Tom Olzak

Archive for February, 2011|Monthly archive page

SAS 70 replacement: SSAE 16

In Business Continuity, Cloud Computing, Data Security, Government, Network Security, Policies and Processes, Regulation, Risk Management, Security Management, Vendor Management on February 28, 2011 at 22:24

I’ve never been a big fan of SAS 70, even though it seemed to many  like a great way for an organization to tell the board and its auditors that it practiced due diligence.  You know, ” hey look, I got a SAS 70 from the service provider.  See, they’re secure.”  Not so fast, bucko.

The SAS 70 was never intended to be a test of the effectiveness of an organization’s security controls.  Rather, it simply checks to see if controls are in place–controls as defined by the audited organization’s own management.

In the article, SAS 70 replacement: SSAE 16 – CSO Online – Security and Risk, CSO’s Bill Brenner takes a look at something that may strengthen SAS 70… a replacement.


%d bloggers like this: