Regulatory Compliance, Governance and Security » co-location

SAS 70 Audits for Data Centers | Why the Trend will Continue

Charles Denyer — Mon, 28 Sep 2009 00:27:08 +0000

SAS 70 audits have quickly become a high priority for data centers, co-location entities and managed service providers as of late. And there are plenty of reasons why this trend will continue go grow. The number of organizations that have buried the client server architecture is growing every day, resulting in a huge surge for data centers. In fact, most quality data centers in the United States are having little or no challenges in filling up their data center floor space. From traditional ping, power and pipe to fully managed services, data centers are becoming a necessity for most businesses today. As a result of this, their respective compliance requirements will continue to expand also. From SAS 70 to PCI DSS, just to name a few, data centers are being hit hard with the regulatory compliance bug.

Add to the fact that many data centers are now physically housing sensitive health care and financial information for many of their clients. As such, client requests for the security, confidentiality and integrity of this data are being validated via SAS 70 Type II audits. This “trend” if you want to call it that, will become a mandatory requirement for any data center seeking to grow and prosper in the coming years.

Visit the official SAS 70 Resource Guide to learn more about SAS 70 Type I and Type II audits.

HIPAA Compliance for Data Centers | The How and Why

Charles Denyer — Fri, 25 Sep 2009 13:49:14 +0000

HIPAA compliance for data centers is fast becoming a hot topic in regulatory compliance. It first started with Statement on Auditing Standards No. 70 (SAS 70), it is now moving onto the Payment Card Industry Data Security Standards (PCI DSS) provisions, and how the Health Information Portability and Accountability Act (HIPAA) mandates may very well be next on the horizon.

In short, it is a string of compliance requirements that has and will continue to be had for data centers, co-location, and managed service entities. And why? Because these types of businesses are at the forefront of virtualization, cloud computing, hybrid clouds, software as a service (SaaS) platforms

So, if a data center undertakes a HIPAA assessment or audit, are they HIPAA compliant, do they get a HIPAA certificate, etc? The best way to answer that is an accounting firm would undertake an Agreed Upon Procedure (AUP) audit an the audit itself would test the requirements as stated in the HIPAA provisions. You would then end up with a data center that is compliant with these very provisions.

In subsequent blogs, i’ll discuss the scope of a HIPAA assessment/audit for a data center.

SAS 70 Audit and Compliance Tips for Data Centers

Charles Denyer — Fri, 08 May 2009 11:47:25 +0000

Learn more about SAS 70 audits for data centers by reviewing the step by step SAS 70 audit process. From beginning to end, a number of steps, activities, and deliverables must be undertaken for ensuring the audit is successful. From the initial SAS70 readiness questionnaire assessments to the delivery of the final audit report, both the CPA firm conducting the audit and the data center employees will be working together in a collaborative manner for the audit.

Follow this step by step process if you are a data center or co-location facility that will be performing a SAS 70 audit in the near future:

First and foremost, identify the scope of the SAS 70 audit. Though it sounds quite straightforward, every CPA firm approaches scope in a slightly different manner. When identifying scope, there are a number of items to keep in mind, such as the following: Does the scope of the audit satisfy your client’s demands? Does the scope of the audit conform to industry accepted standards for SAS 70 audits on data centers?

Once the scope has been identified, it’s critical to begin the planning process with the auditors. A series of planning meetings should include a discussion on the following items:

1. SAS 70 readiness questionnaire assessment and when it will be done (if deemed necessary).

2. Discussion of type of sampling that is conducted for the audit (this is important as auditors have varying views on the numbers and amounts done on audit sampling).

3. Discussion that identifies key personnel involved in the audit from both sides.

4. Discussion on what data center physical security controls will be included in the scope of the audit.

These are just some general parameters to get you going in the right direction.

If you want to learn more about SAS 70 audits, then visit the official SAS 70 resource guide, where you can obtain SAS 70 sample reports for review.

SAS70 Audit Reports for Data Centers |Important Facts to Know

Charles Denyer — Fri, 26 Sep 2008 17:33:49 +0000

SAS70 audits have quickly become a mainstay in the world of data centers, managed services and co-location entities, and this will no doubt continue to grow. This is happening for a large number of reasons, but primarily data centers (and any variant thereof, such as managed services, co-location entities with “ping, power and pipe”) are hosting and residing an ever growing and enormous amount of information for many service providers. These service providers are commonly being asked to be SAS70 Type II compliant. As such, the data centers used by these very service organizations are commonly included within the scope of the SAS70 audit.

And what should data centers take from this? A good idea would be to become SAS70 compliant, and here’s why.

1. SAS70 compliance help mitigate and possibly eliminate many of these specialized requests your clients are asking for in helping them facilitate their own SAS70 compliance.

2. It greatly helps with business development and marketing for data centers.

3. It helps unearth any weaknesses or deficiencies you may have within your control environment.

To learn more about SAS70 audits and data centers and to receive a complimentary SAS70 Type II audit report, visit the official SAS70 Resource Guide.