As a SAS 70 auditor, i’m often asked if Business Continuity and Disaster Recovery (or any of the other similar terms and phrases used) is part of the actual SAS 70 audit. In fairness, it is even though “technically” it does not fall into a scope of a SAS 70 Type I or SAS 70 Type II audit. How’s that, you ask? Simple, according to the AICPA publication on Statement on Auditing Standard No. 70, “plans” such as BCDRP, BCM, etc. are not “controls” thus they are not considered to be part of the audit. Now, that’s the technical understanding. To be blunt, in today’s post 9/11 world we live in, Business Continuity is very much part of any service organization’s critical infrastructure, and as such, many CPA firms actually “test” to ensure an organization has a Business Continuity plan and supporting documentation in place. And no, they don’t test the plan to see if it works, they simply validate that a documented BCM plan is in place.
In short, don’t be surprised if you find information in a SAS 70 Type I or Type II audit relating to BCM. It may be in the form of a control objective that was tested or it may simply be “additional information” provided by the service organization that is actually going through the audit.
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
The Payment Card Industry Data Security Standards (PCI DSS) provisions call for both merchants and service providers to become PCI DSS compliant. Though the term “merchant” is easily understood, the term “service provider” has created some confusion as to who these entities really are. With that said, here is a list of common service providers that are being required to become PCI DSS compliant:
Independent Sales Organizations (ISO)
External Sales Agents (ESA)
Call Centers and Customer Service Entities
Plastic Card Embossing Companies
Remittance Processing Companies
Managed Service Providers
Web Hosting Providers
Email (Microsoft Exchange) Providers
In short, any entity other than a merchant that is directly involved in the processing, storage, or transmission of cardholder data will need to become Payment Card Industry Data Security Standards (PCI DSS) compliant.
To learn more about PCI compliance, visit the official PCI DSS Resource Guide.
Merchants and service providers seeking to become Payment Card Industry Data Security Standards (PCI DSS) compliant may not actually know that the five (5) major payment brand also have their own security risk management and compliance programs. However, rest assured that, by and large, these security risk management and compliance programs are essentially “encapsulated” into the overall PCI DSS framework for purposes of compliance.
Thus, with that said, here they are:
AMEX: Its the “American Express Data Security Operating Policy” (DSOP)
Discover: Its the “Discover Information Security Compliance” (DISC)
JCB: Its the “Data Security Program”
Mastercard: Its the “Site Data Protection” (SDP)
VISA: Its the “Cardholder Information Security Program” (CISP)
So, to learn more about these five requirements, simply “google” the respective programs and you’ll find some very interesting (and hopefully useful) information. These payment brand programs include tracking and enforcement provisions, penalties, fees and compliance deadlines along with other essential information.
To learn more about PCI DSS compliance, visit the official PCI Resource Guide.
PCI DSS compliance can be an arduous undertaking for many service providers and merchants in today’s business arena. Add to the fact the many organizations are unsure of the roadmap for PCI DSS compliance, it makes sense to hire a Qualified Security Assessor (QSA) in helping you conduct a PCI DSS Readiness Assessment.
The most important findings and deliverables out of a PCI DSS Readiness Assessment are that your organization will truly understand what the scope of the assessment process is, that is, what systems, processes, and activities are to be included.
Secondly, your organization will also have identified what gaps or weaknesses are currently in place that will need to be corrected before you can even plausibly think of becoming PCI DSS compliant.
Additionally, a host of other helpful information can be provided by a Qualified Security Assessor when undertaking a PCI DSS Readiness Assessment. To learn more about PCI compliance, visit the official PCI DSS Resource Guide.
As a SAS 70 auditor for a nationally recognized boutique CPA firm, i can honestly attest to the fact that SAS 70 pricing is still all over the map. I hear of SAS 70 Type I audits costing as little as $12,000 to SAS 70 Type II reports costing as much as $70,000. That’s not too say these prices are “incorrect”, rather, you have to try and understand the true “scope” of the audit and what is actually being covered in the SAS 70 Type I or SAS 70 Type II audit. Remember, there is without question a baseline cost involved in every SAS 70, but the scope of the audit is what will ultimately determine the fee for a Type I or a Type II audit.
If you want to learn more about pricing for SAS 70 audits along with other essential auditing information concerning Type I and Type II audits, then visit the official SAS 70 Resource Guide, where a wealth of information is provided on Statement on Auditing Standards No. 70 (SAS 70).
And remember, the lowest fee is by no means the best fee for your organization. Pricing alone should not dictate who you would use to conduct your SAS 70 Type I or Type II audit.
Merchants and service providers seeking to become Payment Card Industry Data Security Standards (PCI DSS) compliant, will need to embark on a structured “PCI DSS Roadmap to Compliance” for ensuring a seamless and transparent process. So what does this really mean and entail? It essentially requires all organizations to follow a path for PCI DSS compliance that is scalable, efficient, and gets you the results you need.
With that said, the first phase to undertake for any PCI DSS assessment is essentially a Readiness Assessment. This is a vital process that must always be the first step to undertake. In this phase, your organization will essentially identify the “who, what, where, and why” of the PCI DSS cardholder data environment. You will come to understand what the essential scope of the overall PCI DSS assessment will be, what “system components” are included in the scope of the assessment, and most importantly, what gaps or remediation activities have been found that will need to be corrected. To learn more about PCI DSS compliance, visit the official PCI DSS resource guide.
PCI DSS compliance for service providers is growing at quite an astonishing rate, to say the least. One of the biggest contributors is that of data centers, co-location facilities, and other types of organizations providing managed services. In short, they are quickly being identified as “in scope” and in the loop in regards to storing, processing or transmitting cardholder data. Compliance for many of these service providers is not as explicit as it is for merchants; this due in large part to the unique service offerings provided by each respective service provider themselves.
Listed below are some common examples of Service Providers that are now being requested to become Payment Card Industry Data Security Standards (PCI DSS) compliant:
Web Hosting companies
Managed Service providers.
And the major payment brands have varying terms for what they actually call a service provider. Some are called a “Third Party Processor”, a “Data Storage Entity”, or a “Payment Service Provider”.
Two things to remember: First, compliance for service providers will continue to grow, and rapidly. Second, storing, processing, or transmitting data in any type of capacity will immediately place you under the category of a merchant or a service provider.
Visit the official PCI DSS Resource Guide to learn more about PCI compliance.
PCI DSS and SAS 70 Type I and Type II audits are a mainstay in today’s regulatory arena. As such, i’m often asked what are some of the best resources available to learn about the Payment Card Industry Data Security Standards (PCI DSS) initiative and the SAS 70 audit requirements.
pcisecuritystandards is the official site for PCI DSS compliance. It was put forth by the Payment Card Industry Security Standards Council, commonly known as the PCI SSC. The major payment brands have effectively endorsed the PCI DSS standards, thus you can learn all you need to know about PCI DSS by visiting their site. The left column gives you quick links to all the important PCI DSS information. Their are also some very helpful forums such as pcianswers and pcidssguru. These sites are managed by industry veterans in the Payments Industry and they give you unbiased and straight answers to any questions you may have.
The official AICPA website offers little in the way of education on SAS 70 audits. They do sell a book on SAS 70, but it is primarily geared towards auditors and is written in a technical manner. The other solution is to visit the Official SAS 70 Resource Guide, where you can watch training videos and learn all aspects of SAS 70 Type I and Type II audits.
Payment Card Industry Data Security Standards (PCI DSS) compliance for data centers is here to stay, thus your facility should be prepared to undergo the PCI DSS assessment in a cost-effective and efficient manner. Here are some tips for PCI DSS compliance for data centers.
1. PCI DSS compliance is NOT just limited to Appendix A of the PCI DSS requirements.
2. Conduct a PCI DSS Readiness Assessment for truly understanding the scope of the engagement for compliance.
3. Make sure you have policy and procedural documentation in place as this is a very large and time consuming effort for any organization, especially data centers.
4. Understand the requirements for quarterly scanning and penetration testing and what is in scope for the PCI DSS assessment.
5. Correctly SCOPE the assessment. This sounds like an easy process, but it can become quite complex with all the products and services (managed services) that data centers offer for businesses today.
6. Understand the initial “roadblocks” which many service providers run into, such as having to implement two-factor authentication for remote access into the production environment along with having password requirements for all system components that fall within the scope of the actual PCI DSS assessment. (These are just two of the many roadblocks that organizations encounter).
7. Find a competent, well-qualified QSA to assist with all your compliance needs.
Visit the official PCI DSS Resource Guide to learn about PCI DSS compliance.
SAS 70 audits have quickly become a high priority for data centers, co-location entities and managed service providers as of late. And there are plenty of reasons why this trend will continue go grow. The number of organizations that have buried the client server architecture is growing every day, resulting in a huge surge for data centers. In fact, most quality data centers in the United States are having little or no challenges in filling up their data center floor space. From traditional ping, power and pipe to fully managed services, data centers are becoming a necessity for most businesses today. As a result of this, their respective compliance requirements will continue to expand also. From SAS 70 to PCI DSS, just to name a few, data centers are being hit hard with the regulatory compliance bug.
Add to the fact that many data centers are now physically housing sensitive health care and financial information for many of their clients. As such, client requests for the security, confidentiality and integrity of this data are being validated via SAS 70 Type II audits. This “trend” if you want to call it that, will become a mandatory requirement for any data center seeking to grow and prosper in the coming years.
Visit the official SAS 70 Resource Guide to learn more about SAS 70 Type I and Type II audits.