Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, IT audit, SAS 70
I noticed a recent post on the boards questioning the value of SAS 70 Reports. Given that I do about 15 a year, I thought I’d venture an answer to that question.
First, it’s important to understand what a SAS 70 is NOT:
It’s not a checklist;
It’s not a certification;
It’s not a security assessment;
In fact, it doesn’t do a thing for your network security, except, perhaps, inadvertently. It does not directly attest to the quality of your network security, either; that’s not its function.
And only a certified public accounting firm can do one, because a certified public accountant must sign off on the report.
So what CAN such a report do for your organization, and why? Are your customers constantly asking for one? Are you losing business because you don’t have one?