Data centers are increasingly being called upon to be SAS70 Type I or Type II compliant. This stems primarily from the rapid growth of compliance legislation, along with the advent of many industries, particularly Software as a Service (SaaS), that require services from data centers and co-location entities. Moreover, today’s data centers provide a wide array of services, and clients using these services often have to adhere to regulatory compliance mandates as well. Ultimately, this has a downstream effect that places data centers on the compliance radar, with SAS70 audits commonly being the default compliance tool used for evaluating their internal control structure.
Additionally, because no two SAS70 audits are truly identical, and because a SAS70 audit should be customized to reflect specific industry needs, it’s important to note what is considered an acceptable baseline scope for SAS70 audits on data centers. For purposes of scope, the areas of executive tone, human resources, incident management, change management, logical security, network security, physical security, environmental security, and computer operations form the basis of the audit. Please keep in mind that this is a generally accepted scope, which can increase or decrease based primarily on what is driving the requirements for the audit itself.
To gain a greater understanding of your organization’s SAS70 needs, it would be helpful to learn what SAS70 is and to obtain SAS70 sample reports, which are an excellent tool for learning more about this type of audit.