charles denyer

SAS 70 and Business Continuity Planning (BCM) | What you Need to Know

As a SAS 70 auditor, i’m often asked if Business Continuity and Disaster Recovery (or any of the other similar terms and phrases used) is part of the actual SAS 70 audit. In fairness, it is even though “technically” it does not fall into a scope of a SAS 70 Type I or SAS 70 Type II audit. How’s that, you ask? Simple, according to the AICPA publication on Statement on Auditing Standard No. 70, “plans” such as BCDRP, BCM, etc. are not “controls” thus they are not considered to be part of the audit. Now, that’s the technical understanding. To be blunt, in today’s post 9/11 world we live in, Business Continuity is very much part of any service organization’s critical infrastructure, and as such, many CPA firms actually “test” to ensure an organization has a Business Continuity plan and supporting documentation in place. And no, they don’t test the plan to see if it works, they simply validate that a documented BCM plan is in place.

In short, don’t be surprised if you find information in a SAS 70 Type I or Type II audit relating to BCM. It may be in the form of a control objective that was tested or it may simply be “additional information” provided by the service organization that is actually going through the audit.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.

PCI DSS and Service Providers | Common Examples of these Entities

The Payment Card Industry Data Security Standards (PCI DSS) provisions call for both merchants and service providers to become PCI DSS compliant. Though the term “merchant” is easily understood, the term “service provider” has created some confusion as to who these entities really are. With that said, here is a list of common service providers that are being required to become PCI DSS compliant:

Transaction Processors
Payment Gateways
Independent Sales Organizations (ISO)
External Sales Agents (ESA)
Call Centers and Customer Service Entities
Plastic Card Embossing Companies
Remittance Processing Companies
Managed Service Providers
Data Centers
Co-location Entities
Web Hosting Providers
Email (Microsoft Exchange) Providers

In short, any entity other than a merchant that is directly involved in the processing, storage, or transmission of cardholder data will need to become Payment Card Industry Data Security Standards (PCI DSS) compliant.

To learn more about PCI compliance, visit the official PCI DSS Resource Guide.

PCI DSS Compliance and the Major Payment Brands | What you may NOT Know

Merchants and service providers seeking to become Payment Card Industry Data Security Standards (PCI DSS) compliant may not actually know that the five (5) major payment brand also have their own security risk management and compliance programs. However, rest assured that, by and large, these security risk management and compliance programs are essentially “encapsulated” into the overall PCI DSS framework for purposes of compliance.

Thus, with that said, here they are:

AMEX: Its the “American Express Data Security Operating Policy” (DSOP)
Discover: Its the “Discover Information Security Compliance” (DISC)
JCB: Its the “Data Security Program”
Mastercard: Its the “Site Data Protection” (SDP)
VISA: Its the “Cardholder Information Security Program” (CISP)

So, to learn more about these five requirements, simply “google” the respective programs and you’ll find some very interesting (and hopefully useful) information. These payment brand programs include tracking and enforcement provisions, penalties, fees and compliance deadlines along with other essential information.

To learn more about PCI DSS compliance, visit the official PCI Resource Guide.

PCI DSS Readiness Assessments | Hire a Qualified Security Assessor (QSA)

PCI DSS compliance can be an arduous undertaking for many service providers and merchants in today’s business arena. Add to the fact the many organizations are unsure of the roadmap for PCI DSS compliance, it makes sense to hire a Qualified Security Assessor (QSA) in helping you conduct a PCI DSS Readiness Assessment.

The most important findings and deliverables out of a PCI DSS Readiness Assessment are that your organization will truly understand what the scope of the assessment process is, that is, what systems, processes, and activities are to be included.

Secondly, your organization will also have identified what gaps or weaknesses are currently in place that will need to be corrected before you can even plausibly think of becoming PCI DSS compliant.

Additionally, a host of other helpful information can be provided by a Qualified Security Assessor when undertaking a PCI DSS Readiness Assessment. To learn more about PCI compliance, visit the official PCI DSS Resource Guide.

SAS 70 Audits | How Expensive are They and What is the true Cost?

As a SAS 70 auditor for a nationally recognized boutique CPA firm, i can honestly attest to the fact that SAS 70 pricing is still all over the map. I hear of SAS 70 Type I audits costing as little as $12,000 to SAS 70 Type II reports costing as much as $70,000. That’s not too say these prices are “incorrect”, rather, you have to try and understand the true “scope” of the audit and what is actually being covered in the SAS 70 Type I or SAS 70 Type II audit. Remember, there is without question a baseline cost involved in every SAS 70, but the scope of the audit is what will ultimately determine the fee for a Type I or a Type II audit.

If you want to learn more about pricing for SAS 70 audits along with other essential auditing information concerning Type I and Type II audits, then visit the official SAS 70 Resource Guide, where a wealth of information is provided on Statement on Auditing Standards No. 70 (SAS 70).

And remember, the lowest fee is by no means the best fee for your organization. Pricing alone should not dictate who you would use to conduct your SAS 70 Type I or Type II audit.

PCI DSS Compliance for Service Providers | A Growing Trend

PCI DSS compliance for service providers is growing at quite an astonishing rate, to say the least. One of the biggest contributors is that of data centers, co-location facilities, and other types of organizations providing managed services. In short, they are quickly being identified as “in scope” and in the loop in regards to storing, processing or transmitting cardholder data. Compliance for many of these service providers is not as explicit as it is for merchants; this due in large part to the unique service offerings provided by each respective service provider themselves.

Listed below are some common examples of Service Providers that are now being requested to become Payment Card Industry Data Security Standards (PCI DSS) compliant:

Transaction Processors
Payment Gateways
Web Hosting companies
Data Centers
Managed Service providers.

And the major payment brands have varying terms for what they actually call a service provider. Some are called a “Third Party Processor”, a “Data Storage Entity”, or a “Payment Service Provider”.

Two things to remember: First, compliance for service providers will continue to grow, and rapidly. Second, storing, processing, or transmitting data in any type of capacity will immediately place you under the category of a merchant or a service provider.

Visit the official PCI DSS Resource Guide to learn more about PCI compliance.

PCI DSS | SAS 70 | Finding Resources to Learn about Compliance

PCI DSS and SAS 70 Type I and Type II audits are a mainstay in today’s regulatory arena. As such, i’m often asked what are some of the best resources available to learn about the Payment Card Industry Data Security Standards (PCI DSS) initiative and the SAS 70 audit requirements.

PCI DSS
pcisecuritystandards is the official site for PCI DSS compliance. It was put forth by the Payment Card Industry Security Standards Council, commonly known as the PCI SSC. The major payment brands have effectively endorsed the PCI DSS standards, thus you can learn all you need to know about PCI DSS by visiting their site. The left column gives you quick links to all the important PCI DSS information. Their are also some very helpful forums such as pcianswers and pcidssguru. These sites are managed by industry veterans in the Payments Industry and they give you unbiased and straight answers to any questions you may have.

SAS 70
The official AICPA website offers little in the way of education on SAS 70 audits. They do sell a book on SAS 70, but it is primarily geared towards auditors and is written in a technical manner. The other solution is to visit the Official SAS 70 Resource Guide, where you can watch training videos and learn all aspects of SAS 70 Type I and Type II audits.

SAS 70 Audits for Data Centers | Why the Trend will Continue

SAS 70 audits have quickly become a high priority for data centers, co-location entities and managed service providers as of late. And there are plenty of reasons why this trend will continue go grow. The number of organizations that have buried the client server architecture is growing every day, resulting in a huge surge for data centers. In fact, most quality data centers in the United States are having little or no challenges in filling up their data center floor space. From traditional ping, power and pipe to fully managed services, data centers are becoming a necessity for most businesses today. As a result of this, their respective compliance requirements will continue to expand also. From SAS 70 to PCI DSS, just to name a few, data centers are being hit hard with the regulatory compliance bug.

Add to the fact that many data centers are now physically housing sensitive health care and financial information for many of their clients. As such, client requests for the security, confidentiality and integrity of this data are being validated via SAS 70 Type II audits. This “trend” if you want to call it that, will become a mandatory requirement for any data center seeking to grow and prosper in the coming years.

Visit the official SAS 70 Resource Guide to learn more about SAS 70 Type I and Type II audits.

GLBA and Data Centers | Tips for Compliance

GLBA Privacy Rule
Protecting the privacy of consumer information held by “financial institutions” and other third party vendors and service providers that provide “support services” to these “financial institutions” is at the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999. The GLB Act requires companies to give consumers privacy notices that explain the institutions’ information-sharing practices. In turn, consumers have the right to limit some - but not all - sharing of their information.

The GLB Act applies to “financial institutions” and other third party vendors and service providers; companies that offer and support financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to “financial institutions” that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. At the same time, the FTC’s regulation applies only to companies that are “significantly engaged” in such financial activities, such as DATA CENTERS.

The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.

Consumers and Customers
A company’s obligations under the GLB Act depend on whether the company has consumers or customers who obtain its services. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. A customer is a consumer with a continuing relationship with a financial institution. Generally, if the relationship between the financial institution and the individual is significant and/or long-term, the individual is a customer of the institution. For example, a person who gets a mortgage from a lender or hires a broker to get a personal loan is considered a customer of the lender or the broker, while a person who uses a check-cashing service is a consumer of that service.

Thus, in short data centers may very well be called upon to become GLBA compliant via an audit or assessment process. My advice, find a competent SAS 70 auditor who can help incorporate GLBA tests into a SAS 70 or find a competent GLBA auditor.

HIPAA Compliance for Data Centers | The How and Why

HIPAA compliance for data centers is fast becoming a hot topic in regulatory compliance. It first started with Statement on Auditing Standards No. 70 (SAS 70), it is now moving onto the Payment Card Industry Data Security Standards (PCI DSS) provisions, and how the Health Information Portability and Accountability Act (HIPAA) mandates may very well be next on the horizon.

In short, it is a string of compliance requirements that has and will continue to be had for data centers, co-location, and managed service entities. And why? Because these types of businesses are at the forefront of virtualization, cloud computing, hybrid clouds, software as a service (SaaS) platforms

So, if a data center undertakes a HIPAA assessment or audit, are they HIPAA compliant, do they get a HIPAA certificate, etc? The best way to answer that is an accounting firm would undertake an Agreed Upon Procedure (AUP) audit an the audit itself would test the requirements as stated in the HIPAA provisions. You would then end up with a data center that is compliant with these very provisions.

In subsequent blogs, i’ll discuss the scope of a HIPAA assessment/audit for a data center.