I don't need a SAS70 because....

A significant number of SaaS (Software as a Service), IaaS (Infrastructure as a Service), or AaaS (Anything as a Service) providers have not obtained a SAS70 or other type of certification addressing their controls around information security, availability, etc. However, they are increasingly being asked and will continue to be asked for SAS70s to ensure a company’s business and regulatory objectives are being met. The reasons some vendors give for not having a SAS70 are varied and include:

  • I don’t have any public customers

  • I do not process any financial information

  • My hardware (IaaS) vendor has a SAS70

  • A SAS70 doesn’t prove anything

  • I have some other type of certification

  • My customers are not asking me for one.

The only valid reason for not getting some type of certification is the last one: there is no business reason to. However, more and more customers are asking their service providers for a SAS70. Any organization that has an external audit of its financial statements or an external regulatory audit is being asked to produce evidence that it has verified its business and regulatory requirements are met when any of its operations are outsourced.

Let’s take a closer look at some of the other reasons mentioned.

Public companies and financial information can be addressed together. Sarbanes-Oxley requires a set of controls over the processing of financial information and general information technology (IT) controls. So some SaaS vendors believe that if they are not processing financial information for a public company, they don’t need to produce one. However, what if the vendor is processing and storing:

  • CRM data – ever ask anyone to give you their prospect list? How about a list of their customers?

  • Strategic information – Does the system handle strategic planning initiatives?

  • Compliance Information – Does the system handle your ability to comply with regulations?

  • Security Related Information – Does your service provide logins, passwords and security rights of individuals?

  • Employee Information – even if no payroll information is involved, employee personal information including resumes, performance reviews, etc. is protected by a variety of regulations

This information should be considered strategic, and it can damage a company’s ability to compete if it were to get into competitors’ hands. If the customer’s data is sensitive to them, you will need to produce some kind of verification that their data is protected.

Relying on an IaaS vendor’s SAS70 addresses only part of a typical customer’s concerns, i.e. physical security, network security, and back-up and recovery. However, there are a number of responsibilities that are shared or that the SaaS vendor is solely responsible for. Things like application change management and application security are controlled by the software vendor. Also, a good security design by the IaaS vendor can be ruined by poor security practice on the part of the SaaS vendor. Vulnerabilities such as buffer overflows are not the result of bad design; they are the fault of the programmers. Unless coders have been given some training in secure practices, or a vulnerability assessment has been performed on the code, they are likely to create bug-ridden code that falls over as soon as some "hacker" reverse engineers it and exposes it.

What does a SAS70 prove anyway?

A SAS70 is Statement on Auditing Standards No. 70, developed by the AICPA. It is a process in which a CPA verifies that a set of controls is reasonably designed to mitigate the risks to a set of stated control objectives. Whether those controls are adequate to protect what is important to your business depends entirely on the objectives stated in the SAS70.

Other Certifications:

There are other standards that your vendor may have, but you should realize that those certifications may not cover everything you must depend on from that vendor:

  • ISO27001 – Addresses that Management Processes are in place to address Information Security Concerns.

  • PCI – ensures that a regimented set of controls protect credit card information.

  • HIPAA – protects health related information.

  • SysTrust, ITIL and CobiT all have a set of standards to be followed, but none have gained significant traction in this context.

A SAS70 is the most flexible of these certifications: the vendor controls what the objectives are and the timing of the certification, which makes it the prime certification choice of a vendor. It will satisfy your external auditors and regulators ONLY IF the vendor’s SAS70 objectives meet your business objectives and you can prove you have done your due diligence to ensure that they do.

A Valid Business Purpose

At the end of the day, if a certification does not improve your business, there is no reason to obtain one. If it does not help you increase revenue, decrease expenses, or improve customer or employee loyalty, then there is absolutely no reason for certification. The only thing you can assume is that there will be a breach of security and there will be business disruptions (Murphy’s Law). The question then becomes: how else can you mitigate your risk?

In closing, review these two tactical guidelines published by Gartner from their recent Gartner Information Security Summit:

  • If you can't prove otherwise, the only safe assumption is that an external provider is not meeting your security, continuity or compliance requirements.

  • Never assume that a SaaS application is appropriately secure for your business requirements. Demand that vendors provide evidence.

About Visage Solutions – www.VisageSolutions.com

Visage Solutions is a consulting company operating in the areas of regulatory compliance, risk assessment, information security, risk management and compliance processes. Utilizing our proprietary SingleVue™ and OpsAudit™ methodologies, the company focuses on assisting business entities in mitigating operational risk. Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals. Our team is comprised of experienced executives, managers and consultants who can assist clients with the development, implementation and execution of their risk management and compliance strategy.

"The Visage Risk assessment tool and methodology allowed us to respond to the risk assessment requirements of the FFIEC in a timely and cost effective manner."
   Robert Kernodle, SVP and Risk Officer of Cornerstone Bank
"Although there is always a degree of subjectivity in any risk assessment, the Visage Risk Assessment tool and methodology is one of the best I've seen in removing subjectivity and providing the underlying support for the scoring system."
   Patrick Camblin, Senior Partner in Camblin CPA, PLLC

Copyright © 2009 Visage Solutions, LLC.