Vetting back-up services: Meet SAS 70

A>s I write, my last column on back-up services has been posted only three days, but responses already are coming from services vendors.

While I've not yet heard from my "placeholder" company, LiveVault, a competitor wrote immediately, seconding my focus on security - and upping the ante:

"You raise an excellent point in your Network World column about identity theft, data security and backup. Security needs to be addressed on both sides of the remote back-up equation. That's why Arsenal Digital Solutions, a competitor of LiveVault's, certified that its storage management services meet the Statement on Auditing Standards No. 70 Type II."

That's "SAS 70" - and I'd not heard of it before. The writer, David Resnic, anticipated this and offer a paragraph to help me (and probably you) get a handle on it.

"In case you're not aware, SAS 70 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). An SAS 70 audit or service auditor's examination is widely recognized because it signifies that a service organization has been through an in-depth audit of their control activities, which generally include controls over IT and related processes. In today's global economy, service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act make SAS 70 audit reports even more important to the process of reporting on effective internal controls at service organizations."

So now that I've known about SAS 70 for more than 72 hours, I can say that having SAS 70 is better than not having it. But more than that is a stretch at this point. SAS 70 is, in a word, overwhelming. A Google search brings up more than 2 million results.

Scanning some of the results starts you down the path of trying to understand the subtleties. For example, does your prospective vendor have a "Type I" or a "Type II" certification? And what does each mean?

One site compares SAS 70 with "SysTrust." Promulgated by AICPA, SysTrust appears to embody a set of principles, criteria that can be offered through AICPA members. If you have a day or so to spend browsing, visit this page .

So one silver bullet turns into two silver bullets. Which is the better certification? Finding that out is no easy task.

For the ubiquity of SAS 70, it didn't take long to find an industry article finding fault with it. An article on last year, "Stuck in the SAS 70s ," notes that SAS 70 was finalized in 1993 and that unnamed critics say it needs a "major overhaul." SysTrust, on the other hand, lists April 2003 as the date that the program was last updated - an eon in tech time.

If you work for a large company and you're thinking of outsourcing, it looks as though it is time to get to know those exciting people over there in the auditing and compliance part of the company.

But what are small companies to do? The small to midsize business customer with minimal IT support will find back-up services most appealing. Yet this same customer will have neither the time nor expertise to become familiar with the arcane aspects of things such as SAS 70.

We can only hope the industry itself takes on the task of education - and we don't end up with a new version of FUD wars.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2005 IDG Communications, Inc.