SAS70: Key to Web Security?

Standard may be waste of time-not seal of approval

Pamela Fusco had no idea what she was getting into when her company decided to go through an SAS70 audit of its security practices and procedures. Director of systems security operations for Web hosting provider Digex Inc., Fusco figured she would meet with the outside audit team once a month or so, answer a few questions and pretty much be done with it.

No such luck.

After a good two years of subjecting processes to exhaustive scrutiny and at a cost of more than $150,000 (not counting internal labor), Digex finally finished the second and last phase of its Statement of Auditing Standards 70 audit in July last year, a fact it touts on its Web site.

So, did all that time and effort improve Digexs security? No—but then, SAS70 certification is not even supposed to improve security. Its merely a sign to others—read, customers—that your security processes are what you say they are. If a company claims its security is lousy, SAS70 will verify the companys site to make sure that, yes indeed, its security is lousy, and thus it meets SAS70 certification standards.

If youre an IT professional, you may well wonder what the SAS70 could possibly have to do with you in the first place. After all, SAS70 was created by the American Institute of Certified Public Accountants as a way for a financial auditor to evaluate and test the quality and completeness of various processes within an enterprise.

At first blush, CPAs and IT people would seem to make pretty strange bedfellows. But service providers (especially in the Internet services industry, as with Digex) are increasingly putting themselves through SAS70 audits as a way to certify to potential partners and customers that their security practices are sound.

As such, an increasing number of IT managers will have to contend with these lengthy and often burdensome audits. Experts say the key to preparing for the ordeal is to make sure documentation is in order.

For IT managers who are trying to gauge the worth of a potential service provider, experts say there are other security certifications—such as TruSecure, WebTrust, ISC2 or SysTrust—that might provide a better security seal of approval.

For their part, Digex executives had decided almost three years ago to undertake an SAS70 audit—performed by Ernst & Young LLP—to signal to their customers that their security operations are sound. Fusco soon found the audit was a much bigger deal than she expected.

"I didnt know this was going to be such a big time commitment. I thought I would be able to meet with the audit team once a month, and that would be it," she said at Digex headquarters in Laurel, Md.

During the grueling six months it took merely to define the scope of what would be included in the SAS70 audit, Fusco met almost daily with the auditors, produced reams of documentation and arranged interviews with all the members of her 15-person security team.

Fusco said potential customers ask to see a copy of the SAS70 audit report, which they then use to show their customers that their hosting provider uses reliable security practices.

"They use the report to reassure their customers," she said. "Our marketing department would say that its a competitive advantage. For me, its a confidence level that someone out there understands our security goals and has certified that we are meeting them."

Web service providers (such as security services company VeriSign Inc.) have been attempting to differentiate themselves from their competitors on the strength of having been through an SAS70. In this case, the SAS70 audit often covers IT-related matters such as backup, authentication and security.

Other types of companies are jumping through the SAS70 hoops in order to signal to the universe that somebody, somewhere has deemed their processes—and, by extension, their IT systems—sound.

But the standard was never intended to be security- or technology- specific, according to David Thompson, an independent IT consultant in Shrewsbury, Mass., who performed SAS70 audits when he worked at PricewaterhouseCoopers.

"VeriSign is using an SAS70 as a way of showing it can be trusted to protect peoples public keys. But [SAS70] doesnt have anything to do with security," said Thompson, who is also an eWeek columnist. "SAS70 is being used as a validation methodology for all kinds of things."

And SAS70 is not a trivial undertaking. Led by a CPA, the audit takes three to six months, costs from $60,000 to $200,000 and has to be done each year to remain valid. "[SAS70] just continues," Fusco said.

An invention of the AICPA, SAS70 sprang up about five years ago. Its primary use, then and now, has nothing to do with information security. Rather, financial services companies engage their accounting companies (usually, although not necessarily, one of the Big 5) to evaluate their service providers processes along with their own as part of their annual financial audits. A credit union would hire Ernst & Young, for example, to audit the soundness of its check-processing providers processes.

SAS70s prime purpose is to audit the controls in place to prevent or detect an error that would be significant to a financial audit, according to Scott Coolidge, CPA, a manager at New York-based Ernst & Young. Coolidge also maintains the SAS70. com Web site.

While the audit team is on-site, the IT managers life may be turned upside down as he or she struggles to find enough documentation to cover the departments practices.

Since the SAS70 process is not standard, the chief auditor will determine exactly what type of documentation is needed, based on the scope of the engagement as defined by the client. The auditor will then render a personal opinion that is not based on a standard set of criteria.

If It Happens to You

If your company decides to undertake an SAS70 that will cover IT systems and processes, get involved in the process. After all, an accountant is going to give an opinion on you. Ignore it at your peril.

The first thing is to get your documentation in order. If you dont have that, youd better begin the process of documenting everything in sight—from detailed backup and disaster recovery procedures to how users are authenticated on the network. Anything that deals with security is fair game.

"A lot of IT organizations are lazy about their processes. They know how to do things, but its not written down anywhere," Thompson said. If this applies to you, try to convince your boss to delay the audit until your documents are in order. If you are not sure whether your processes will pass muster, for about $30,000 you can contract with an accounting company to evaluate your organizations SAS70 readiness.

If you are evaluating service providers, be cautious about picking one based on a successful SAS70 audit.

"SAS70 is an extremely big, extremely complex process. The company can certify that they met a standard, but whats important is whether or not that standard is relevant," said Jody Patilla, an eWeek columnist and chief analyst for Metases, a Meta Group Inc. security services spinoff in Charlotte, N.C.

Gauging the standards relevance can be tough, considering each SAS70 audit is different. Its hard to determine what, if anything, it says about a companys security policies or Web hosting ability. If youre looking for a security seal of approval, it is arguably better to look for one of the many standards-based seals that have cropped up recently.

One of those, for example, is TruSecure. "We evaluate where companies stand against our list of [security] best practices," said Marne Gordan, director of regulatory affairs for TruSecure Corp., in Reston, Va. More than 350 companies have received the TruSecure security seal, according to Gordan.

And while nobody as yet is keeping track of how many companies have passed through the SAS70 gantlet, Digex, for one, has passed both SAS70 and TruSecure. In fact, the company is such a big believer in the value of seal programs that it is also pursuing WebTrust, CyberTrust and SysTrust certification. "Were going to do all of them," Fusco said.

Today, having been through SAS70 and TruSecure, Fusco knows the drill. Said she: "In the beginning, [these audits] were a thorn in my side. Now I know what I need to do, and I accept it as part of my day-to-day business plan."