Regarding compliance with SAS70, SSAE16, PCI DSS.

Posted on 2012-09-12
Last Modified: 2012-09-17
I'm evaluating email SaaS providers and see that many vendors are compliant with SAS70, SSAE16, and/or PCI DSS.

Can I ask them to provide their attest/audit records so I can see where they are lacking in security?  

So many vendors are compliant; I really want to see who "barely" got compliant vs who ensures security is a priority and tries to do everything.
Question by:dorianit
    Assisted Solution

    by: Dave Howe
    Should be available - most SAS70 (for example) audit reports I have seen explicitly note that the report may be shared with customers of the auditee and incorporated by their auditors "by reference".

    Note however - a SAS70 is near worthless for security auditing, being focussed on internal fraud prevention controls. SSAE16 is even worse, allowing much self attestation by the company to be taken at face value. They are aimed more at SOX compliance than security controls.

    Author Comment


    Thanks.   Are there compliance/standards for cloud vendors today?
    Accepted Solution

    It varies; the ISACA one is widely regarded, and a new body called the Cloud Security Alliance ( ) is trying to position itself as a de facto standard, although I don't believe it has even timetabled submission to a recognised standards body (presumably for control reasons, although the MS OpenXML debacle has given ISO a major knock as a credible standards body).

    Most will have *some* sort of accreditation, but largely just SAS70 (if so, you should ask for and then read the report carefully); I virtually guarantee that they will cover physical security of the site (as that's a SOX item), but once an employee is authorized in, they don't care what they do, and they won't have any mention of electronic security or access controls beyond fraud detection.

    That's not to say they won't *have* such controls, just that they aren't formally noted in SAS.
