Regulatory Compliance, Governance and Security: November, 2009 archives


Nov 20 2009   1:14AM GMT

SAS 70 and Business Continuity Planning (BCM) | What you Need to Know

Posted by: Charles Denyer
SAS 70, sas 70 type ii, type i, Business Continuity Disaster Recovery, charles denyer, control objectives, aicpa, BCM

As a SAS 70 auditor, I’m often asked if Business Continuity and Disaster Recovery (or any of the other similar terms and phrases used) is part of the actual SAS 70 audit. In fairness, it is, even though “technically” it does not fall into the scope of a SAS 70 Type I or SAS 70 Type II audit. How’s that, you ask? Simple: according to the AICPA publication on Statement on Auditing Standards No. 70, “plans” such as BCDRP, BCM, etc. are not “controls” and thus are not considered to be part of the audit. Now, that’s the technical understanding. To be blunt, in the post-9/11 world we live in, Business Continuity is very much part of any service organization’s critical infrastructure, and as such, many CPA firms actually “test” to ensure an organization has a Business Continuity plan and supporting documentation in place. And no, they don’t test the plan to see if it works; they simply validate that a documented BCM plan is in place.

In short, don’t be surprised if you find information in a SAS 70 Type I or Type II audit relating to BCM. It may be in the form of a control objective that was tested or it may simply be “additional information” provided by the service organization that is actually going through the audit.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.

Nov 18 2009   3:44PM GMT

PCI DSS and Service Providers | Common Examples of these Entities

Posted by: Charles Denyer
pciassessment.org, payment card industry data security standards (PCI DSS), merchants, service providers, charles denyer, pci dss compliant

The Payment Card Industry Data Security Standards (PCI DSS) provisions call for both merchants and service providers to become PCI DSS compliant. Though the term “merchant” is easily understood, the term “service provider” has created some confusion as to who these entities really are. With that said, here is a list of common service providers that are being required to become PCI DSS compliant:

Transaction Processors
Payment Gateways
Independent Sales Organizations (ISO)
External Sales Agents (ESA)
Call Centers and Customer Service Entities
Plastic Card Embossing Companies
Remittance Processing Companies
Managed Service Providers
Data Centers
Co-location Entities
Web Hosting Providers
Email (Microsoft Exchange) Providers

In short, any entity other than a merchant that is directly involved in the processing, storage, or transmission of cardholder data will need to become Payment Card Industry Data Security Standards (PCI DSS) compliant.

To learn more about PCI compliance, visit the official PCI DSS Resource Guide.


Nov 18 2009   1:52PM GMT

PCI DSS Compliance and the Major Payment Brands | What you may NOT Know

Posted by: Charles Denyer
American Express Data Security Operating Policy, Discover Information Security Compliance, Site Data Protection, Cardholder Information Security Program, Data Security Program, charles denyer, PCI DSS, Payment Card Industry Data Security Standard, PCI Resource Guide

Merchants and service providers seeking to become Payment Card Industry Data Security Standards (PCI DSS) compliant may not actually know that the five (5) major payment brands also have their own security risk management and compliance programs. However, rest assured that, by and large, these security risk management and compliance programs are essentially “encapsulated” into the overall PCI DSS framework for purposes of compliance.

Thus, with that said, here they are:

AMEX: It’s the “American Express Data Security Operating Policy” (DSOP)
Discover: It’s the “Discover Information Security Compliance” (DISC)
JCB: It’s the “Data Security Program”
Mastercard: It’s the “Site Data Protection” (SDP)
VISA: It’s the “Cardholder Information Security Program” (CISP)

So, to learn more about these five requirements, simply “google” the respective programs and you’ll find some very interesting (and hopefully useful) information. These payment brand programs include tracking and enforcement provisions, penalties, fees and compliance deadlines along with other essential information.

To learn more about PCI DSS compliance, visit the official PCI Resource Guide.


Nov 17 2009   7:42PM GMT

PCI DSS Readiness Assessments | Hire a Qualified Security Assessor (QSA)

Posted by: Charles Denyer
pci dss readiness assessment, qualified security assessor, merchants, service providers, qsa, charles denyer, pci dss compliance

PCI DSS compliance can be an arduous undertaking for many service providers and merchants in today’s business arena. Add to that the fact that many organizations are unsure of the roadmap to PCI DSS compliance, and it makes sense to hire a Qualified Security Assessor (QSA) to help you conduct a PCI DSS Readiness Assessment.

The most important finding and deliverable of a PCI DSS Readiness Assessment is that your organization will truly understand the scope of the assessment process, that is, which systems, processes, and activities are to be included.

Secondly, your organization will also have identified which gaps or weaknesses currently exist that will need to be corrected before you can even plausibly think of becoming PCI DSS compliant.

Additionally, a host of other helpful information can be provided by a Qualified Security Assessor when undertaking a PCI DSS Readiness Assessment. To learn more about PCI compliance, visit the official PCI DSS Resource Guide.


Nov 17 2009   7:33PM GMT

SAS 70 Audits | How Expensive are They and What is the true Cost?

Posted by: Charles Denyer
cost of sas 70 audit, type i, type II, SAS 70, How expensive is a SAS 70, Statement on Auditing Standards No. 70, charles denyer, SAS 70 CPA firm

As a SAS 70 auditor for a nationally recognized boutique CPA firm, I can honestly attest to the fact that SAS 70 pricing is still all over the map. I hear of SAS 70 Type I audits costing as little as $12,000 and SAS 70 Type II reports costing as much as $70,000. That’s not to say these prices are “incorrect”; rather, you have to try to understand the true “scope” of the audit and what is actually being covered in the SAS 70 Type I or SAS 70 Type II audit. Remember, there is without question a baseline cost involved in every SAS 70, but the scope of the audit is what will ultimately determine the fee for a Type I or a Type II audit.

If you want to learn more about pricing for SAS 70 audits along with other essential auditing information concerning Type I and Type II audits, then visit the official SAS 70 Resource Guide, where a wealth of information is provided on Statement on Auditing Standards No. 70 (SAS 70).

And remember, the lowest fee is by no means the best fee for your organization. Pricing alone should not dictate who you would use to conduct your SAS 70 Type I or Type II audit.


Nov 9 2009   12:58PM GMT

PCI DSS Roadmap to Compliance | Phase I

Posted by: Charles Denyer
PCI DSS, payment card industry data security standards (PCI DSS), merchants, service providers

Merchants and service providers seeking to become Payment Card Industry Data Security Standards (PCI DSS) compliant will need to embark on a structured “PCI DSS Roadmap to Compliance” to ensure a seamless and transparent process. So what does this really mean and entail? It essentially requires all organizations to follow a path to PCI DSS compliance that is scalable, efficient, and gets you the results you need.

With that said, the first phase of any PCI DSS assessment is a Readiness Assessment. This is a vital process that must always be the first step. In this phase, your organization will identify the “who, what, where, and why” of the PCI DSS cardholder data environment. You will come to understand what the essential scope of the overall PCI DSS assessment will be, which “system components” are included in the scope of the assessment, and most importantly, which gaps or remediation activities have been found that will need to be corrected. To learn more about PCI DSS compliance, visit the official PCI DSS Resource Guide.