I dug quite deeply into SAS 70. It is an auditing standard and sounds very impressive, but you have to be aware of what you are actually looking at.
The scope is very important.
If I write a document that says “We have no security controls. Our servers are hosted in the middle of a busy shopping centre and anyone has full console access to them. There is however a plastic cordon tape around the area where the servers are and people need to open it and close it after they are done. We also have a mat.”
We can pass the SAS 70 audit if all the above is true. Forget good security principles; is what we have stated a true reflection of reality? (Actually, does the auditor think that it is?)
SAS 70 Type 2 is a little more interesting: do the controls as stated above work? Is there a mat? Check. Is there cordon tape? Do people open and close it? Check.
Having passed the SAS 70 audit, I can now add that to my site: “Our security controls have passed a full SAS 70 Type 2 audit and users need to abide by our access controls.”
The other thing that companies can do is have SAS 70 audits of only some of their infrastructure. So, your “Level 1” server sits under the technician’s desk next to his skateboard and comic collection, but the “Level 5” servers are in the data centre. The website states “All data centres are SAS 70 audited”, but the standard document states “Scope: Level 5 Servers”.
Basically, a SAS 70 Audit is the company saying “we have independent auditors that can verify we haven’t lied to you about security controls”. You have to read further to see what these controls actually are.