Response to Question about SAS 70 Objectives

By Pete Boden, GM, Online Services Security & Compliance, Global Foundation Services

Following our posting further below we received a question about what the objectives were for our SAS 70 certification. Here's our response:

The Global Foundation Services (GFS)-managed online operating environment is required to meet a number of government-mandated and industry security requirements, many of which require a periodic review to validate that compliance is being maintained. These are in addition to our business requirements. The GFS Online Services Security and Compliance team operates a comprehensive security program and control framework that is evaluated regularly by external parties. The ISO standard is the foundation of our program. While the ISO/IEC 27001:2005 certification standard includes about 150 security controls for our scope, we have increased our security controls to 291 at this point. The reason we’ve done this is to account for the uniqueness of the cloud infrastructure and risk management. In addition, the security program and capabilities are subject to a SAS 70 Type II review. The ISO certification and SAS 70 Type II attestation demonstrate Microsoft’s commitment to delivering a trustworthy cloud computing infrastructure.