We have always maintained that SAS 70 Type I and II certifications, though a great make-work program for U.S. accountants and required under some companies’ SOX programs, are next to useless if you want to know whether or not a hosted service provider has adequate security controls in place.
The list of problems with using SAS 70 documents as “security certifications” is long, too long for this post. Of course, coming from a vendor, any complaint about the abuse of a certification that certain competitors rely on can end up sounding like carping.
But Gartner has now stepped up to the plate and agreed with us. Here’s the money quote from Gartner Research Vice President French Caldwell:
“Chief information security officers (CISOs), compliance and risk managers, vendor managers, procurement professionals, and others involved in the purchase or sale of IT services and software need to recognize that SAS 70 is not a security, continuity or privacy compliance standard.”
There are several useful security standards, including ISO 27001, which is the gold standard and probably what you want to demand from your hosted service vendor.
But one piece of paper you won’t want to rely on is a SAS 70 certificate.