In Depth
SAS 70
SAS 70, the auditing standard, is finding its way onto CSOs' desks.
By Michael Fitzgerald
Shamla Naidoo, CISO at Northern Trust, agrees that while SAS 70s can't be treated as gospel, they nevertheless offer plenty of useful information. "SAS 70s should not be used to replace due diligence on a vendor's information security practices," says Naidoo, who came to Northern Trust in early 2005 after four years at ABN Amro. She says SAS 70 reports are best used primarily as a jumping-off point for validating security controls. "We need to use it for what it was designed for. It attests to adequate controls, not information security. Information security controls are much more granular, and you need to go deeper [than SAS 70]," she says.
Companies, then, must also expect to invest a certain amount of time in reviewing SAS 70s—Naidoo says she's seen 300-page SAS 70 write-ups, which makes for a challenging review. But even slogging through a big SAS 70 audit requires less time for Northern Trust than going out and doing its own security review from scratch on a potential provider. The main challenge with a SAS 70 is that there is no standard way of defining controls.
Mostly, that's by design—audits aren't supposed to force companies into cookie-cutter approaches. "Each organization defines control objectives uniquely," says Naidoo. "In some cases you may have to look at three objectives to make sure [a SAS 70] covers the areas you're concerned with. In others, it might be 15." Naidoo recommends that her teams first know what level of controls—such as access, authentication and intrusion detection—they would need in order to verify security for processes, and use that as a framework for comparison with a potential service provider's SAS 70.
In effect, Naidoo creates an internal map of how controls should work, something Bayuk also does at Bear Stearns. Bayuk pays special attention to the first page of a SAS 70 audit, where the auditor gives a summary of the process being audited. "Often you'll see that it doesn't cover the application you're processing, or the infrastructure, or vice versa," she says.
She also says SAS 70 is useful for controls because while it isn't standardized, it follows a set of well-established procedures and tests to see if a company has followed its own controls. "I would never use an ISO 17799—you can have the best process to assess risk and identify vulnerability and have it on your queue to implement and never implement it," she says.