SAS 70 Is Not Proof Of Security, Continuity, Privacy Compliance

According to Gartner, the Statement on Auditing Standards (SAS) 70 is being misused by many vendors, and often their customers and certified public accountants (CPAs), in the hosted-application, software as a service (SaaS) and cloud computing spaces.

"SAS 70 is basically an expensive auditing process to support compliance with financial reporting rules like the Sarbanes-Oxley Act (SOX)," said French Caldwell, Research Vice President, Gartner. "Chief Information Security Officers (CISOs), compliance and risk managers, vendor managers, procurement professionals, and others involved in the purchase or sale of IT services and software need to recognise that SAS 70 is not a security, continuity or privacy compliance standard."

Jay Heiser, Research Vice President, Gartner said, "Many providers of traditional application hosting, SaaS and cloud computing are currently treating SAS 70 as if it was a form of certification, which it is not." "Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a matter of suspicion when a vendor insists that it is."

"Vendor claims to be 'SAS 70 certified' indicate either ignorance or deception, neither of which is a good basis for trust. The only thing that can conclusively be said about having a SAS 70 Type II attestation is that an auditing firm has agreed that the service provider is effectively performing those controls that they paid the auditing firm to evaluate," Heiser added.

Nevertheless, Gartner analysts said a SAS 70 Type II evaluation does provide a very high degree of assurance that the examined controls are effective. The performance of controls is evaluated over a period of time; it is not just a snapshot of control effectiveness.

SAS 70 is one of several mechanisms that can be used to evaluate a service provider's control environment. Gartner recommends a mix of the following methods that can be used to supplement, or serve as an alternative to SAS 70 background and reference checks vendor self-assessment, and attached evidence (evidence could include SAS 70, Payment Card Industry security assessments, self-testing, and records from other external audits and assessors).

Also, on-site audit or assessment by the enterprise's own security assessors or internal auditors and application of direct controls on the services provider, for example having vendor employees undertake the organisation's ethics training and sign off on the code-of-conduct policy.

"Organisations are in the process of adapting their standards to better address the unique risk issues of cloud computing. Their efforts are iterative and service providers, customers and auditors must ensure that the standards and assessment procedures that they adopt, align with the specific cloud environment of the service provider," Caldwell said.

"To ensure that vendor controls are effective for security, privacy compliance and vendor risk management, SAS 70, its successor Statement on Standards for Attestation Engagements (SSAE) 16, and other national audit standard equivalents should be supplemented with self-assessments and agreed-upon audit procedures," Caldwell added.

Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.

Updated Date: Feb 02, 2017 22:38:59 IST