SAS70 And Information Security
This morning, I attended a networking meeting with colleagues of mine. It was a typical networking event where we went around the table and introduced ourselves. We mentioned our name and gave a quick elevator speech about our company. The last gentleman to tell about his company touted his company's services like everyone else, and then he said something that didn't sit well with me.

"We have a SAS 70, Type II certification which tells our clients that we are secure and that they can
trust us with their information."

I wanted to stand up and scream "FOUL!", but business etiquette prevented me from doing so in this forum. I don't doubt that this guy represents a reputable company. Actually, we know that he does. We hear the claims of SAS 70 "certification" and information security all of the time. So many times, in fact, that we published a whitepaper about it. Too many people don't know any better and are being misled into thinking that a SAS 70 is something that it's not. We are going to borrow some content from our whitepaper for this article. If you yourself don't know what's wrong with this guy's statement, then you might have been duped like so many others.

People are confused about SAS 70s, and how they relate to information security.

Before you go much farther, consider some important facts. There are many misconceptions about what a SAS 70 is, and what a SAS 70 is not. Let's start out with what a SAS 70 is. SAS 70 is short for "Statement on Auditing Standards No. 70: Service Organizations". The SAS 70 was originally intended to provide "guidance on the factors an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions." The original guidance, provided by the American Institute of Certified Public Accountants (AICPA), was written in 1992, and the popularity of SAS 70s exploded after the passage of the Sarbanes-Oxley Act in 2002 ("SOX").

Over the years, the SAS 70 has transformed from an audit report of the financial statements and internal controls of a service organization into a data security rubber stamp. SAS 70 was never designed to provide proof of compliance or assurance regarding confidentiality, integrity, and availability (the three tenets of information security). Although the AICPA has provided guidance on the correct use of the SAS 70, some service organizations are misrepresenting their compliance by marketing their SAS 70 report and implying that they are secure and compliant as a result.

What does a SAS 70 state about information security?

"It isn't a measure of security, it's a measure of financial controls," says Judith Sherinsky, a technical manager on the audit and test standards team at the American Institute of Certified Public Accountants (AICPA), which created SAS 70.

In a SAS 70 audit, the service organization being audited must first prepare a written description of its goals and objectives. A SAS 70 audit does not rate a company's security controls against a particular set of defined best practices, and because SAS 70 was meant to look at financial controls, a SAS 70 audit report may contain many items that are not at all related to information security.

The fact that a company has conducted a SAS 70 audit does not necessarily mean any of its systems are secure.

"SAS 70 is basically an expensive auditing process to support compliance with financial reporting rules like the Sarbanes-Oxley Act (SOX)," said French Caldwell, research vice president at Gartner. "Chief information security officers (CISOs), compliance and risk managers, vendor managers, procurement professionals, and others involved in the purchase or sale of IT services and software need to recognize that SAS 70 is not a security, continuity or privacy compliance standard."

Should companies use their SAS 70 audit report in marketing materials?

If we are to take the AICPA's word for it, the answer is no.

The final document is "intended as an auditor-to-auditor report or a service organization report," says Amy Pawlicki, the AICPA's director of business reporting, assurance, and advisory services. "It's not a public-use report, and it's not something that can be used for marketing purposes."

Is there any such thing as SAS 70 "certified"?

No. There is no such certification.

"Many providers of traditional application hosting, SaaS and cloud computing are currently treating SAS 70 as if it were a form of certification, which it is not," said Jay Heiser, research vice president at Gartner. "Furthermore, some claim that SAS 70 addresses security, privacy and continuity, which is misleading. Instead, it is only a generic guideline for the preparation, procedure and format of an auditing report."

Is there a better option for addressing information security in your organization?

Of course there is.

For people who need to specifically address the multiple information security challenges facing their organizations, we recommend an independent information security (or risk) assessment. FRSecure has developed the Enterprise Information Security Assessment ("EISA") to address this need.

What is an FRSecure Enterprise Information Security Assessment ("EISA")?

The FRSecure EISA is a risk-based assessment of an organization's information security program.

The EISA is:

 * Comprehensive: risks are reviewed and reported upon in thousands of physical, administrative, and technical aspects of an organization.
 * Standardized: the EISA is based upon and mapped to the ISO 27002 (17799:2005) standard, which ensures that best practices are incorporated into all reviews.
 * Compliant: the review of compliance with all major industry and regulatory requirements (GLBA, HIPAA, SOX, FERPA, and various state laws) is built into the EISA.
 * Functional: results are easily understood and recommendations are functionally sound.

Should I engage in a SAS 70 audit or an EISA?

Our recommendation is for you to consider your own motivations, goals, and objectives. If your intentions are to address information security needs, then an EISA is almost always going to be your best option.

Through an EISA:

 * Your current information security controls are assessed for risk and compared with industry best practices;
 * Information security goals and objectives are identified; and
 * Plans are created to meet your information security goals and objectives.

The EISA is focused on information security, whereas the SAS 70 audit may not be.

Will a SAS 70 or an EISA be more valuable to my organization?

It depends on what you are trying to accomplish. An EISA will be more valuable to your organization if you want to understand how information security will provide value to your organization through reduced risk, improved efficiency, and a better educated workforce.

"Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a matter of suspicion when a vendor insists that it is," Mr. Heiser said. "Vendor claims to be SAS 70 certified indicate either ignorance or deception, neither of which is a good basis for trust."

According to Gartner, "By 2012, no customers of cloud providers will accept SAS 70 alone as proof of effective security and compliance."

Will a customer/partner organization accept an EISA in lieu of a SAS 70?

Most likely the answer is yes. Your customer/partner is almost solely concerned with how well your organization is protecting the information entrusted to you by them. We can easily demonstrate how an EISA provides much better assurance than does a typical SAS 70 audit. If you aren't sure, we suggest that you check with your customer/partner. We often help our clients communicate the advantages of performing an EISA versus a SAS 70 audit.

"SAS 70s should not be used to replace due diligence on a vendor's information security practices," says Shamla Naidoo, CISO at WellPoint. She says SAS 70 reports are best used primarily as a jumping-off point for validating security controls. "We need to use it for what it was designed for. It attests to adequate controls, not information security. Information security controls are much more granular, and you need to go deeper [than SAS 70]," she says.

About FRSecure

Formed in 2008, FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure helps clients understand, design, implement, and manage best-in-class information security solutions, thereby achieving optimal value for every information security dollar spent.

Regulatory and industry compliance are built into all of our solutions.

For more information about FRSecure, visit us at http://www.frsecure.com.