Posted by: Jeromie Jackson
aicpa, sas 70, sas70 certification, sas70 type ii, ssae 16
June 15, 2011 is the date set to begin implementation of the standard. The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) maintains the SAS 70 standard. The SAS 70 is the de-facto standard used to document a service provider’s internal security controls. Too bad it misses the boat in truly documenting a service provider’s security posture.
The primary problem with the SAS 70, and the upcoming SSAE 16, is the lack of standard control requirements. The SAS 70/SSAE 16 allows the service provider to define which controls are utilized. The audit only confirms the implementation of the documented controls; a review of whether those controls are sufficient is not conducted. Without a standard, the quality and comprehensiveness of the controls becomes questionable.
Mature organizations have adopted control frameworks such as COBIT and the ISO 27000 series. The Control OBjectives for IT (COBIT) defines control focus areas, key performance indicators (KPIs), key goal indicators (KGIs), and governance to assist organizations in reaching high levels of maturity. COBIT defines maturity much like the SEI Capability Maturity Model (SEI-CMM):
- Level 0: Non-existent
- Level 1: Initial/ad hoc
- Level 2: Repeatable but Intuitive
- Level 3: Defined Process
- Level 4: Managed and Measurable
- Level 5: Optimized
There are two primary changes between the SAS 70 and the SSAE 16. With SSAE 16, service provider executives will now be required to provide attestations about the presentation and accuracy of the system and its supporting controls. Secondly, as opposed to the SAS 70, which represented a specific date, the SSAE 16 will represent a period of time.
Contrary to a popular misconception, there is no SAS 70 Type certification process. The SAS 70 and SSAE 16 are meant to be used as a standard communications vehicle between auditors. While reviewing SAS 70 and SSAE reports from vendors is prudent, and may provide some protection from a legal perspective, a deep-dive into the reports is required to truly understand the quality of information security within the service provider. I recommend always asking for the right to audit the service provider in contractual agreements. As with most negotiations, ask for twice as much as what you expect. If they decline, I recommend at minimum the right to review the most recent penetration testing and vulnerability assessment reports. Ensure your intellectual property is protected both with vendors with whom you share data or physical location, and with those who may remotely connect into your networks. Always remember-