Wednesday, November 2, 2011

CSA Goes Beyond SAS 70 and ISO 27001

SAS 70 is a set of self-defined certifications for the internal business controls of an organization: everything from how human resources handles backup checks to data backup, patch management, and client administration. However, it doesn’t specifically address issues affecting cloud-based services.

The issue is that one company’s SAS 70 certification isn’t the same as another’s: “You define the controls as the service provider and the auditor comes in and makes a judgment whether these controls are sufficient or not” with testing, says Chris Day, chief security architect at Terremark, a major cloud services provider, which holds a SAS 70 certification. “SAS 70 is very enterprise-specific: my SAS 70 is different from yours or IBM’s, for example. It’s difficult to know whether my SAS 70 is more comprehensive than yours, which would be troubling for something as complex as cloud security.” Day says that the PCI Security Standards Council (PCI) is actually a better standard for gauging data security, because it dictates a series of controls, how they should be implemented, and what level of logging should be deployed.

PCI is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

Source: https://www.pcisecuritystandards.org/index.shtml

Continues Day, “We have SAS 70, but it doesn’t necessarily tell the whole story. SAS 70 is a foundational certification.”

Reavis of the CSA says ISO 27001 is actually better for cloud services than SAS 70. “It’s more holistic and covers more ground,” he says. ISO 27001 specifies how an organization should handle its information security management, including security controls, risk assessment, and other issues.

However, like SAS 70, ISO 27001 is self-defined by each organization that uses the certification. “You can exclude from the certification some very important things,” Reavis says. Even so, he says, ISO 27001 makes the most sense for now: “We feel that until we can get a cloud security certification, ISO is a better interim step” because it’s broader than SAS 70, he says.

Source of Information: Implementing and Developing Cloud Computing Applications 2011

2 comments: on "CSA Goes Beyond SAS 70 and ISO 27001"

isocon said...
This comment has been removed by a blog administrator.
ISO 27001 Certification said...

We are providing the ISO 27001 awareness and ISO 27001 Audit training kit with more than 300 slides in ppt and trainer handouts for easy understanding by the client. In our kit, more than 350 audit questions on ISO 27001 are given to prepare the auditor's own ISO 27001 audit checklist for quick auditing of the system. Our product is editable and delivery is given by ftp download as per the demo given on our web site.
