SAS 70 and Information Security

This morning, I attended a networking meeting with colleagues of mine. It was a typical networking event where we went around the table and introduced ourselves. We mentioned our name and gave a quick elevator speech about our company. The last gentleman to tell about his company touted his company's services like everyone else, and then he said something that didn't sit well with me.

"We have a SAS 70, Type II certification which tells our clients that we are secure and that they can trust us with their information."

I wanted to stand up and scream "FOUL!", but business etiquette prevented me from doing so in this forum. I don't doubt that this guy represents a reputable company. Actually, we know that he does. We hear the claims of SAS 70 "certification" and information security all of the time. So many times, in fact, that we published a whitepaper about it. Too many people don't know any better and are being misled into thinking that a SAS 70 is something that it's not. We are going to borrow some content from our whitepaper for this article. If you yourself don't know what's wrong with this guy's statement, then you might have been duped like so many others.

People are confused about SAS 70s, and how they relate to information security.

Before you go much farther, consider some important facts. There are many misconceptions about what a SAS 70 is, and what a SAS 70 is not. Let's start out with what a SAS 70 is. SAS 70 is short for "Statement on Auditing Standards No. 70: Service Organizations". The SAS 70 was originally intended to provide "guidance on the factors an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions." The original guidance, provided by the American Institute of Certified Public Accountants (AICPA), was written in 1992, and the popularity of SAS 70s exploded after the passage of the Sarbanes-Oxley Act in 2002 ("SOX").

Over the years, the SAS 70 has transformed from an audit report of financial statements and internal controls of a service organization into a data security rubber stamp. SAS 70 was never designed to provide proof of compliance or assurance regarding confidentiality, integrity, and availability (the three tenets of information security). Although the AICPA has provided guidance on the correct use of the SAS 70, some service organizations are misrepresenting their compliance by marketing their SAS 70 report and implying that they are secure and compliant as a result.

What does a SAS 70 state about information security?

"It isn't a measure of security, it's a measure of financial controls," says Judith Sherinsky, a technical manager on the audit and test standards team at the American Institute of Certified Public Accountants (AICPA), which created SAS 70.

In a SAS 70 audit, the service organization being audited must first prepare a written description of its goals and objectives. A SAS 70 audit does not rate a company's security controls against a particular set of defined best practices, and because SAS 70 was meant to look at financial controls, a SAS 70 audit report may contain many items that are not at all related to information security.

The fact that a company has conducted a SAS 70 audit does not necessarily mean any of its systems are secure.
"SAS 70 is basically an expensive auditing process to support compliance with financial reporting rules like the Sarbanes-Oxley Act (SOX)," said French Caldwell, research vice president at Gartner. "Chief information security officers (CISOs), compliance and risk managers, vendor managers, procurement professionals, and others involved in the purchase or sale of IT services and software need to recognize that SAS 70 is not a security, continuity or privacy compliance standard."

Should companies use their SAS 70 audit report in marketing materials?

If we are to take AICPA's word for it, the answer is no.

The final document is "intended as an auditor-to-auditor report or a service organization report," says Amy Pawlicki, the AICPA's director of business reporting, assurance, and advisory services. "It's not a public-use report, and it's not something that can be used for marketing purposes."

Is there any such thing as SAS 70 "certified"?

No. There is no such certification.

"Many providers of traditional application hosting, SaaS and cloud computing are currently treating SAS 70 as if it were a form of certification, which it is not," said Jay Heiser, research vice president at Gartner. "Furthermore, some claim that SAS 70 addresses security, privacy and continuity, which is misleading. Instead, it is only a generic guideline for the preparation, procedure and format of an auditing report."
Is there a better option for addressing information security in your organization?

Of course there is.

For people who need to specifically address the multiple information security challenges facing their organizations, we recommend an independent information security (or risk) assessment. FRSecure has developed the Enterprise Information Security Assessment ("EISA") to address this need.

What is an FRSecure Enterprise Information Security Assessment ("EISA")?

The FRSecure EISA is a risk-based assessment of an organization's information security program. The EISA is:

* Comprehensive: risks are reviewed and reported upon in thousands of physical, administrative, and technical aspects of an organization.
* Standardized: the EISA is based upon and mapped to the ISO 27002 (17799:2005) standard, which ensures that best practices are incorporated into all reviews.
* Compliant: the review of compliance with all major industry and regulatory (GLBA, HIPAA, SOX, FERPA, and various state laws) requirements is built into the EISA.
* Functional: results are easily understood and recommendations are functionally sound.

Should I engage in a SAS 70 audit or an EISA?

Our recommendation is for you to consider your own motivations, goals, and objectives. If your intentions are to address information security needs, then an EISA is almost always going to be your best option.

Through an EISA:

* Your current information security controls are assessed for risk and compared with industry best practices,
* Information security goals and objectives are identified, and
* Plans are created to meet your information security goals and objectives.

The EISA is focused on information security, whereas the SAS 70 audit may not be.
Will a SAS 70 or an EISA be more valuable to my organization?

It depends on what you are trying to accomplish. An EISA will be more valuable to your organization if you want to understand how information security will provide value to your organization through reduced risk, improved efficiency, and a better educated workforce.

"Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a matter of suspicion when a vendor insists that it is," Mr. Heiser said. "Vendor claims to be SAS 70 certified indicate either ignorance or deception, neither of which is a good basis for trust."

According to Gartner, "By 2012, no customers of cloud providers will accept SAS 70 alone as proof of effective security and compliance."

Will a customer/partner organization accept an EISA in lieu of a SAS 70?

Most likely the answer is yes. Your customer/partner is almost solely concerned with how well your organization is protecting the information entrusted to you by them. We can easily demonstrate how an EISA provides much better assurance than does a typical SAS 70 audit. If you aren't sure, we suggest that you check with your customer/partner. We often help our clients communicate the advantages of performing an EISA versus a SAS 70 audit.

"SAS 70s should not be used to replace due diligence on a vendor's information security practices," says Shamla Naidoo, CISO at WellPoint. She says SAS 70 reports are best used primarily as a jumping-off point for validating security controls. "We need to use it for what it was designed for. It attests to adequate controls, not information security. Information security controls are much more granular, and you need to go deeper [than SAS 70]," she says.
About FRSecure

Formed in 2008, FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure helps clients understand, design, implement, and manage best-in-class information security solutions, thereby achieving optimal value for every information security dollar spent. Regulatory and industry compliance are built into all of our solutions.

For more information about FRSecure, visit us at http://www.frsecure.com.