Friday Thought: What does SAS 70 really mean?

When talking about the security of cloud solutions, we often mention that Google Apps is SAS 70 Type II certified. While it sounds impressive, what does it really mean?

SAS 70 is an accounting audit standard for operational policies and procedures.  To achieve certification, you …

  1. Must have best-practice policies and procedures in place
  2. Must be able to prove that you follow policies and procedures
  3. Must have an independent 3rd party audit your operations on a regular basis to validate the policies and procedures and verify that they are followed.

SAS 70 Type II reflects a level of certification for data center and IT operations that includes:

  • Physical security of buildings and data centers
  • Logical security (network, systems, data, etc.)
  • Privacy
  • Incident management and availability
  • Change management
  • Organization (roles and responsibilities)
  • Administration (personnel, documentation, funding, etc.)

So while it sounds impressive, SAS 70 Type II certification really is impressive!

Most businesses cannot or choose not to incur the cost and effort to achieve SAS 70 Type II certification for their internal systems.  With the certification, Google is confirming the security and safety of your data continuously at a level that likely exceeds the security of your in-house networks and systems.