[117652] in North American Network Operators' Group
Re: SAS70 Type II compliant colo providers - Chicago, IL
daemon@ATHENA.MIT.EDU (Charles Mills)
Tue Sep 22 23:27:33 2009
In-Reply-To: <16720fe00909221753o2fd18489sc39f12c5ee4f5356@mail.gmail.com>
Date: Tue, 22 Sep 2009 23:26:45 -0400
From: Charles Mills <w3yni1@gmail.com>
To: Jeffrey Lyon <jeffrey.lyon@blacklotus.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hmm...the ones I've been involved with have to go through an
independent third party audit to ensure that they are compliant. The
independent auditor has to agree that their practices are secure and
satisfy the credit card company's security objectives.
If it were that loose you'd see a lot more security breaches on the
magnitude of the TJX breach.
Chuck
On Tue, Sep 22, 2009 at 8:53 PM, Jeffrey Lyon
<jeffrey.lyon@blacklotus.net> wrote:
> Most of our customers just make up their own definition of PCI and
> then demand that we help them adhere to it.
>
> Jeff
>
> On Tue, Sep 22, 2009 at 8:50 PM, Jay Farrell <jayfar@jayfar.com> wrote:
>> Yes, but with PCI compliance the powers that be (credit card
>> companies) can actually fine you big bucks for being non-compliant.
>>
>> http://www.google.com/search?hl=en&source=hp&q=pci+compliance+fines&aq=f&oq=&aqi=g1g-m1
>>
>> http://www.pcicomplianceguide.org/pcifaqs.php#11
>>
>> Cheers,
>> Jayfar
>>
>> On Tue, Sep 22, 2009 at 8:17 PM, Jeffrey Lyon
>> <jeffrey.lyon@blacklotus.net> wrote:
>>> People buy SAS 70 compliant anything just because it's the latest
>>> buzzword, kind of like PCI compliance.
>>>
>>> Jeff
>>>
>>> On Tue, Sep 22, 2009 at 7:52 PM, John Curran <jcurran@istaff.org> wrote:
>>>> On Sep 22, 2009, at 11:54 AM, Andy Ashley wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I would really appreciate any recommendations for SAS70 Type II compliant
>>>>> colocation providers in Chicago, IL
>>>>
>>>> Andy -
>>>>
>>>> As an FYI, SAS 70 Type II compliance means whatever that provider's "SAS
>>>> 70 Type II" audit document states for controls, i.e. there is no specific
>>>> requirements associated with SAS 70 Type II, only that you publish a
>>>> documented set of management and security controls and then are audited for
>>>> compliance against that list. That may not be realized by the folks who've
>>>> sent you to go get SAS 70 Type II compliant hosting, but is something that
>>>> you probably want to keep in mind since little items like generators and
>>>> door locks aren't necessarily included.
>>>>
>>>> /John
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Jeffrey Lyon, Leadership Team
>>> jeffrey.lyon@blacklotus.net | http://www.blacklotus.net
>>> Black Lotus Communications of The IRC Company, Inc.
>>>
>>> Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
>>> 21 to find out how to "protect your booty."
>>>
>>>
>>
>>
>
>
>
> --
> Jeffrey Lyon, Leadership Team
> jeffrey.lyon@blacklotus.net | http://www.blacklotus.net
> Black Lotus Communications of The IRC Company, Inc.
>
> Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
> 21 to find out how to "protect your booty."
>
>