud,” subject themselves to a SAS70 audit each year. This process takes months to complete and is quite costly. They do it because they guarantee you a supreme level of service (protecting your mission-critical information), and ensuring the proper processes are established and followed is integral to that guarantee.

I spoke with Kristen Herring, head of marketing for CoreXchange Data Center here in Dallas. She explained that when the company had its first SAS70 Type II review, it took six months to complete. Thankfully, when it is time for renewal the process is not as lengthy, or else they’d be in perpetual audit season.

Kristen explained that CoreXchange sought the audit because they hold themselves to a very high standard. Achieving that standard and maintaining it is key to their livelihood, so inviting the auditors in each year is something they embrace.

Finding the right accounting firm to conduct the audit is important as well. Lots of firms can conduct a SAS70 audit, but some firms also maintain a level of technical expertise in colocation facilities, and those are best suited for a SAS70 of a data center.

For a data center, the audit covers everything from the smallest process, like the check-in station and man-trap, to the biggest, such as what to do during a disaster in order to maintain service. The auditors comb through the operations manual, customer contracts, absolutely everything that has a process associated with it.

The cost of a SAS70 varies, and is determined by the number of locations and the number of processes that the business maintains. Translated, that means they cost anywhere from maybe $20,000 to $200,000. (Renewals are less.)

I had to ask, “What if a company doesn’t pass their audit?”

It’s not money down the drain. The firms will work with the company in any area where improvement is needed, until any issues are resolved.

There’s no Good Housekeeping Seal of Approval for these things, but rest assured that after going through this grueling process, any company that has achieved a SAS70 is going to brag about it. With a little digging you should be able to verify whether they have received and maintained their status.

“Customers shouldn’t just accept that a colo and bandwidth provider has a SAS70, they should ask for a copy of the report and read it. A company could put that they use crayons as part of their check-in process and if they do, then they’ve passed the audit,” urges Chris Tubeville of CoreXchange.

So congratulations to CoreXchange on continuing their SAS70 Type II reviews. Kristen shared with me that they are even going a step further and undergoing an SSAE 16 audit, which includes even MORE checkpoints.

Sounds to me like they have an audit addiction, and that’s a very good thing.
