In Depth

SAS 70

SAS 70, the auditing standard, is finding its way onto CSOs' desks.

By Michael Fitzgerald

Page 4

SAS 70 on the Rise

Service providers say they're being asked more and more often for SAS 70 audits, often instead of governance standards like COBIT or ISO 17799. That's even true for companies that handle security functions, which have traditionally been measured against granular best-practice tests rather than the broad audit test of SAS 70. Michael Scher, general counsel and compliance architect at Nexum, a security product and service provider, says his company is preparing to undergo its first SAS 70 audit. "It's an efficiency-type move," Scher says. It will save his company the trouble of being audited separately by every potential client, or of generating reams of documentation in answer to each client's questionnaire. Scher knows that SAS 70 control objectives can be loosely written: something that does fine in an audit "could definitely have some big gaps in the real world," he notes. But he says the same is true for ISO 17799. In fact, he asks, rhetorically, "Is there any regime that's oh so wonderful?"

"All these things are slippery," agrees Richard E. Mackey Jr., a principal at SystemExperts. SystemExperts is the home of Gossels, the consultant who excoriates SAS 70 as ineffective makework for CPAs. But his colleague Mackey says SAS 70 is the de facto standard for checking out security. "If you have policies you want to maintain, the SAS 70 will check that you in fact met those policies and are compliant with them," he says.

The hard parts are writing control objectives that are specific enough to be meaningful, and finding what the control statements leave out entirely. A control may state that systems are password-protected, for example, without saying who is permitted to access them or what policy governs granting and revoking that access; an auditor who tests only the stated control will confirm the passwords exist and never notice the gap.

The bottom line with SAS 70, then, is this: There are no silver bullets for corporate IT security. SAS 70 is another weapon in the arsenal, one to wield with due care.
