SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070

SAS 70 In A Post- Sarbanes- Oxley, SaaS World Francine McKenna McKenna Partners LLC, for SpearMC Consulting (Booth #308)

Agenda  What is SaaS?  What is SAS 70?  Today’s environment  Security risks in a SaaS environment  ITGC  Q&A

Who is McKenna Partners LLC?  McKenna Partners LLC is a specialized boutique consulting firm, with expertise in Mexico and Latin America.  We focus on serving other professional services firms and industry in the area of internal control, IT governance. and compliance initiatives.  Francine McKenna, President, is also the author of the blog, re: The Auditors

Who is SpearMC?  SpearMC is a full-service consulting and technology services firm.  We focus on Oracle/PeopleSoft suite of applications.  The company was founded in 2001 by KPMG / BearingPoint alumni

In growing world of SaaS multi-tenancy and virtualized/shared computing resources, how are SAS 70 issues getting resolved?

It’s a bit out of date to just get a traditional data center SAS 70 certification when resources are being co-mingled across customers, and often hosted at a sub- contracted vendor...

Depending on SAS 70s for a real level of assurance in a SaaS environment is shortsighted. Do your applications have the controls needed to insure the integrity of financial reporting as well as support complex business needs?

Statement on Auditing Standards No. 70 (SAS 70) • An international auditing standard that enables businesses that provide services to other organizations to provide an independent, trustworthy account of their internal control practices.

Oracle and SaaS • Leading vendors have adopted the Oracle SaaS Platform for developing and delivering secure, scalable and easy to integrate Software as a Service offerings. • The move to SaaS or On-Demand presents several technical challenges for software vendors and hosting service providers. • ISVs have to support multi-tenancy, integration and customization. • Hosting service providers have to support scalability, performance, security, patching, service level management and billing.

SaaS vs. On-Demand • SaaS architectures generally can be classified as belonging to one of four quot;maturity levels,quot; whose key attributes are configurability, multi-tenant efficiency, and scalability. • SaaS means software. • On-Demand can mean anything - (bandwidth, computing power, storage, etc.)

Pre-SaaS • Level 1 - Ad-Hoc/Custom: Each customer has its own customized version of the hosted application and runs its own instance of the application on the host's servers. Reduces operating costs by consolidating server hardware and administration. (ASP model) • Level 2 - Configurable: Provides greater program flexibility through configurable metadata, so that many customers can use separate instances of the same application code. Vendor meets different needs of each customer through detailed configuration options, while simplifying maintenance and updating of a common code base. (Modified ASP) • Level 3 - Configurable, Multi-Tenant-Efficient: Adds multi- tenancy to the second level, so that a single program instance serves all customers. This approach enables more efficient use of server resources without any apparent difference to the end user, but ultimately is limited in its scalability. (Standardized ASP or Software On-Demand)

True SaaS • Level 4 - Scalable, Configurable, Multi- Tenant-Efficient: At the fourth and final SaaS maturity level, scalability is added through a multi-tier architecture supporting a load- balanced farm of identical application instances, running on a variable number of servers. The system's capacity can be increased or decreased to match demand by adding or removing servers, without the need for any further alteration of application software architecture.

What is the implication for SAS 70? • In an ASP, the vendor hosts your application controls in their ITGC environment. Do they maintain your app controls and meet your standards on ITGC? • In a pure SaaS with standardized instance, you accept the vendor’s application and ITGC and controls. Do they meet your standards?

Who performs a SAS 70 “audit” • A SAS 70 audit is performed by an independent auditor and results in a SAS 70 report, provided by service provider to its customers and clients for use when they themselves are audited.

Current uses and objectives of SAS 70s • SAS 70 is not a law, but an auditing and disclosure standards in various jurisdictions around the world such as Sarbanes-Oxley in the United States. This means up-to-date SAS 70 reports are a de facto requirement for any business that provides IT services to other businesses.

Due diligence therefore requires that you not only request a SAS 70 report from a prospective SaaS provider, but that you examine it thoroughly to determine whether the provider will be able to comply with your own internal standards for privacy, data security, and so on. The earlier you start this conversation, the better.

What purpose does a SAS 70 report serve? • All SaaS providers should be prepared to provide SAS 70 reports. • Not a stamp of approval. • No minimum standards. • A SAS 70 report documents internal control practices of an organization, without offering any judgment as to whether they are satisfactory. This is up to the user organization.

Customers must tell providers which controls are important and what standards are expected. • Example: If local privacy laws require your customers' personal financial data be stored in encrypted form at all times, a SAS 70 report will document whether the provider's own data- storage practices will enable the customer to be in compliance with the law.

SaaS providers should be prepared to answer questions from potential customers during demos/evaluations. They often point to controls to be expected later and attested to by SaaS provider’s auditor.

IT General Controls - The Auditors Bottom Line • The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope. • 2007 SOX guidance from the PCAOB and SEC state that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed. • Scoping decision part of entity's SOx top-down risk assessment. Statements on Auditing Standards 109 (SAS109) discusses the IT risks and control objectives pertinent to a financial audit.

IT General Controls • Control Environment, or those controls designed to shape the corporate culture or quot;tone at the top.” • Change management procedures - controls designed to ensure changes meet business requirements and are authorized. • Source code/document version control procedures - controls designed to protect the integrity of program code • Software development life cycle standards - controls designed to ensure IT projects are effectively managed. • Security policies, standards and processes - controls designed to secure access based on business need.

More IT General Controls • Incident management policies and procedures - controls designed to address operational processing errors. • Technical support policies and procedures - policies to help users perform more efficiently and report problems. • Hardware/software configuration, installation, testing, management standards, policies and procedures. • Disaster recovery/backup and recovery procedures, to enable continued processing despite adverse conditions.

Where’s my data? •Due to compliance and data privacy laws in many countries, knowing data locality is critically important to meeting compliance requirements. •With cloud computing and Saas, issue is a challenge. You often don’t know where data is being stored or where application is really being run. •“Don’t worry. Be happy.”

Separate but equal - data segregation • Multi-tenancy is a SaaS advantage, but mixing my data with my competitors is icky. • Users must never see data they are not authorized to see. • My data should never be seen by other customers, especially competitors.

Right user, right time - Data access • You know how to protect data from unauthorized access within your organization. Roles, responsibilities, access, and authorization policies and procedures controlled within most IT organizations. • Saas providers must be able to reassure regarding access, authorization, activity monitoring and segregation of duties.

Who is watching and how? • Log management and security information and event management solutions readily available for internal IT. • Access logs are critical to compliance, operations and security. SaaS providers should provide logs as part of normal service.

Who are you? Why are you here? Authentication and authorization. •Many companies have designed IT infrastructure so all authentication, goes through single application such as Active Directory. •If user credentials stored in SaaS provider databases, controls must be in place for removing/disabling/editing accounts. •Could insist on delegation of authentication process to your LDAP/AD server to maintain control if provider’s controls not up to internal standard.

Too much of a good thing? Web Application Security •SaaS applications have to be used and managed over the web (in a browser.) How secure is your provider’s web application from breaches such as hacking? •Verizon says 59% of breaches are due to hacking. Maybe SaaS providers should start considering providing something similar to what PCI DSS has required of merchants.

The Enemy Within - Data breaches from insiders •Responsibility for segregation of duties and access authorization still falls on customers, not providers when data is on the cloud. •Take into consideration provider employees. They have access to even more info and a single incident exposes info from many customers. •Example: Soc Gen - All IT controls implemented by IT management, but no one was monitoring.

PCI DSS - Not Optional •SaaS providers must be compliant with PCI DSS in order to host merchants that are required to comply. •Similar non-negotiable requirements for other industries such as financial services or health care.

Sources • Tough Security Questions For SaaS Providers Part 1 and 2 at the Blog for Loglogic.com • Wikipedia Information Technology Controls entry (from COBit) • Wikipedia entry on Software as a Service • ISACA - The Information Systems Audit and Control Association

Questions

SpearMC Education Sessions:  Now that SOX is behind us. What about SAS70? – Session 52070 on Thursday 12/4/08 – Utopia D from 8:30 – 9:30  Project Costing and Workflow at Transunion – Session 51850 on Thursday 12/4/08 – Nirvana B from 1:30 – 2:30  Advanced PeopleSoft Financial Security Reporting – Session 52060 on Friday 12/5/08 – Nirvana B from 8:30 – 9:30

Contact Information  Francine McKenna, President, McKenna Partners LLC fmckenna@mckennapartners.com  Marcus Bode, Principal, SpearMC mbode@spearmc.com  David Pigman, Tech Specialist, SpearMC dpigman@spearmc.com  Millie Babicz, Financials Specialist, SpearMC mbabicz@spearmc.com

SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070

by retheauditors on Dec 03, 2008

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 14

Statistics

SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070 — Presentation Transcript

http://www.slideshare.net	13
http://localhost	1