SAS70 And Information Security
This morning, I attended a networking meeting with colleagues of mine. It was a typical networking
event where we went around the table and introduced ourselves. We mentioned our name and gave
a quick elevator speech about our company. The last gentleman to tell about his company touted his
company's services like everyone else, and then he said something that didn't sit well with me.

"We have a SAS 70, Type II certification which tells our clients that we are secure and that they can
trust us with their information."

I wanted to stand up and scream "FOUL!", but business etiquette prevented me from doing so in this
forum. I don't doubt that this guy represents a reputable company. Actually, we know that he does. We
hear the claims of SAS 70 "certification" and information security all of the time. So many times, in fact,
that we published a whitepaper about it. Too many people don't know any better and are being misled
into thinking that a SAS 70 is something that it's not. We are going to borrow some content from our
whitepaper for this article. If you yourself don't know what's wrong with this guy's statement, then you
might have been duped like so many others.

People are confused about SAS 70s and how they relate to information security.

Before you go much farther, consider some important facts. There are many misconceptions about
what a SAS 70 is and what a SAS 70 is not. Let's start out with what a SAS 70 is. SAS 70 is short for
"Statement on Auditing Standards No. 70: Service Organizations". The SAS 70 was originally
intended to provide "guidance on the factors an independent auditor should consider when auditing
the financial statements of an entity that uses a service organization to process certain transactions."
The original guidance, provided by the American Institute of Certified Public Accountants (AICPA),
was written in 1992, and the popularity of SAS 70s exploded after the passage of the Sarbanes-Oxley
Act in 2002 ("SOX").

Over the years, the SAS 70 has transformed from an audit report of financial statements and internal
controls of a service organization into a data security rubber stamp. SAS 70 was never designed to
provide proof of compliance or assurance regarding confidentiality, integrity, and availability (the
three tenets of information security). Although the AICPA has provided guidance on the correct use of
the SAS 70, some service organizations are misrepresenting their compliance by marketing their
SAS 70 report and implying that they are secure and compliant as a result.

What does a SAS 70 state about information security?

"It isn't a measure of security, it's a measure of financial controls," says Judith Sherinsky, a technical
manager on the audit and test standards team at the American Institute of Certified Public
Accountants (AICPA), which created SAS 70.

In a SAS 70 audit, the service organization being audited must first prepare a written description of its
goals and objectives. A SAS 70 audit does not rate a company's security controls against a particular
set of defined best practices, and because SAS 70 was meant to look at financial controls, a SAS 70
audit report may contain many items that are not at all related to information security.

The fact that a company has conducted a SAS 70 audit does not necessarily mean any of its systems
are secure.

"SAS 70 is basically an expensive auditing process to support compliance with financial reporting
rules like the Sarbanes-Oxley Act (SOX)," said French Caldwell, research vice president at Gartner.
"Chief information security officers (CISOs), compliance and risk managers, vendor managers,
procurement professionals, and others involved in the purchase or sale of IT services and software
need to recognize that SAS 70 is not a security, continuity or privacy compliance standard."

Should companies use their SAS 70 audit report in marketing materials?

If we are to take the AICPA's word for it, the answer is no.

The final document is "intended as an auditor-to-auditor report or a service organization report," says
Amy Pawlicki, the AICPA's director of business reporting, assurance, and advisory services. "It's not a
public-use report, and it's not something that can be used for marketing purposes."

Is there any such thing as SAS 70 "certified"?

No. There is no such certification.

"Many providers of traditional application hosting, SaaS and cloud computing are currently treating
SAS 70 as if it were a form of certification, which it is not," said Jay Heiser, research vice president at
Gartner. "Furthermore, some claim that SAS 70 addresses security, privacy and continuity, which is
misleading. Instead, it is only a generic guideline for the preparation, procedure and format of an
auditing report."

Is there a better option for addressing information security in your organization?

Of course there is.

For people who need to specifically address the multiple information security challenges facing their
organizations, we recommend an independent information security (or risk) assessment. FRSecure
has developed the Enterprise Information Security Assessment ("EISA") to address this need.

What is an FRSecure Enterprise Information Security Assessment ("EISA")?

The FRSecure EISA is a risk-based assessment of an organization's information security program.

The EISA is:

* Comprehensive: risks are reviewed and reported upon across thousands of physical, administrative,
and technical aspects of an organization.
* Standardized: the EISA is based upon and mapped to the ISO 27002 (17799:2005) standard, which
ensures that best practices are incorporated into all reviews.
* Compliant: the review of compliance with all major industry and regulatory requirements (GLBA,
HIPAA, SOX, FERPA, and various state laws) is built into the EISA.
* Functional: results are easily understood and recommendations are functionally sound.

Should I engage in a SAS 70 audit or an EISA?

Our recommendation is for you to consider your own motivations, goals, and objectives. If your
intention is to address information security needs, then an EISA is almost always going to be your
best option.

Through an EISA:

* Your current information security controls are assessed for risk and compared with industry best
practices;
* Information security goals and objectives are identified; and
* Plans are created to meet your information security goals and objectives.

The EISA is focused on information security, whereas the SAS 70 audit may not be.

Will a SAS 70 or an EISA be more valuable to my organization?

It depends on what you are trying to accomplish. An EISA will be more valuable to your organization if
you want to understand how information security will provide value to your organization through
reduced risk, improved efficiency, and a better educated workforce.

"Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a
matter of suspicion when a vendor insists that it is," Mr. Heiser said. "Vendor claims to be SAS 70
certified indicate either ignorance or deception, neither of which is a good basis for trust."

According to Gartner, "By 2012, no customers of cloud providers will accept SAS 70 alone as proof
of effective security and compliance."

Will a customer/partner organization accept an EISA in lieu of a SAS 70?

Most likely the answer is yes. Your customer/partner is almost solely concerned with how well your
organization is protecting the information entrusted to you by them. We can easily demonstrate how
an EISA provides much better assurance than does a typical SAS 70 audit. If you aren't sure, we
suggest that you check with your customer/partner. We often help our clients communicate the
advantages of performing an EISA versus a SAS 70 audit.

"SAS 70s should not be used to replace due diligence on a vendor's information security practices,"
says Shamla Naidoo, CISO at WellPoint. She says SAS 70 reports are best used primarily as a
jumping-off point for validating security controls. "We need to use it for what it was designed for. It
attests to adequate controls, not information security. Information security controls are much more
granular, and you need to go deeper [than SAS 70]," she says.

About FRSecure

Formed in 2008, FRSecure LLC is a full-service information security consulting company dedicated to
information security education, awareness, application, and improvement. FRSecure helps clients
understand, design, implement, and manage best-in-class information security solutions, thereby
achieving optimal value for every information security dollar spent.

Regulatory and industry compliance are built into all of our solutions.

For more information about FRSecure, visit us at http://www.frsecure.com.
supply leadership

More Related Content

Viewers also liked

Presentation us gaap (q2 2014) +
Presentation us gaap (q2 2014) +Presentation us gaap (q2 2014) +
Presentation us gaap (q2 2014) +Sergey Takhiev
 
CEO MBUintelligence - Soluções de Gestão, Marketing Digital e Estratégia Empr...
CEO MBUintelligence - Soluções de Gestão, Marketing Digital e Estratégia Empr...CEO MBUintelligence - Soluções de Gestão, Marketing Digital e Estratégia Empr...
CEO MBUintelligence - Soluções de Gestão, Marketing Digital e Estratégia Empr...Ricardo Andorinho
 
Business Communications
Business CommunicationsBusiness Communications
Business Communicationsguest8e0b5f4d
 
Nlmk presentation q1 2015 (us gaap) 21 05 15
Nlmk presentation q1 2015 (us gaap) 21 05 15Nlmk presentation q1 2015 (us gaap) 21 05 15
Nlmk presentation q1 2015 (us gaap) 21 05 15Sergey Takhiev
 
Business communications with Scriptura Engage 8.0
Business communications with Scriptura Engage 8.0Business communications with Scriptura Engage 8.0
Business communications with Scriptura Engage 8.0Scriptura Engage
 
External Audit Plan Sept 2014
External Audit Plan Sept 2014External Audit Plan Sept 2014
External Audit Plan Sept 2014Kenneth Salvador
 
Journal entries
Journal entriesJournal entries
Journal entriesarunda67
 
Presentation q3 2014 (us gaap) eng nov 2014 +
Presentation q3 2014 (us gaap) eng   nov 2014 +Presentation q3 2014 (us gaap) eng   nov 2014 +
Presentation q3 2014 (us gaap) eng nov 2014 +Sergey Takhiev
 
The “internal audit” versus “external audit” in details
The “internal audit” versus “external audit” in detailsThe “internal audit” versus “external audit” in details
The “internal audit” versus “external audit” in detailsMohammad Wahid Abdullah Khan
 
The impact of information technology on external audit fees a field study i...
The impact of information technology on external audit fees   a field study i...The impact of information technology on external audit fees   a field study i...
The impact of information technology on external audit fees a field study i...Alexander Decker
 
Journal entries chinese cultural revolution
Journal entries chinese cultural revolutionJournal entries chinese cultural revolution
Journal entries chinese cultural revolutionnavy959
 
The Impact of Information and Communications Technologies on the Teaching of...
The Impact of Information and Communications  Technologies on the Teaching of...The Impact of Information and Communications  Technologies on the Teaching of...
The Impact of Information and Communications Technologies on the Teaching of...Hicham El Moueden
 
The importance of foreign languages
The importance of  foreign languagesThe importance of  foreign languages
The importance of foreign languagesBarnesc5
 
Cyber Security - The New Threats to Internal Controls
Cyber Security - The New Threats to Internal ControlsCyber Security - The New Threats to Internal Controls
Cyber Security - The New Threats to Internal ControlsDecosimoCPAs
 

Viewers also liked (17)

Presentation us gaap (q2 2014) +
Presentation us gaap (q2 2014) +Presentation us gaap (q2 2014) +
Presentation us gaap (q2 2014) +
 
NLMK Q2 2012 US GAAP
NLMK Q2 2012 US GAAP  NLMK Q2 2012 US GAAP
NLMK Q2 2012 US GAAP
 
E- maketplace, una estrategia empresarial exitosa
E- maketplace, una estrategia empresarial exitosaE- maketplace, una estrategia empresarial exitosa
E- maketplace, una estrategia empresarial exitosa
 
CEO MBUintelligence - Soluções de Gestão, Marketing Digital e Estratégia Empr...
CEO MBUintelligence - Soluções de Gestão, Marketing Digital e Estratégia Empr...CEO MBUintelligence - Soluções de Gestão, Marketing Digital e Estratégia Empr...
CEO MBUintelligence - Soluções de Gestão, Marketing Digital e Estratégia Empr...
 
Business Communications
Business CommunicationsBusiness Communications
Business Communications
 
Nlmk presentation q1 2015 (us gaap) 21 05 15
Nlmk presentation q1 2015 (us gaap) 21 05 15Nlmk presentation q1 2015 (us gaap) 21 05 15
Nlmk presentation q1 2015 (us gaap) 21 05 15
 
Business communications with Scriptura Engage 8.0
Business communications with Scriptura Engage 8.0Business communications with Scriptura Engage 8.0
Business communications with Scriptura Engage 8.0
 
External Audit Plan Sept 2014
External Audit Plan Sept 2014External Audit Plan Sept 2014
External Audit Plan Sept 2014
 
Journal entries
Journal entriesJournal entries
Journal entries
 
Presentation q3 2014 (us gaap) eng nov 2014 +
Presentation q3 2014 (us gaap) eng   nov 2014 +Presentation q3 2014 (us gaap) eng   nov 2014 +
Presentation q3 2014 (us gaap) eng nov 2014 +
 
The “internal audit” versus “external audit” in details
The “internal audit” versus “external audit” in detailsThe “internal audit” versus “external audit” in details
The “internal audit” versus “external audit” in details
 
The impact of information technology on external audit fees a field study i...
The impact of information technology on external audit fees   a field study i...The impact of information technology on external audit fees   a field study i...
The impact of information technology on external audit fees a field study i...
 
Journal entries chinese cultural revolution
Journal entries chinese cultural revolutionJournal entries chinese cultural revolution
Journal entries chinese cultural revolution
 
The Impact of Information and Communications Technologies on the Teaching of...
The Impact of Information and Communications  Technologies on the Teaching of...The Impact of Information and Communications  Technologies on the Teaching of...
The Impact of Information and Communications Technologies on the Teaching of...
 
IFRS for SMEs
IFRS for SMEsIFRS for SMEs
IFRS for SMEs
 
The importance of foreign languages
The importance of  foreign languagesThe importance of  foreign languages
The importance of foreign languages
 
Cyber Security - The New Threats to Internal Controls
Cyber Security - The New Threats to Internal ControlsCyber Security - The New Threats to Internal Controls
Cyber Security - The New Threats to Internal Controls
 

Similar to SAS70 And Information Security

IT Security and Risk Management - Visionet Systems
IT Security and Risk Management - Visionet SystemsIT Security and Risk Management - Visionet Systems
IT Security and Risk Management - Visionet SystemsVisionet Systems, Inc.
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?PECB
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliantDivya Kothari
 
PCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and RealityPCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and RealityAnton Chuvakin
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance reportBee_Ware
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report- Mark - Fullbright
 
Security as a Service flyer
Security as a Service flyerSecurity as a Service flyer
Security as a Service flyerScott Fields
 
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070retheauditors
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performanceAbhishek Sood
 
Cyber security audits and risk management 2016
Cyber security audits and risk management 2016Cyber security audits and risk management 2016
Cyber security audits and risk management 2016FitCEO, Inc. (FCI)
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119FitCEO, Inc. (FCI)
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119FitCEO, Inc. (FCI)
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119FitCEO, Inc. (FCI)
 
Cyber security audits and risk management 2016
Cyber security audits and risk management 2016Cyber security audits and risk management 2016
Cyber security audits and risk management 2016FitCEO, Inc. (FCI)
 
7 Things You Should Know About People Analytics
7 Things You Should Know About People Analytics7 Things You Should Know About People Analytics
7 Things You Should Know About People AnalyticsPixentia
 
Everything you wanted to know about compliance but were afraid to ask - GRC20...
Everything you wanted to know about compliance but were afraid to ask - GRC20...Everything you wanted to know about compliance but were afraid to ask - GRC20...
Everything you wanted to know about compliance but were afraid to ask - GRC20...Amazon Web Services
 
Introduction To SAQ 4 U
Introduction To SAQ 4 UIntroduction To SAQ 4 U
Introduction To SAQ 4 URAlcala65
 
BAI Security - Brochure - IT Security Assessment (Financial)
BAI Security - Brochure - IT Security Assessment (Financial)BAI Security - Brochure - IT Security Assessment (Financial)
BAI Security - Brochure - IT Security Assessment (Financial)Prahlad Reddy
 

Similar to SAS70 And Information Security (20)

IT Security and Risk Management - Visionet Systems
IT Security and Risk Management - Visionet SystemsIT Security and Risk Management - Visionet Systems
IT Security and Risk Management - Visionet Systems
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliant
 
Myths of PCI DSS
Myths of PCI DSSMyths of PCI DSS
Myths of PCI DSS
 
Information Security Statutory Compliance
Information Security Statutory ComplianceInformation Security Statutory Compliance
Information Security Statutory Compliance
 
PCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and RealityPCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and Reality
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance report
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report
 
Security as a Service flyer
Security as a Service flyerSecurity as a Service flyer
Security as a Service flyer
 
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performance
 
Cyber security audits and risk management 2016
Cyber security audits and risk management 2016Cyber security audits and risk management 2016
Cyber security audits and risk management 2016
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119
 
Cyber security audits and risk management 2016
Cyber security audits and risk management 2016Cyber security audits and risk management 2016
Cyber security audits and risk management 2016
 
7 Things You Should Know About People Analytics
7 Things You Should Know About People Analytics7 Things You Should Know About People Analytics
7 Things You Should Know About People Analytics
 
Everything you wanted to know about compliance but were afraid to ask - GRC20...
Everything you wanted to know about compliance but were afraid to ask - GRC20...Everything you wanted to know about compliance but were afraid to ask - GRC20...
Everything you wanted to know about compliance but were afraid to ask - GRC20...
 
Introduction To SAQ 4 U
Introduction To SAQ 4 UIntroduction To SAQ 4 U
Introduction To SAQ 4 U
 
BAI Security - Brochure - IT Security Assessment (Financial)
BAI Security - Brochure - IT Security Assessment (Financial)BAI Security - Brochure - IT Security Assessment (Financial)
BAI Security - Brochure - IT Security Assessment (Financial)
 

Recently uploaded

ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureFemke de Vroome
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Hiroshi SHIBATA
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastUXDXConf
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024Stephanie Beckett
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceSamy Fodil
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyUXDXConf
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon
 

Recently uploaded (20)

ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 

SAS70 And Information Security

  • 1. SAS70 And Information Security This morning, I attended a networking meeting with colleagues of mine. It was a typical networking event where we went around the table and introduced ourselves. We mentioned our name and gave a quick elevator speech about our company. The last gentleman to tell about his company touted his companys services like everyone else, and then he said something that didnt sit well with me. "We have a SAS 70, Type II certification which tells our clients that we are secure and that they can trust us with their information." I wanted to stand up and scream "FOUL!", but business etiquette prevented me from doing so in this forum. I dont doubt that this guy represents a reputable company. Actually we know that he does. We hear the claims of SAS 70 "certification" and information security all of the time. So many times in fact that we published a whitepaper about it. Too many people dont know any better and are being misled into thinking that a SAS 70 is something that its not. We are going to borrow some content from our whitepaper for this article. If you yourself dont know whats wrong with this guys statement, then you might have been duped like so many others. People are confused about SAS 70s , and how they relate to information security. Before you go much farther, consider some important facts. There are many misconceptions about what a SAS 70 is , and what a SAS 70 is not. Lets start out with what a SAS 70 is. SAS 70 is short for "Statement on Auditing Standards No. 70: service Organizations". The SAS 70 was originally intended to provide "guidance on the factors an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions." The original guidance , provided by the American institute of Certified Public accountants (AICPA) was written in 1992 , and the popularity of SAS 70s exploded after the passage of the Sarbanes-
Oxley Act in 2002 ("SOX"). Over the years, the SAS 70 has transformed from an audit report of financial statements and internal controls of a service organization into a data security rubber stamp. SAS 70 was never designed to provide proof of compliance or assurance regarding confidentiality, integrity, and availability (the three tenets of information security). Although the AICPA has provided guidance on the correct use of the SAS 70, some service organizations are misrepresenting their compliance by marketing their SAS 70 report and implying that they are secure and compliant as a result.

What does a SAS 70 state about information security?

"It isn't a measure of security, it's a measure of financial controls," says Judith Sherinsky, a technical manager on the audit and test standards team at the American Institute of Certified Public Accountants (AICPA), which created SAS 70.

In a SAS 70 audit, the service organization being audited must first prepare a written description of its goals and objectives. A SAS 70 audit does not rate a company's security controls against a particular set of defined best practices, and because SAS 70 was meant to look at financial controls, a SAS 70 audit report may contain many items that are not at all related to information security. The fact that a company has conducted a SAS 70 audit does not necessarily mean any of its systems are secure.

"SAS 70 is basically an expensive auditing process to support compliance with financial reporting rules like the Sarbanes-Oxley Act (SOX)," said French Caldwell, research vice president at Gartner. "Chief information security officers (CISOs), compliance and risk managers, vendor managers, procurement professionals, and others involved in the purchase or sale of IT services and software need to recognize that SAS 70 is not a security, continuity or privacy compliance standard."

Should companies use their SAS 70 audit report in marketing materials?

If we are to take the AICPA's word for it, the answer is no. The final document is "intended as an auditor-to-auditor report or a service organization report," says Amy Pawlicki, the AICPA's director of business reporting, assurance, and advisory services. "It's not a public-use report, and it's not something that can be used for marketing purposes."

Is there any such thing as SAS 70 "certified"?

No. There is no such certification. "Many providers of traditional application hosting, SaaS and cloud computing are currently treating SAS 70 as if it were a form of certification, which it is not," said Jay Heiser, research vice president at Gartner. "Furthermore, some claim that SAS 70 addresses security, privacy and continuity, which is misleading. Instead, it is only a generic guideline for the preparation, procedure and format of an auditing report."

Is there a better option for addressing information security in your organization?

Of course there is. For people who need to specifically address the multiple information security challenges facing their organizations, we recommend an independent information security (or risk) assessment. FRSecure has developed the Enterprise Information Security Assessment ("EISA") to address this need.

What is an FRSecure Enterprise Information Security Assessment ("EISA")?

The FRSecure EISA is a risk-based assessment of an organization's information security program. The EISA is:

* Comprehensive: Risks are reviewed and reported upon in thousands of physical, administrative, and technical aspects of an organization.
* Standardized: The EISA is based upon and mapped to the ISO 27002 (17799:2005) standard, which ensures that best practices are incorporated into all reviews.
* Compliant: The review of compliance with all major industry and regulatory (GLBA, HIPAA, SOX, FERPA, and various state laws) requirements is built into the EISA.
* Functional: Results are easily understood and recommendations are functionally sound.

Should I engage in a SAS 70 audit or an EISA?

Our recommendation is for you to consider your own motivations, goals, and objectives. If your intentions are to address information security needs, then an EISA is almost always going to be your best option. Through an EISA:

* Your current information security controls are assessed for risk and compared with industry best practices,
* Information security goals and objectives are identified, and
* Plans are created to meet your information security goals and objectives.

The EISA is focused on information security, whereas the SAS 70 audit may not be.

Will a SAS 70 or an EISA be more valuable to my organization?

It depends on what you are trying to accomplish. An EISA will be more valuable to your organization if you want to understand how information security will provide value to your organization through reduced risk, improved efficiency, and a better educated workforce. "Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a matter of suspicion when a vendor insists that it is," Mr. Heiser said. "Vendor claims to be SAS 70 certified indicate either ignorance or deception, neither of which is a good basis for trust." According to Gartner, "By 2012, no customers of cloud providers will accept SAS 70 alone as proof of effective security and compliance."

Will a customer/partner organization accept an EISA in lieu of a SAS 70?

Most likely the answer is yes. Your customer/partner is almost solely concerned with how well your organization is protecting the information entrusted to you by them. We can easily demonstrate how an EISA provides much better assurance than does a typical SAS 70 audit. If you aren't sure, we suggest that you check with your customer/partner. We often help our clients communicate the advantages of performing an EISA versus a SAS 70 audit.

"SAS 70s should not be used to replace due diligence on a vendor's information security practices," says Shamla Naidoo, CISO at WellPoint. She says SAS 70 reports are best used primarily as a jumping-off point for validating security controls. "We need to use it for what it was designed for. It attests to adequate controls, not information security. Information security controls are much more granular, and you need to go deeper [than SAS 70]," she says.

About FRSecure

Formed in 2008, FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure helps clients understand, design, implement, and manage best-in-class information security solutions, thereby achieving optimal value for every information security dollar spent. Regulatory and industry compliance are built into all of our solutions. For more information about FRSecure, visit us at http://www.frsecure.com.