SAS 70? ISO 27001? PCI? The Big Overview
By Sune Christesen, Sep 8 2010
It is very common for companies to require that their colocation or managed service providers are certified according to one or more standards, so that they can reasonably expect their data to be in good hands. Some industries are even required by law to demand specific standards from the providers they choose, which is why compliance with these standards is important for enterprise-oriented service providers.
There are a number of different standards, though, commonly used for different purposes, so it can be quite a jungle if you are new to this. In this post we will go over some of the most common standards and certifications you might come across in the data center industry. We will only touch on each standard very briefly to give an overview, so if you would like to know more about them you will have to dig deeper on your own via the links included.
SAS 70
SAS 70 (Statement on Auditing Standards No. 70) is an auditing standard by the AICPA (American Institute of Certified Public Accountants) from 1993, under which an independent auditor evaluates a service provider's controls and produces a report based on that evaluation. SAS 70 is the most common standard you will encounter in the US, but unfortunately it is often misunderstood as a general stamp of approval that guarantees everything is secure and every procedure is perfect.
Choosing a provider who is SAS 70 audited guarantees nothing of the sort: a SAS 70 audit does not necessarily cover all relevant topics (the provider chooses what they would like to have audited), and the report may contain remarks about procedures etc. that are not properly designed. Even in that case the company would still be able to say that it is SAS 70 audited, which is why the mere fact that a company is SAS 70 audited is no guarantee of anything. The only real assurance in SAS 70 lies in the actual content of the SAS 70 report, so there is no point in simply requiring that a service provider is SAS 70 audited without reviewing the SAS 70 report thoroughly.
There are two types of SAS 70 auditor reports (Type I and Type II). Type I is limited to the auditor's opinion on the service provider's description of its controls and their relevance to the service provider's control objectives, whereas Type II audits are extended to also cover how the controls actually operate over a period of time, rather than just evaluating them on paper.
ISO 27001
ISO 27001 is an ISMS (Information Security Management System) standard by ISO and IEC from 2005 (therefore also referred to as ISO 27001:2005), evolved from the British Standard BS 7799, for managing information security. ISO 27001 is used in conjunction with other standards from the ISO 27000 family, such as ISO 27002, which contains guidelines to audit against.
Even though ISO 27001 is an international standard, SAS 70 is often preferred by US service providers, while in Europe, for example, ISO 27001 is the commonly used standard. The ISO standard is also used in the US, though, as it has the advantages of being international and of being more specific, with a formal set of requirements; this gives more assurance that a provider has been audited on specific things (unlike SAS 70, which, as mentioned, leaves it up to the provider to choose what to be audited on).
PCI DSS
The PCI DSS (Payment Card Industry Data Security Standard) was created by the credit card companies (VISA, MasterCard etc.) to ensure that credit card data is properly handled and secured. Even though it is the merchant or PSP (payment service provider) handling credit card transactions that needs to be PCI certified, the standard also places requirements on the physical facilities, so the data center they are located in needs to be compliant as well. This includes access control, surveillance, procedures for visitors etc., to limit who has access to the equipment that handles and stores transaction-related data.
Tier Standard
The Tier Standard from the Uptime Institute was developed specifically for data centers, evaluating them on a set of fixed benchmarking points and then placing them in a category from 1 to 4 that reflects their operational sustainability (Tier 4 being the best). In addition to the number, a tier certification also includes a rating of Bronze, Silver or Gold depending on the characteristics of the company and facility certified.
The Tier Standard is very well known within the industry, and a lot of clients as well as providers use its terminology. Even though a lot of clients require, for example, a minimum of Tier 3 and a lot of providers claim to operate a Tier 3 facility, very few providers actually choose to get certified according to the standard by the Uptime Institute.
HIPAA
HIPAA (Health Insurance Portability and Accountability Act) was enacted by the US Congress in 1996 to ensure the protection of, for example, medical records of US consumers. HIPAA compliance is therefore required when storing and processing medical data in the US, and failing to comply can result in fines if you handle such data.
HIPAA covers various subjects that need to be taken care of, under topics such as administrative safeguards, technical safeguards and physical safeguards, but without defining how they should be taken care of (for example, it requires that an organization implement policies and procedures to limit physical access and ensure that only authorized access is allowed, but does not specify how large an effort should be put into this).
LEED System
The LEED system (Leadership in Energy and Environmental Design) was designed by the US Green Building Council and introduced in 1998, and unlike the other standards above it has nothing directly to do with operations or security. A LEED certification functions as a third-party evaluation of how energy efficient a building is, which some data center developers choose to certify against because of the strong focus on efficiency and green data centers. When certified, buildings are placed within one of four categories (Certified, Silver, Gold and Platinum) depending on how many points they score in the evaluation – the higher the score, the more energy efficient the building is.
Conclusion
Obviously there are a ton of other standards and regulations out there, for example SSAE 16, a new upcoming standard that will function as a replacement for SAS 70, and ISAE 3402, a new international standard designed to streamline the various national standards under one international standard (such as the American SSAE 16, German IDW PS 951, Canadian CICA 5970, British AAF 01/06, Australian GS 007 etc.). SSAE 16 and ISAE 3402 are definitely standards we will be seeing more of in the future, but for now the standards listed in this post are probably the ones you are most likely to meet in the data center industry.
To sum them up, you could say that SAS 70 and ISO 27001 are the most "general" standards in use. PCI compliance and HIPAA, on the other hand, are more industry-specific standards, while the Tier Standard focuses specifically on data centers' operational sustainability and the LEED system on the energy efficiency of buildings. So it is not really possible to draw any overall conclusion about the various standards, as they were designed for different purposes and therefore have different methods of achieving their goals.
As a result, you will often see data centers promote themselves as being certified, audited or compliant according to more than one standard, as what customers require varies from customer to customer – and of course it always looks good if you meet a standard that your competitors do not.
Now I am no expert on this subject, so if you have any corrections or comments – feel free to put in your two cents.