Call in the security auditors

Independent SAS 70 audits could show you how secure data is with your service provider.

Members of the Web site Points.com can exchange their miles or points in select loyalty programs, such as American Airlines AAdvantage, for miles and points in other participating programs, use them to shop on eBay, or trade them for gift certificates at JCPenney and FTD.com.

"We model ourselves like a bank, and we need to be as secure as a bank," says Darlene Higbee Clarkin, CTO and vice president of IT at Points International, operator of the site. That requirement extends to Digex, which hosts Points International's entire IT infrastructure.

Points International has assurance about Digex's security practices because the hosting firm has Ernst & Young audit, annually, the IT and business processes and procedures that affect its customers' business. The auditor details its findings in a document called a Statement on Auditing Standards (SAS) No. 70 report.

Developed by the American Institute of Certified Public Accountants (AICPA) and launched in 1992, the internationally recognized SAS 70 provides independent verification of a service provider's descriptions of its control activities and processes.

"Being SAS 70 audited was the determining factor for us," Higbee Clarkin says of the decision to use Digex. "We feel confident that Digex has the processes and infrastructure that would protect us from potential compromise." The audit also gives Points International's partners peace of mind.

A SAS 70 audit is particularly useful for companies that outsource certain parts of their operations and need to undergo annual financial audits. They can show their auditor the SAS 70 report of their service suppliers so the auditor doesn't need to conduct its own audit of the provider's facility.

Generally, the controls or processes that are audited are those that affect customers' financial statements and the customer data behind them, which usually includes the IT functions. Because of this, SAS 70 is seeing a resurgence of interest from businesses that must meet new regulations designed to protect sensitive data.

Pamela Fusco, chief security officer and director of systems security at Digex, says customers request Digex's SAS 70 report to help them meet the requirements of such regulations as the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley financial reporting act and the Gramm-Leach-Bliley privacy act.

A vendor's ability to submit a SAS 70 report is a "make or break" for the Federal Reserve Bank of New York when it comes to signing on the dotted line. "We use a SAS 70 report as a starting point for assessing assurances and controls at external service suppliers," says Sean Mahon, vice president and information security officer for the bank's National Incident Response Team.

The bank recently decided not to use the services of a salary-benchmarking consultancy because it lacked a SAS 70 report. Mahon wanted independent evidence of the consultancy's security processes to protect sensitive employee data.

However, some observers warn against using SAS 70 as an in-depth audit of a provider's IT security controls. "SAS 70 is a way for organizations to describe processes in a consistent way. It's a disclosure tool rather than [a tool that says] whether they're secure. So it has a limited objective and value," says Jonathan Gossels, president of network security consultancy SystemExperts.

The important element to consider, Gossels says in his white paper "SAS 70: The Emperor Has No Clothes," is that SAS 70 doesn't have a predetermined set of standards or checklists that an organization must satisfy. In essence, the service organization sets its own control objectives, and the auditor reports on whether these are met.

"If an organization does not have a security policy covering a particular area, or has one that allows ineffective security ... the SAS 70 audit report would contain a favorable opinion because the control activities matched the stated control objectives," Gossels writes.

Although Chuck Landes, director of auditing standards at the AICPA, agrees that service providers can set the measurement bar, "that is not important. The decision-making is made by the auditor of the [service provider's] customer - if they are not satisfied they can ask for more work to be done," he says.

The Federal Reserve Bank of New York's Mahon says it's up to the customer to review the report to determine whether the service provider has sufficient processes in place. "We use SAS 70 because there is no commonly accepted security metric," he says. "It is as close as it gets to having a common baseline."

"You use your best judgment when you read the SAS-70 report, but we also do our own independent security auditing," Points International's Higbee Clarkin says.

A handful of other security assessments coming into play could address some of these concerns. AICPA developed SysTrust and WebTrust to provide independent verification of a service supplier's systems or e-commerce operation. Auditors test the reliability of systems by measuring against set criteria for four principles: availability, security, integrity and maintainability. If the systems meet the requirements of the SysTrust Principles and Criteria document, an attestation report is issued.

Digex also has been audited for SysTrust and WebTrust, and Fusco says the audits are more technically involved than for SAS 70. "There are set criteria you must meet, and there is testing of control objectives, user accounts, documentation control and data transfer."

ISO 17799 is a code of practice that offers guidelines and voluntary direction for information security management. It provides guidance on a range of topics, including security policies, personnel security, access control, and communications and operations management, but typically does not go into depth. According to an FAQ developed by the U.S. National Institute of Standards and Technology's Information Technology Laboratory, "ISO 17799 should be augmented by more technical guidance in order to be used effectively for a security review."

Independent security audits

SAS 70
Purpose: Lets service providers describe their control activities and processes in a uniform reporting format.
Coverage: The controls audited are those affecting customers' financial statements.
Caveats: Lacks a predetermined set of control objectives a service provider must meet. Covers general controls and is not specific to IT or security.

SysTrust and WebTrust (for e-commerce activities)
Purpose: Provides assurance that a service provider's systems controls meet one or more of the AICPA Trust Services principles and related criteria.
Coverage: Internal controls for security, online privacy, availability, confidentiality and processing integrity.
Caveats: Not a comprehensive security assessment; focused on systems reliability.

ISO 17799
Purpose: Contains guidelines for security and business continuity. Lets a service organization identify where it falls short of best practices.
Coverage: Identifies itself as a starting point for developing organizational security.
Caveats: Not a set of required practices or technologies. The compliance portion of the standard is not well accepted.
Copyright © 2003 IDG Communications, Inc.