Advertisement
Check these out next
Data Center Audit Standards
Nov. 9, 2014•0 likes•5,510 views
1 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Data & Analytics
Primer on audit standards for data centers.
Keyur ThakoreFollow
Senior Manager, Product Management & DeliveryAdvertisement
Advertisement
Advertisement
Recommended
New ISO 20000-1:2018 Changes, Implementation StepsIntegration Technologies Group Inc
ISO 27001:2022 What has changed.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
ISO 27001n|u - The Open Security Community
Presentation on iso 27001-2013, Internal Auditing and BCMShantanu Rai
Iso 27001 2013 Standard RequirementsUppala Anand
Isms awareness presentationPranay Kumar
Data Center Audit Standards
- Data Center Audit Standards Keyur Thakore
- Audit Standards Reasoned Insights 2 The standard logos are registered trademarks of their respective organizations.
- AUDIT STANDARDS - AICPA Reasoned Insights 3
- AICPA SAS 70 •American Institute of Certified Public Accountants Statement on Auditing Standards No. 70 audit, often referred to as SAS 70 audit, was first introduced in 1992. •The SAS 70 audit is meant to measure internal controls over financial reporting. •The SAS 70 audit has been one of the primary means used by data center operators to measure their technical processes around security and assure businesses of its data security practices. 4 Reasoned Insights
- AICPA SAS 70 •The SAS 70 audit, according to the AICPA, was never intended to be used by data centers to verify security. •The SAS 70 audit report was never intended to be a “certification”, rather a measure of whether a data center operator adheres to the controls it has established for itself. •The SAS 70 audit requires that the operators develop their own control framework, and then audit their security controls to report back to the customers. 5 Reasoned Insights
- AUDIT STANDARDS - SSAE Reasoned Insights 6
- SSAE 16 •In 2011, AICPA introduced the Statements on Standards for Attestation Engagements No. 16 (SSAE 16) for reporting on controls at services organizations including data centers. •SSAE 16 is the next generation of AICPA auditing standards, that goes beyond SAS 70 by requiring the auditor to obtain a written report regarding the design and operating effectiveness of the controls being reviewed. •An audit that is conducted under the SSAE 16 will result in a Service Organization Control (SOC) report. 7 Reasoned Insights
- SOC 1 Report •A Service Organization Control (SOC) 1 report is produced upon the completion of an SSAE 16 audit. •SOC 1 reports are focused on internal controls over financial reporting. •SOC 1 reports are restricted use reports intended only for existing customers, not prospective customers or the general public. •SOC 1 report is available as Type 1 or Type 2 report: Type 1 reports is auditors’ opinion on the accuracy and completeness of management’s description of the system or service as of a specific date. Type 2 report audits the operating effectiveness of the controls throughout a declared time period, generally between six months and one year. 8 Reasoned Insights
- SOC 2 Report •A SOC 2 report is intended to provide assurance about controls related to: 1) security, 2) availability, 3) processing integrity, 4) confidentiality and 5) privacy of a system and its information. •A SOC 2 report is based on pre-defined controls criteria contained in the AICPA Trust Services Principles and Criteria. Thereby it offers a standard benchmark by which two data center audits can be compared against the same set of criteria. •SOC 2 audit requires a minimum reporting period of six months, thereby requiring at least six months of data showing the company has met its control objectives. •SOC 2 reports are seldom released publicly, typically distributed under an NDA to customers and prospects alike. 9 Reasoned Insights
- SOC 3 Report •A SOC 3 report is intended for general release and includes a summary opinion regarding the effectiveness of the controls in place at the data center or service organization. •A SOC 3 report provides the same level of assurance about controls over security, availability, processing integrity, confidentiality and/or privacy as a SOC 2 report, however it does not contain the detailed description of the testing performed by the auditor. •A SOC 3 seal is designed to be published on the service provider’s website, or in some similar fashion. It assures users that the data center meets the stringent certification demands laid out by the trust services criteria. 10 Reasoned Insights
- AUDIT STANDARDS - PCI Reasoned Insights 11
- PCI DSS •Payment Card Industry (PCI) Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. •Payment Card Industry (PCI) Data Security Standard (DSS) are a set of guidelines, intended to alleviate vulnerabilities and protect cardholder data, for all entities that store, process or transmit cardholder data. •The latest PCI Security Standards, v2.0, were published in October 2010. 12 Reasoned Insights
- PCI DSS •PCI Security Standards Council administers PCI DSS and related security standards. •PCI DSS follows common sense steps that mirror best security practices. There are three ongoing steps for adhering to the PCI DSS1: Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data. Remediate — fixing vulnerabilities and not storing cardholder data unless you need it. Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with. 13 Reasoned Insights 1 - PCI DSS Quick Reference Guide.
- PCI DSS Requirements Goals PCI DSS Requirements Build and Maintain a Secure Network Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Use and regularly update anti-virus software or programs Develop and maintain secure systems and applications Implement Strong Access Control Measures Restrict access to cardholder data by business need to know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an Information Security Policy Maintain a policy that addresses information security for all personnel 14 Reasoned Insights
- PCI DSS PCI Data Security Standard (DSS) •The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. •PCI DSS covers technical and operational system components included in or connected to cardholder data. •The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN – the primary account number printed on the front of a payment card. •Merchants and any other service providers involved with payment card processing must never store sensitive authentication data after authorization. This includes sensitive data that is printed on a card, or stored on a card’s magnetic stripe or chip – and personal identification numbers entered by the cardholder. 15 Reasoned Insights
- PA-DSS Payment Application Data Security Standard (PA-DSS) •The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement. •Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. PCI lists validated applications on its website. 16 Reasoned Insights
- PCI DSS Compliance Report1 Template information contained in PCI DSS Report on compliance: 1. Executive Summary (description of entity’s payment card business; high level network diagram) 2. Description of Scope of Work and Approach Taken (description of how the assessment was made, environment, network segmentation used, details for each sample set selected and tested, wholly owned or international entities requiring compliance with PCI DSS, wireless networks or applications that could impact security of cardholder data, version of PCI DSS used to conduct the assessment) 3. Details about Reviewed Environment (diagram of each network, description of cardholder data environment, list of all hardware and software in the CDE, service providers used, third party payment applications, individuals interviewed, documentation reviewed, details for reviews of managed service providers) 4. Contact Information and Report Date 5. Quarterly Scan Results (summary of four most recent ASV scan results) 6. Findings and Observations (detailed findings on each requirement and sub- requirement, including explanations of all N/A responses and validation of all compensating controls) 17 Reasoned Insights 1 - PCI DSS Quick Reference Guide.
- Data Center Audit Standards Reasoned Insights 18
- Relevant Links •AICPA Council: http://www.aicpa.org/About/Governance/AICPACouncil/Pages/default.aspx •SSAE Guide: http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/SOC/PRDOVR~PC-0127910/PC-0127910.jsp •PCI Security Standards Council: https://www.pcisecuritystandards.org/index.php 19 Reasoned Insights
Advertisement