Slashdot Mirror


Do Data Center Audits Mean Anything?

1sockchuck writes "Data center service providers often tout certifications such as SAS 70, SSAE 16 and SOC 2 as evidence that they meet lofty operational standards. But some of these certifications are based on self-defined standards, and the entire situation is confusing and frustrating to customers, according to one critic, who says data center shoppers are poorly served by the jumble of acronyms and standards. Do these certifications matter when users are seeking data center space? Should they?"

2 of 84 comments

  1. Uses for Audits/Certifications by ackthpt · · Score: 4, Insightful
    • Waving in face of prospective customers - 'Yes, we certainly have a certificate of certification granting certitude!'
    • Finding things you actually did right
    • Finding things you need to fix or wallpaper over
    • Creating gainful employment for auditors, certifiers, pencil pushers, paper shufflers and rubber stampers.
    • Sell more seminars and books for a certification industry
    • Influence government to require certain certifications to keep an industry of auditing and certification on the gravy train for years
    • Give significantly less benefit to people who disagree with the need for dubious audits and/or certifications.
    --

    A feeling of having made the same mistake before: Deja Foobar
  2. If you want security and reliability... by jafo · · Score: 4, Insightful

    Security and reliability are processes; they are not something you can do once and then forget about. So, yes, I would say that having regular audits is a useful thing. As far as whether these specific standards are useful, the facility we have most of our servers in, we have been in since before their SAS 70 audit, and their procedures were good before, but there's a noticeable improvement after. Things like a man-trap with a live security person comparing you with your on-file photo before you enter the raised floor, 2-factor auth on all doors rather than just on the key doors, maintenance lock-outs displayed more prominently, EPOs installed (not a benefit to me, but they did put alarmed doors around the EPOs to prevent the common problems).

    As far as it being "based on self-defined standards", I'm ok with that. I'm ok with the requirement being that they *HAVE* standards for certain things rather than dictating what exactly those standards are. One size does not fit all, but having standards for what you do, I have found in my own business, improves quality.