SAS70 And Information Security
This morning, I attended a networking meeting with colleagues of mine. It was a typical networking
event where we went around the table and introduced ourselves. We mentioned our name and gave
a quick elevator speech about our company. The last gentleman to tell about his company touted his
company's services like everyone else, and then he said something that didn't sit well with me.
"We have a SAS 70, Type II certification which tells our clients that we are secure and that they can
trust us with their information."
I wanted to stand up and scream "FOUL!", but business etiquette prevented me from doing so in this
forum. I don't doubt that this guy represents a reputable company. Actually we know that he does. We
hear the claims of SAS 70 "certification" and information security all of the time. So many times in fact
that we published a whitepaper about it. Too many people don't know any better and are being misled
into thinking that a SAS 70 is something that it's not. We are going to borrow some content from our
whitepaper for this article. If you yourself don't know what's wrong with this guy's statement, then you
might have been duped like so many others.
People are confused about SAS 70s, and how they relate to information security.
Before you go much farther, consider some important facts. There are many misconceptions about
what a SAS 70 is, and what a SAS 70 is not. Let's start out with what a SAS 70 is. SAS 70 is short for
"Statement on Auditing Standards No. 70: Service Organizations". The SAS 70 was originally
intended to provide "guidance on the factors an independent auditor should consider when auditing
the financial statements of an entity that uses a service organization to process certain transactions."
The original guidance, provided by the American Institute of Certified Public Accountants (AICPA),
was written in 1992, and the popularity of SAS 70s exploded after the passage of the Sarbanes-Oxley
Act in 2002 ("SOX").
Over the years, the SAS 70 has transformed from an audit report of financial statements and internal
controls of a service organization into a data security rubber stamp. SAS 70 was never designed to
provide proof of compliance or assurance regarding confidentiality, integrity, and availability (the
three tenets of information security). Although the AICPA has provided guidance on the correct use of
the SAS 70, some service organizations are misrepresenting their compliance by marketing their
SAS 70 report and implying that they are secure and compliant as a result.
What does a SAS 70 state about information security?
"It isn't a measure of security, it's a measure of financial controls," says Judith Sherinsky, a technical
manager on the audit and test standards team at the American Institute of Certified Public
Accountants (AICPA), which created SAS 70.
In a SAS 70 audit, the service organization being audited must first prepare a written description of its
goals and objectives. A SAS 70 audit does not rate a company's security controls against a particular
set of defined best practices, and because SAS 70 was meant to look at financial controls, a SAS 70
audit report may contain many items that are not at all related to information security.
The fact that a company has conducted a SAS 70 audit does not necessarily mean any of its systems
are secure.
"SAS 70 is basically an expensive auditing process to support compliance with financial reporting
rules like the Sarbanes-Oxley Act (SOX)," said French Caldwell, research vice president at Gartner.
"Chief information security officers (CISOs), compliance and risk managers, vendor managers,
procurement professionals, and others involved in the purchase or sale of IT services and software
need to recognize that SAS 70 is not a security, continuity or privacy compliance standard."
Should companies use their SAS 70 audit report in marketing materials?
If we are to take the AICPA's word for it, the answer is no.
The final document is "intended as an auditor-to-auditor report or a service organization report," says
Amy Pawlicki, the AICPA's director of business reporting, assurance, and advisory services. "It's not a
public-use report, and it's not something that can be used for marketing purposes."
Is there any such thing as SAS 70 "certified"?
No. There is no such certification.
"Many providers of traditional application hosting, SaaS and cloud computing are currently treating
SAS 70 as if it were a form of certification, which it is not," said Jay Heiser, research vice president at
Gartner. "Furthermore, some claim that SAS 70 addresses security, privacy and continuity, which is
misleading. Instead, it is only a generic guideline for the preparation, procedure and format of an
auditing report."
Is there a better option for addressing information security in your organization?
Of course there is.
For people who need to specifically address the multiple information security challenges facing their
organizations, we recommend an independent information security (or risk) assessment. FRSecure
has developed the Enterprise Information Security Assessment ("EISA") to address this need.
What is an FRSecure Enterprise Information Security Assessment ("EISA")?
The FRSecure EISA is a risk-based assessment of an organization's information security program.
The EISA is:
* Comprehensive: risks are reviewed and reported upon in thousands of physical, administrative,
and technical aspects of an organization.
* Standardized: the EISA is based upon and mapped to the ISO 27002 (17799:2005) standard, which
ensures that best practices are incorporated into all reviews.
* Compliant: the review of compliance with all major industry and regulatory requirements (GLBA,
HIPAA, SOX, FERPA, and various state laws) is built into the EISA.
* Functional: results are easily understood and recommendations are functionally sound.
Should I engage in a SAS 70 audit or an EISA?
Our recommendation is for you to consider your own motivations, goals, and objectives. If your
intentions are to address information security needs, then an EISA is almost always going to be your
best option.
Through an EISA:
* Your current information security controls are assessed for risk and compared with industry best
practices;
* Information security goals and objectives are identified; and
* Plans are created to meet your information security goals and objectives.
The EISA is focused on information security, whereas the SAS 70 audit may not be.
Will a SAS 70 or an EISA be more valuable to my organization?
It depends on what you are trying to accomplish. An EISA will be more valuable to your organization if
you want to understand how information security will provide value to your organization through
reduced risk, improved efficiency, and a better educated workforce.
"Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a
matter of suspicion when a vendor insists that it is," Mr. Heiser said. "Vendor claims to be SAS 70
certified indicate either ignorance or deception, neither of which is a good basis for trust."
According to Gartner, "By 2012, no customers of cloud providers will accept SAS 70 alone as proof
of effective security and compliance."
Will a customer/partner organization accept an EISA in lieu of a SAS 70?
Most likely the answer is yes. Your customer/partner is almost solely concerned with how well your
organization is protecting the information entrusted to you by them. We can easily demonstrate how
an EISA provides much better assurance than does a typical SAS 70 audit. If you aren't sure, we
suggest that you check with your customer/partner. We often help our clients communicate the
advantages of performing an EISA versus a SAS 70 audit.
"SAS 70s should not be used to replace due diligence on a vendor's information security practices,"
says Shamla Naidoo, CISO at WellPoint. She says SAS 70 reports are best used primarily as a
jumping-off point for validating security controls. "We need to use it for what it was designed for. It
attests to adequate controls, not information security. Information security controls are much more
granular, and you need to go deeper [than SAS 70]," she says.
About FRSecure
Formed in 2008, FRSecure LLC is a full-service information security consulting company dedicated to
information security education, awareness, application, and improvement. FRSecure helps clients
understand, design, implement, and manage best-in-class information security solutions, thereby
achieving optimal value for every information security dollar spent.
Regulatory and industry compliance are built into all of our solutions.
For more information about FRSecure, visit us at http://www.frsecure.com.