SAS-70 in the Data Center

Standardization, and the associated certification to prove compliance with standards, can be both an indispensable assurance of quality for consumers and an unwelcome expense for vendors.

During the Internet’s “wild west” boom phase in the early 1990s, the pace of technological innovation was so fast that there was little time for rigid standardization or certification. Most of the technologies we rely upon today, such as TCP/IP networking, were developed without formal methodologies; internet standards generally consisted of “Request For Comments” (RFC) and “Best Current Practices” (BCP) papers written by the parties with an interest in the emerging technologies.

As the Internet matured and real money began to flow through the network, technologies that were once mere research projects became part of real-world, critical infrastructures essential to business and government. The globalization of business fueled by the Internet meant that it was no longer sufficient to allow organizations to manage their own data processing without oversight.

One of the most important standards documents in today’s information economy is SAS-70, or “the Statement on Auditing Standards, #70”. The standard, originally titled “Reports on the Processing of Transactions by Service Organizations”, provides guidance to auditors assessing security controls. The standard was released by the American Institute of Certified Public Accountants (AICPA) in 1992, well before the internet was widely used as an electronic commerce platform.

Information security is now the foremost requirement of most organizations when selecting a data center. In the wake of the Enron scandal in 2001, in which deceptive accounting techniques were used to defraud investors of some $11 billion, public faith in existing accounting standards deteriorated, and there were widespread demands for more comprehensive safeguards to prevent future occurrences. Section 404 of the Sarbanes-Oxley (SOX) Act required all publicly traded companies to utilize SAS-70 “type II certified” data centers.

A data center qualifies as a “service organization” if it provides services which impact its customers’ financial record-keeping in any way; such services include managed security, data storage and general IT support.

Unlike other important IT security standards, SAS-70 does not describe the actual controls implemented to safeguard the integrity of transaction information; rather it outlines the processes used when conducting audits of these controls. A SAS-70 report contains the opinions of an auditor on how verifiable an organization’s IT security policies are. This means there is technically no way to be “SAS-70 certified”, since there is no control framework mandated. There are two primary types of SAS-70 reports – “type I” covers the controls implemented by an organization; “type II” includes a comprehensive assessment of effectiveness of these controls.

To the managers of a data center, completion of a SAS-70 audit is a way to attract high-end business. To customers, the audit provides assurance that the data center has an auditable set of information security controls in place to safeguard critical data. SAS-70 does not certify that the controls are implemented and sufficiently secure, only that they are readily verifiable by an auditor.

To achieve a satisfactory SAS-70 report, data center managers must identify which information security standards are relevant, implement the controls mandated by those standards, and finally ensure that proof of standards compliance is readily available to auditors. Compliance is more than a business requirement to a data center; it is a vital part of the value delivered to customers. Products and services that are certified to comply with security standards justify higher pricing, and security auditing solutions offer very high profit margins. Pricing for high-end data centers offering SAS-70 compliance can be much higher than the market average.

It is important to ensure that internal auditing processes are in place to verify compliance with an organization’s adopted standards; this reduces the cost of third-party services and helps to ensure that the organization realizes long-term benefits from information security investments.

The main information security standards relevant to the data center are:

Control Objectives for Information Technology (COBIT)
Information Technology Infrastructure Library (ITIL)
Payment Card Industry Data Security Standard (PCI DSS)
Personal Information Protection and Electronic Documents Act (PIPEDA)
ISO 15443: Framework for IT Security Assurance
ISO 20000: Information Security: Service Management
ISO 27002: Code of Practice for Information Security Management
FIPS: National Institute of Standards and Technology Federal Information Processing Standards (NIST FIPS)
Committee of Sponsoring Organizations of the Treadway Commission framework (COSO)

The primary areas covered by these standards are:

policy: leadership, training and governance
confidentiality: protection of critical data from unauthorized disclosure via physical and virtual access controls
service management: IT operations, support and incident response
integrity: change management processes
continuity / availability: high-availability systems, backup/restore and disaster recovery

