70: Service Organizations (SAS 70) was developed by the American Institute of Certified Public Accountants. [8] Thus, it still falls on the service organization's clients to determine whether the controls specified in the SAS 70 report cover all their expected security control requirements.

Derrick Rountree, in Security for Microsoft Windows System Administrators, 2011

SAS 70

A SAS 70 audit does not perform a gap analysis between the service organization's internal controls and a set of respected standard controls. [8] The important thing to note here is that an SAS 70 report will only provide analysis on the service organization's internal controls. SAS 70 is an audit performed by an independent certified public accountant (CPA) or firm, where the auditor issues an opinion on the internal controls of a service organization. However, you should keep in mind that SAS 70s are essentially marketing tools for the third party and they are generally written to convince you of how great that third party is. SAS 70s can provide useful information to reassure your organization that the third party has implemented at least some security controls. When the third party is asked a security-related question, the third party will usually refer their clients to their SAS 70, regardless of whether the answer is in the SAS 70 or not. 70 (SAS 70) is commonly used by third-party service providers to answer their client's questions regarding security.

Tony Flick, Justin Morehouse, in Securing the Smart Grid, 2011

SAS 70