Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data…

The SAS 70 Charade

by Jay Heiser  |  July 5, 2010  |  4 Comments

SAS 70 is a) not a certification, b) not a standard, and c) isn’t meant to be applied the way it is being applied now. To be fair, all service providers are under huge customer pressure to provide SAS 70, but instead of explaining their security, continuity, and recovery capabilities in more appropriate terms, most vendors make the unfortunate decision to exaggerate the significance of their having undergone a SAS 70 evaluation.

Why should a potential customer accept SAS 70 as being proof of anything? They don’t know what was evaluated, who evaluated it, or what form the evaluation took. Even if the evaluation did look at design and build considerations, it was almost certainly a very small part of the overall assessment, and do you really want an accounting firm evaluating security architectures and encryption implementations?

4 responses so far

  • 1. Tweets that mention The SAS 70 Charade -- Topsy.com, July 5, 2010 at 1:09 pm

    [...] This post was mentioned on Twitter by R Ray Wang, Thomas Otter and Partnerpedia, Cal Braunstein. Cal Braunstein said: RT @rwang0 interesting point of view on SAS 70. RT @vendorprisey: http://bit.ly/9rpCoo SAS 70 put in its place. > SAS 70 – trust but verify [...]

  • 2. SAS 70 Auditor, July 5, 2010 at 3:04 pm

    SAS 70 is absolutely a standard. In fact, SAS stands for Statement on Auditing Standard and is number 70 in that collection of standards. Whether it “isn’t meant to be applied the way it is being applied now” is a drastic overstatement. Its use is auditor-to-auditor communication, and in that respect, it is being used as designed. Anyone that uses it for other purposes does so at their own risk, given that the opinion letter itself defines the authorized use and users of the report. Potential customers, by the way, are not authorized users of SAS 70 reports.

  • 3. Gartner walks into SAS 70 SNAFU - or does it? | ZDNet, July 6, 2010 at 12:15 pm

    [...] Heiser, research VP at Gartner has walked into something of a SNAFU. He says: SAS 70 is a) not a certification, b) not a standard, and c) isn’t meant to be applied [...]

  • 4. Cloud CISO, July 15, 2010 at 3:36 pm

    Even though Jay’s heading for this post comes across as negative, I could not agree more with the advice he is giving potential Cloud buyers (in his research paper on the same topic).

    SAS 70 as a “standard” is only the starting point at verifying your provider’s commitment to availability, confidentiality and integrity of your data.

    After recently attending a conference on Cloud technologies at InterOp, and being present at the FedRAMP kickoff in DC in May, it is clear that Cloud providers should be transparent in sharing their approach to security down to the control-level detail (1) where applicable to the customer’s use case / compliance requirements, and (2) in the context of a multi-tenant system architecture.

    SpringCM (a pure Cloud ECM provider) provides such information under an NDA agreement to our customers and is actively working towards our FedRAMP certification.