Re: SAS70 Type II compliant colo providers - Chicago, IL

[Christopher Morrow <morrowc.lists () gmail com>]

On Tue, Sep 22, 2009 at 11:26 PM, Charles Mills <w3yni1 () gmail com> wrote:
> Hmm...the ones I've been involved with have to go through an
> independent third party audit to ensure that they are compliant.  The

the pci-is-good/sux (and sas-70 is-good/sux) discussion seems out of
nanog scope, to me... but really PCI compliance isn't the panacea,
heck I bet TJX was PCI compliant for some portions of the things owned
six ways to sunday in their breach. The same goes for the last 12
'major' breaches and information leaks.

No compliance doc/cert is going to save the day, only good ongoing
practices and vigilant administration is going to make it better.

That said did anyone actualy suggest a sas-70 colo in ORD?? VZB's
CHI10 facility used to be in this set, the OP might consider checking
with them... (though I recall CHI10 being 'full' or 'out of power',
but I'm sure that's changed/improved)

-Chris
(there was some effort a while back to sas-70 ceritfy most of the
ex-UU datacenters)

> independent auditor has to agree that they're practices are secure and
> satisfies the credit card company's security objectives.
> If it were that loose you'd see a lot more security breaches on the
> magnitude of the TJX breach.
>
> Chuck
>
> On Tue, Sep 22, 2009 at 8:53 PM, Jeffrey Lyon
> <jeffrey.lyon () blacklotus net> wrote:
> > Most of our customers just make up their own definition of PCI and
> > then demand that we help them adhere to it.
> >
> > Jeff
> >
> > On Tue, Sep 22, 2009 at 8:50 PM, Jay Farrell <jayfar () jayfar com> wrote:
> > > Yes, but with PCI compliance the powers that be (credit card
> > > companies) can actually fine you big bucks for being non-compliant.
> > >
> > > http://www.google.com/search?hl=en&source=hp&q=pci+compliance+fines&aq=f&oq=&aqi=g1g-m1
> > >
> > > http://www.pcicomplianceguide.org/pcifaqs.php#11
> > >
> > > Cheers,
> > > Jayfar
> > >
> > > On Tue, Sep 22, 2009 at 8:17 PM, Jeffrey Lyon
> > > <jeffrey.lyon () blacklotus net> wrote:
> > > > People buy SAS 70 compliant anything just because it's the latest
> > > > buzzword, kind of like PCI compliance.
> > > >
> > > > Jeff
> > > >
> > > > On Tue, Sep 22, 2009 at 7:52 PM, John Curran <jcurran () istaff org> wrote:
> > > > > On Sep 22, 2009, at 11:54 AM, Andy Ashley wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I would really appreciate any recommendations for SAS70 Type II compliant
> > > > > > colocation providers in Chicago, IL
> > > > >
> > > > > Andy -
> > > > >
> > > > >   As an FYI, SAS 70 Type II compliance means whatever that provider's "SAS
> > > > > 70 Type II" audit document states for controls, i.e. there is no specific
> > > > > requirements associated with SAS 70 Type II, only that you publish a
> > > > > documented set of management and security controls and then are audited for
> > > > > compliance against that list.  That may not be realized by the folks who've
> > > > > sent you to go get SAS 70 Type II compliant hosting, but is something that
> > > > > you probably want to keep in mind since little items like generators and
> > > > > door locks aren't necessarily included.
> > > > >
> > > > > /John
> > > >
> > > >
> > > >
> > > > --
> > > > Jeffrey Lyon, Leadership Team
> > > > jeffrey.lyon () blacklotus net | http://www.blacklotus.net
> > > > Black Lotus Communications of The IRC Company, Inc.
> > > >
> > > > Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
> > > > 21 to find out how to "protect your booty."
> >
> >
> >
> > --
> > Jeffrey Lyon, Leadership Team
> > jeffrey.lyon () blacklotus net | http://www.blacklotus.net
> > Black Lotus Communications of The IRC Company, Inc.
> >
> > Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
> > 21 to find out how to "protect your booty."