Tom Olzak

Archive for February, 2011

SAS 70 replacement: SSAE 16

In Business Continuity, Cloud Computing, Data Security, Government, Network Security, Policies and Processes, Regulation, Risk Management, Security Management, Vendor Management on February 28, 2011 at 22:24

I’ve never been a big fan of SAS 70, even though it seemed to many like a great way for an organization to tell the board and its auditors that it practiced due diligence. You know, “Hey look, I got a SAS 70 from the service provider. See, they’re secure.” Not so fast, bucko.

The SAS 70 was never intended to be a test of the effectiveness of an organization’s security controls. Rather, it simply checks whether controls are in place, and those controls are the ones defined by the audited organization’s own management.

In the article SAS 70 replacement: SSAE 16 (CSO Online, Security and Risk), CSO’s Bill Brenner takes a look at something that may strengthen the assurance SAS 70 was supposed to provide: its replacement, SSAE 16.