SAS70 and Information Security
Published: 25th November 2010
This morning, I attended a networking meeting with colleagues of mine. It was a typical networking event where we went around the table and introduced ourselves. We mentioned our name and gave a quick elevator speech about our company. The last gentleman to speak about his company touted his company’s services like everyone else, and then he said something that didn’t sit well with me.
"We have a SAS 70, Type II certification which tells our clients that we are secure and that they can trust us with their information."
I wanted to stand up and scream "FOUL!", but business etiquette prevented me from doing so in this forum. I don’t doubt that this guy represents a reputable company. Actually we know that he does. We hear the claims of SAS 70 "certification" and information security all of the time. So many times in fact that we published a whitepaper about it. Too many people don’t know any better and are being misled into thinking that a SAS 70 is something that it’s not. We are going to borrow some content from our whitepaper for this article. If you yourself don’t know what’s wrong with this guy’s statement, then you might have been duped like so many others.
People are confused about SAS 70s, and how they relate to information security.
Before you go much further, consider some important facts. There are many misconceptions about what a SAS 70 is, and what a SAS 70 is not. Let’s start out with what a SAS 70 is. SAS 70 is short for "Statement on Auditing Standards No. 70: Service Organizations". The SAS 70 was originally intended to provide "guidance on the factors an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions." The original guidance, provided by the American Institute of Certified Public Accountants (AICPA), was written in 1992, and the popularity of SAS 70s exploded after the passage of the Sarbanes-Oxley Act ("SOX") in 2002.
Over the years, the SAS 70 has transformed from an audit report of financial statements and internal controls of a service organization into a data security rubber stamp. SAS 70 was never designed to provide proof of compliance or assurance regarding confidentiality, integrity, and availability (the three tenets of information security). Although the AICPA has provided guidance on the correct use of the SAS 70, some service organizations are misrepresenting their compliance by marketing their SAS 70 report and implying that they are secure and compliant as a result.
What does a SAS 70 state about information security?
"It isn’t a measure of security, it’s a measure of financial controls," says Judith Sherinsky, a technical manager on the audit and test standards team at the American Institute of Certified Public Accountants (AICPA), which created SAS 70.
In a SAS 70 audit, the service organization being audited must first prepare a written description of its goals and objectives. A SAS 70 audit does not rate a company’s security controls against a particular set of defined best practices, and because SAS 70 was meant to look at financial controls, a SAS 70 audit report may contain many items that are not at all related to information security.
The fact that a company has conducted a SAS 70 audit does not necessarily mean any of its systems are secure.
"SAS 70 is basically an expensive auditing process to support compliance with financial reporting rules like the Sarbanes-Oxley Act (SOX)," said French Caldwell, research vice president at Gartner. "Chief information security officers (CISOs), compliance and risk managers, vendor managers, procurement professionals, and others involved in the purchase or sale of IT services and software need to recognize that SAS 70 is not a security, continuity or privacy compliance standard."
Should companies use their SAS 70 audit report in marketing materials?
If we are to take AICPA’s word for it, the answer is no.
The final document is "intended as an auditor-to-auditor report or a service organization report," says Amy Pawlicki, the AICPA’s director of business reporting, assurance, and advisory services. "It’s not a public-use report, and it’s not something that can be used for marketing purposes."
Is there any such thing as SAS 70 "certified"?
No. There is no such certification.
"Many providers of traditional application hosting, SaaS and cloud computing are currently treating SAS 70 as if it were a form of certification, which it is not," said Jay Heiser, research vice president at Gartner. "Furthermore, some claim that SAS 70 addresses security, privacy and continuity, which is misleading. Instead, it is only a generic guideline for the preparation, procedure and format of an auditing report."
Is there a better option for addressing information security in your organization?
Of course there is.
For people who need to specifically address the multiple information security challenges facing their organizations, we recommend an independent information security (or risk) assessment. FRSecure has developed the Enterprise Information Security Assessment ("EISA") to address this need.
What is an FRSecure Enterprise Information Security Assessment ("EISA")?
The FRSecure EISA is a risk-based assessment of an organization’s information security program.
The EISA is:
* Comprehensive – Risks are reviewed and reported upon in thousands of physical, administrative, and technical aspects of an organization.
* Standardized – The EISA is based upon and mapped to the ISO 27002 (17799:2005) standard which ensures that best practices are incorporated into all reviews.
* Compliant – The review of compliance with all major industry and regulatory (GLBA, HIPAA, SOX, FERPA, and various state laws) requirements is built into the EISA.
* Functional – Results are easily understood and recommendations are functionally sound.
Should I engage in a SAS 70 audit or an EISA?
Our recommendation is for you to consider your own motivations, goals, and objectives. If your intentions are to address information security needs, then an EISA is almost always going to be your best option.
Through an EISA:
* Your current information security controls are assessed for risk and compared with industry best-practices,
* Information security goals and objectives are identified; and
* Plans are created to meet your information security goals and objectives.
The EISA is focused on information security, whereas the SAS 70 audit may not be.
Will a SAS 70 or an EISA be more valuable to my organization?
It depends on what you are trying to accomplish. An EISA will be more valuable to your organization if you want to understand how information security will provide value to your organization through reduced risk, improved efficiency, and a better educated workforce.
"Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a matter of suspicion when a vendor insists that it is," Mr. Heiser said. "Vendor claims to be ‘SAS 70 certified’ indicate either ignorance or deception, neither of which is a good basis for trust."
According to Gartner, "By 2012, No Customers of Cloud Providers Will Accept SAS 70 Alone as Proof of Effective Security and Compliance."
Will a customer/partner organization accept an EISA in lieu of a SAS 70?
Most likely the answer is yes. Your customer/partner is almost solely concerned with how well your organization is protecting the information entrusted to you by them. We can easily demonstrate how an EISA provides much better assurance than does a typical SAS 70 audit. If you aren’t sure, we suggest that you check with your customer/partner. We often help our clients communicate the advantages of performing an EISA versus a SAS 70 audit.
"SAS 70s should not be used to replace due diligence on a vendor’s information security practices," says Shamla Naidoo, CISO at WellPoint. She says SAS 70 reports are best used primarily as a jumping-off point for validating security controls. "We need to use it for what it was designed for. It attests to adequate controls, not information security. Information security controls are much more granular, and you need to go deeper [than SAS 70]," she says.
About FRSecure
Formed in 2008, FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure helps clients understand, design, implement, and manage best-in-class information security solutions, thereby achieving optimal value for every information security dollar spent.
Regulatory and industry compliance are built into all of our solutions.
For more information about FRSecure, visit us at http://www.frsecure.com.
Source: http://frsecure.articlealley.com/sas70-and-information-security-1868480.html