| Paragraph Number | Area | Control | Comments | Guidance |
|---|---|---|---|---|
| 17.03.a | Information Security Responsibility | Designating one or more employees to maintain the comprehensive information security program; | Most SAS70s refer to a security policy, but often the person responsible is not identified. | Refer to the Security Officer in the Control Environment section of the SAS70. |
| 17.03.b.i | Information Security Training | Ongoing employee (including temporary and contract employee) training; | Most SAS70s indicate that employees do get training on information security. | Make sure there is some proof that employees get some sort of training yearly. |
| 17.03.b.ii | Information Security Compliance | Employee compliance with policies and procedures; | Most SAS70s refer to policies and procedures and even have people indicate they have read and understood them. Seldom is there any proof that people actually follow them. | Identifying a policy as a control will have the auditor look for six months' worth of proof that people are following procedures. This is difficult and costly to do. |
| 17.03.b.iii | Information Security Monitoring | Means for detecting and preventing security system failures; | Most SAS70s document the incident reporting system, but do little to identify what the actual mechanism for detection is. | Identify an objective that addresses a reasonable level of assurance that security breaches are identified and responded to. |
| 17.03.c | Information Security Policies | Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises. | Most SAS70s don't address something like this; however, these types of items are often identified in the security policy. | The security policy can potentially be given to the person who requests to review the SAS70. |
| 17.03.d | Disciplinary Measures | Imposing disciplinary measures for violations of the comprehensive information security program rules. | Most SAS70s don't address something like this; however, these types of items are often identified in the security policy. | The security policy can potentially be given to the person who requests to review the SAS70. |
| 17.03.3 | Terminated Employees | Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names. | Most SAS70s address this requirement. However, can providers prove they handle this immediately? | This will involve putting in procedures that allow HR to ensure access is terminated simultaneously with termination. |
| 17.03.f.i | Capable Third-Party Providers | Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including (i) selecting and retaining service providers that are capable of maintaining safeguards for personal information; and | This typically applies to a SaaS provider who uses an infrastructure provider. Often they include that SAS70 as part of their own. | Ensure third-party SAS70s are addressed in yours if appropriate. |
| 17.03.f.ii | SLAs with Third Parties | (ii) Contractually requiring service providers to maintain such safeguards. Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations. | Service Level Agreements are usually not mentioned in the SAS70. Service Level Agreements are usually written on terms favorable to the provider and as such sometimes do not satisfy this requirement. | Review your Service Level Agreements to ensure that these requirements are addressed. |
| 17.03.g | Limitations and Retention | Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with state or federal record retention requirements. | These types of items are usually not identified in any SAS70 since they are typically part of the application, and SAS70s do not address application code. | You may elect to have an independent third party do a code review and/or penetration test, which can provide an independent third party's view of meeting this requirement. |
| 17.03.h | Personal Info Xref | Identifying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information. | SAS70s seldom identify this type of list as a control. | This list may be provided along with the SAS70 until it can be included in your next SAS70. |
| 17.03.i | Physical Access | Reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas or containers. | SAS70s usually address physical access to computers and files and seldom address personal information, which can also be found outside of the data center. | Develop a control that provides reasonable assurance that records cannot be stored outside of the designated secure areas. Make sure your test data isn't merely an un-sanitized copy of production data. |
| 17.03.j | Monitoring | Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks. | SAS70s usually address monitoring for security breaches, but seldom address monitoring to make sure the entire security policy is operating effectively. | The person identified as the owner of the security program will have to show evidence of monitoring its effectiveness. |
| 17.03.k | Periodic Review of Security Strategy | Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information. | Most SAS70s indicate that policies are reviewed yearly but not necessarily after a security breach. | Evidence of a review against the policy for any security breach would have to be documented. |
| 17.03.l | Incident Management | Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information. | Most SAS70s identify incident tracking, but seldom is there any proof that business practices were reviewed to help make sure the breach does not occur again. | Evidence of a review against the procedure for any security breach would have to be documented. |
| 17.04.1.i | User ID | Control of user IDs and other identifiers; | Usually covered by all SAS70s. | |
| 17.04.1.ii | Use of Passwords | A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; | Most SAS70s refer to the security policy to address this requirement. | The security policy can potentially be given to the person who requests to review the SAS70. |
| 17.04.1.iii | Securing Passwords | Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; | Most SAS70s do not address this requirement. | Make sure passwords are protected or encrypted from all but the end user. |
| 17.04.1.iv | Active Users and Accounts | Restricting access to active users and active user accounts only; | These types of items are usually not identified in any SAS70 since they are typically part of the application, and SAS70s do not address application code. | Can be addressed by an independent third-party assessment of the code. |
| 17.04.1.v | Multiple Attempts | Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system; | Most SAS70s address "reasonable" controls and do not necessarily specifically address multiple attempts. This may be addressed in your security policy. | The security policy can potentially be given to the person who requests to review the SAS70. |
| 17.04.2.i | Need to Know | Restrict access to records and files containing personal information to those who need such information to perform their job duties; | This is usually addressed in most SAS70s. | |
| 17.04.2.ii | No Default Passwords | (ii) Assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls. | Seldom is this requirement specifically addressed in a SAS70. | Make sure default passwords are removed from vendor software. |
| 17.04.3 | Encryption of Data in Flight | To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly. | Most SAS70s will address this requirement if in fact encryption is used. | Make sure encryption is used for data in flight. |
| 17.04.4 | Monitoring for Unauthorized Use | Reasonable monitoring of systems for unauthorized use of or access to personal information. | Most SAS70s address this requirement. | |
| 17.04.5 | Encryption of Mobile Data | Encryption of all personal information stored on laptops or other portable devices; | Most SAS70s will address this requirement if in fact encryption is used. | Make sure encryption is used for mobile data. |
| 17.04.6 | Firewall Protection | For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information. | Most SAS70s address this requirement. | |
| 17.04.7 | Malware Protection | Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. | Most SAS70s address this requirement. | |
| 17.04.8 | Education and Training | Education and training of employees on the proper use of the computer security system and the importance of personal information security. | Most SAS70s address the fact that training occurs but not necessarily what is covered in the training. The security policy usually identifies what needs to be in the training. | The security policy can potentially be given to the person who requests to review the SAS70. |
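The Terminated Employees (17.03.3) and Active Users and Accounts (17.04.1.iv) rows both come down to proving, not asserting, that access ends when employment does. As an added example that is not part of the original mapping table, the following Python reconciles a constructed HR termination feed against a constructed account export and lists every account that was not disabled within the allowed lag of the termination date; run against real exports over the audit period, such an exception list is the kind of evidence an auditor will accept for this control. All employee IDs, usernames and dates below are constructed sample data.

```python
"""Deprovisioning control test: were terminated employees' accounts disabled
on time? Constructed example; all identifiers and dates are sample data."""
from datetime import datetime

# Constructed HR feed: employee id -> termination date (ISO format).
HR_TERMINATIONS = {
    "E1001": "2010-03-01",
    "E1002": "2010-03-03",
    "E1003": "2010-03-05",
}

# Constructed account export: (employee id, username, status, date disabled or None).
ACCOUNTS = [
    ("E1001", "jdoe", "disabled", "2010-03-01"),    # disabled same day: compliant
    ("E1002", "asmith", "disabled", "2010-03-08"),  # disabled five days late: exception
    ("E1003", "blee", "active", None),              # never disabled: exception
    ("E2001", "cwong", "active", None),             # not terminated: out of scope
]


def _parse(value):
    """Parse an ISO date string; None passes through unchanged."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def deprovisioning_exceptions(terminations, accounts, max_lag_days=0):
    """Return (username, employee id, lag_days) for each account of a terminated
    employee that was not disabled within max_lag_days of termination; lag_days
    is None while the account is still active. max_lag_days=0 reflects the
    regulation's 'immediately'; raise it only if your written procedure allows a window."""
    exceptions = []
    for emp_id, username, status, disabled_on in accounts:
        terminated = _parse(terminations.get(emp_id))
        if terminated is None:
            continue  # still employed: nothing to test
        if status != "disabled" or disabled_on is None:
            exceptions.append((username, emp_id, None))
            continue
        lag = (_parse(disabled_on) - terminated).days
        if lag > max_lag_days:
            exceptions.append((username, emp_id, lag))
    return exceptions


if __name__ == "__main__":
    for username, emp_id, lag in deprovisioning_exceptions(HR_TERMINATIONS, ACCOUNTS):
        state = "still active" if lag is None else f"disabled {lag} day(s) late"
        print(f"EXCEPTION {username} ({emp_id}): {state}")
```

An empty exception list for each month of the audit period is the six months' worth of proof the 17.03.b.ii comment refers to; a non-empty one is the input to the post-incident review the 17.03.l row asks for.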