Service Providers Meet SAS 70
by Scott Brining
August 2008
Service providers and organizations must provide the highest levels of security when safeguarding client information and data. Security breaches and errors make headlines on a regular basis, often because the service provider involved could not demonstrate adequate, comprehensive control over client data.
As a colocation and hosting provider, it is imperative that Hosting.com implements safeguards to ensure effective controls are in place to protect and secure the data of our clients and, most importantly, their clients. For publicly traded companies, and for companies in the healthcare, financial services, and insurance sectors, security validation is often required by law.
In 2002, section 404 of the Sarbanes-Oxley Act made Statement on Auditing Standards No. 70 (SAS 70) certification more prevalent in American business, because it introduced a new process for reporting on the internal controls that underlie financial reporting. SAS 70 is the standard, set by the American Institute of Certified Public Accountants, that auditors use to evaluate the internal controls of organizations and businesses that provide a service.
SAS 70 certification focuses on policy and procedure, documentation, security infrastructure, access control, IT infrastructure, and management of company and customer assets, including the change management of company controls. The SAS 70 audit reviews and tests each of these controls with regulatory compliance in mind.
A business can have either a SAS 70 Type I certification, which verifies that a service provider has policies and procedures in place, or, going a step further, a SAS 70 Type II certification, which evaluates a period of history to confirm that these policies and procedures have been applied consistently and that each performs as expected. In other words, if a company states that it has policies in place, the SAS 70 Type II certification tests and proves that those policies are followed and work as they were designed to.
Increasingly, clients are demanding such certification from their service providers. Service providers are completing SAS 70 certifications as a way to streamline the audit process with their own clients. If each existing or potential client of a business wanted to schedule its own audit of these controls, the service provider would spend much of its time hosting audits rather than focusing on the services it provides.
Some of the reasons for seeking out SAS 70 Type II certified service providers have been covered. Additional benefits to clients include: cost savings when your own clients or prospects ask you for the certification (estimated at $5,000-$10,000 per request); an edge for fast-growing organizations over their competition, because their service is certifiably secure; and peace of mind that your service provider's policies and procedures have been tested to ensure the security of your data assets.
Hosting.com is entering its third year of SAS 70 Type II certification, and Hosting.com's auditor, Chilton & Medley, is registered as a qualified accounting firm with the Public Company Accounting Oversight Board. Chilton & Medley audits each of Hosting.com's data centers annually.