It’s a no-brainer – security is easily the No. 1 concern of network executives today. It’s top of mind in all industries, to be sure, but it’s even more critical in areas such as finance and healthcare, in which federal legislation mandates certain security practices and safeguards.
This week’s Management Strategies story in Network World examines one approach many companies are taking to ensure their data is secure – a Statement of Auditing Standards (SAS) No. 70 report. Firms such as Ernst & Young are now conducting security audits, the findings of which are included in an SAS No. 70 report.
The report was developed by the American Institute of Certified Public Accountants and launched in 1992. Internationally recognized, it provides an independent verification of the descriptions of a service provider's control activities and processes.
The audit can be useful to companies that outsource part of their business and must have yearly financial audits. The report will verify the compliance of the provider that carries the company’s data, so the primary auditor doesn’t have to conduct one themselves.
But not everyone thinks the SAS 70 report is bulletproof. Security consultant Jonathan Gossels wrote a white paper, “SAS 70: The Emperor Has No Clothes.”
"SAS 70 is a way for organizations to describe processes in a consistent way. It's a disclosure tool rather than [a tool that says] whether they're secure. So it has a limited objective and value," he says.
Is SAS 70 a great new tool or something less spectacular? Check out this week’s Management Strategies story in its entirety for more on SAS 70, its uses and expert opinion: http://www.nwfusion.com/careers/2003/0728man.html