Regarding compliance with SAS70, SSAE16, PCI DSS.

I'm evaluating email SaaS providers and see that many vendors are compliant with SAS70, SSAE16, and/or PCI DSS.

Can I ask them to provide their attest/audit records so I can see where they are lacking in security?  

So many vendors are compliant; I really want to see who "barely" got compliant vs who ensures security is a priority and tries to do everything.
Asked by: dorianit

2 Solutions
 
Dave Howe (Software and Hardware Engineer) commented:
Should be available - most SAS70 (for example) audit reports I have seen explicitly note that the report may be shared with customers of the auditee and incorporated by their auditors "by reference".

Note however - a SAS70 is near worthless for security auditing, being focussed on internal fraud prevention controls. SSAE16 is even worse, allowing much self attestation by the company to be taken at face value. They are aimed more at SOX compliance than security controls.

dorianit (Author) commented:
DaveHowe,

Thanks.   Are there compliance/standards for cloud vendors today?

Dave Howe (Software and Hardware Engineer) commented:
It varies; the ISACA one is widely regarded, and a new body called the Cloud Security Alliance (http://cloudsecurityalliance.org/ ) is trying to position itself as a de facto standard, although I don't believe it has even timetabled submission to a recognised standards body (presumably for control reasons, although the MS OpenXML debacle has given ISO a major knock as a credible standards body).

Most will have *some* sort of accreditation, but largely just SAS70 (if so, you should ask for and then read the report carefully); I virtually guarantee that they will cover physical security of the site (as that's a SOX item) but once an employee is authorized in, don't care what they do, and they won't have any mention of electronic security or access controls beyond fraud detection.

That's not to say they won't *have* such controls, just that they aren't formally noted in SAS.