Domain 4: Compliance and Audit SAS 70 type II reports


xhee...@googlemail.com

Dec 18, 2009, 9:11:52 AM
to Cloud Security Alliance
For audit and compliance we are asking SAAS providers for SAS 70 type
II reports. Up to now most providers provided these reports.

We now have a SAAS provider that is charging us 395 euro for the
report. They claim this is common.

Does anybody have similar experience?
Could this be a way to hide vulnerabilities?

Erick Dahan

Dec 18, 2009, 10:26:53 AM
to cloudsecur...@googlegroups.com
I won't get into the benefits and limitations of SAS-70 reports and their subjectivity and limited scope,
but this definitely sounds suspicious, and I would not encourage paying for something you should be entitled to; it's absolutely ridiculous.

The worst I encountered was a provider providing a copy of the report only under NDA, and with good reason: several key control deficiencies were identified in the report.

Maybe this is not the company you should be dealing with.
--
Erick Dahan, CISA CISSP






Khürt Williams

Dec 19, 2009, 2:03:05 PM
to Cloud Security Alliance
I agree with Erick. I would be leery of any provider that required a
payment for the SAS 70 Type II report or forced an NDA on its client
regarding the content of the SAS 70 report. What are they hiding?

On Dec 18, 9:11 am, "xheem...@googlemail.com"

JayHeiser

Jan 11, 2010, 10:50:35 AM
to Cloud Security Alliance
Is your organization finding that SAS70 reports are providing enough
information for you to satisfactorily conclude that your SaaS
providers are meeting your standards for security, continuity, etc?

SAS70 was developed by auditors to facilitate the communication of
process efficacy information from a provider's auditor to the buyer's
auditor. It is explicitly not intended to address technical issues.

On Dec 18 2009, 9:11 am, "xheem...@googlemail.com"

Erick Dahan

Jan 11, 2010, 11:51:07 AM
to cloudsecur...@googlegroups.com
Hi Jay,

I find SAS-70 type 1/2 reports lacking in general. They are pretty subjective, limited in scope, and, as you mentioned, rarely effectively
address technical issues.

What is unfortunate is that there are limited reliable and cost effective certification schemes for many organizations to implement.

How many smaller SaaS providers can really afford the full brunt of an ISO/IEC 27001 certification? As a customer I would LOVE for all
my vendors to abide by the strictest requirements, but with the exception of a few huge players, there aren't that many.

I hope the CSA will promote/lead something reasonable that can be accommodated by vendors and provide reasonable assurance to
customers. The bar needs to be raised a little bit.


--
Erick Dahan, CISA CISSP

