[ISN] Offsite security complicates compliance

From: InfoSec News (isn@private)
Date: Tue Mar 22 2005 - 00:12:33 PST


By Ann Bednarz
Network World Fusion

Offsite security conditions are always a factor to consider when a
company enters an outsourcing deal, but regulatory initiatives are
raising the stakes.

IT executives need to ensure service providers have proper system
controls in place before and after they enter into sourcing and
hosting arrangements, analysts say. It's not only a good business
practice, it's also increasingly required by law.

One law putting a spotlight on outsourcing deals is the Sarbanes-Oxley
(SOX) Act of 2002, which Congress passed in the wake of accounting
scandals at firms such as Enron and WorldCom.

SOX has IT and finance departments working closely to review and
modernize companies' financial reporting systems to comply with its
regulations. Of particular concern is Section 404 of the legislation,
which calls for company executives and third-party auditors to certify
the effectiveness of internal controls - technologies and processes
put in place to preserve the integrity of financial reports.

Doing due diligence to Section 404 means looking into conditions at
outsourcing and hosting providers' sites, where sensitive corporate
data might be accessible, processed or stored. That's where Statement
on Auditing Standards (SAS) 70 comes in.

SAS 70 is an auditing standard developed by the American Institute of
Certified Public Accountants for service organizations. It prescribes
a method for an auditor to examine control activities at a service
organization or outsourcing firm.

There are two types of SAS 70 audits. A Type 1 audit focuses on
general controls at a single point in time and doesn't include testing
by auditors. A Type 2 audit is more intensive - and more appropriate
for SOX compliance. It looks at conditions over a prolonged period of
time, and auditors perform testing to verify the effectiveness of
controls at service organizations.

SOX compliance efforts have elevated interest in the auditing
standard, which has been around since 1992. "We are doing a lot more
SAS 70s lately," says Ed Byers, a principal at Deloitte & Touche.

Outsourcers agree that users are beginning to ask for SAS 70 audits.  
"It was something our customers were looking for," says John Engates,
CTO at Rackspace Managed Hosting.

Ernst & Young recently concluded an SAS 70 Type 2 audit for the San
Antonio managed hosting provider. The audit covered controls related
to service delivery and operations, infrastructure maintenance, change
management, back-up processes, and logical and physical data center
access, Engates says.

Rackspace underwent the audit at the request of some of its largest
customers, which are facing SOX Section 404 deadlines, Engates says.  
Section 404 says companies must prepare reports - to accompany their
annual reports filed with the Securities and Exchange Commission -
assessing the effectiveness of their internal control structures and
financial reporting procedures. Section 404 deadlines are staggered
and begin this spring.

"They really need some assurance that the controls that are in place
outside of the walls of their companies are as effective as the
controls inside their companies," he says.

At the same time, Rackspace benefits from having gone through a formal
process to analyze and document its internal controls. "It put a
spotlight on our documentation and the formalization of our policies
and processes," Engates says.

Securing SAS 70 certification requires a commitment - of personnel and
budgets - on the outsourcing providers' part. At Rackspace, the
certification process took almost one year, from the early stages of
defining the scope of the audit to the full-blown testing of controls.

Sierra Atlantic will spend about $25,000 to achieve SAS 70
certification this year, says Marc Hebert, executive vice president at
the Fremont, Calif., company, which offers a range of offshore
application services. Sierra Atlantic is in the process of securing
SAS 70 Type 2 certification.

Like Rackspace, Sierra Atlantic decided to pursue SAS 70 certification
because of customer demand, Hebert says.

In general, there's a tendency for

companies to secure more SAS 70 certifications from outsourcers than
are needed, Byers says. "Companies are so scared about Sarbanes-Oxley
they want to audit everything," he says.

There's confusion over when an SAS 70 audit is required and when it
isn't - particularly when it comes to smaller service providers that
might not have the necessary controls in place, Byers says.

The most common scenario that would require a company to secure an SAS
70 audit from its service provider is when the company outsources
application processing such as payroll. "If you outsource a
transaction process like payroll, then you probably want an SAS 70 -
because the control is at the service provider," Byers says.

But not every outsourcing arrangement necessitates an SAS 70. For
example, a company that uses contract employees from an IT service
provider to help manage its applications probably doesn't need an SAS
70 from the service provider because control over the systems remains

Likewise, if a company uses an outsourcer for certain application
development activities but retains control over application testing
and change control, an SAS 70 might not be required. "If management is
providing all the control, you don't need to have an audit of the
service provider," Byers says.

Some arrangements are particularly cloudy about SAS 70 requirements.  
In a hosting arrangement, it's important to determine who has control
over updates to an application, Byers says. Additionally, even if a
company retains control over application testing and updates, an SAS
70 audit might be required to assess physical and environmental
controls at the service provider's site, Byers says.

Even if an SAS 70 audit has been completed, it might not be adequate
for SOX compliance, Meta Group says. The SAS 70 standard was developed
long before SOX regulations and doesn't necessarily focus on the type
of controls that SOX requires, according to the research firm.

There's no standard prescription for what is covered in an SAS 70
audit, Byers agrees. A service provider typically defines the control
objectives and activities covered in an SAS 70 audit of its
operations. "An SAS 70 can include as much or as little as a service
provider wants. It's not a standardized audit report," Byers says.

Because the comprehensiveness of SAS 70 audits varies, it's up to the
contracting company and its auditors to assess a service provider's
SAS 70 for completeness and adequacy.

"Since the SAS 70 isn't standardized, you need to assess its
completeness," Byers says. "Does it cover all your general computer
controls? Does it cover applicable business process controls via the
application controls?" In theory, a service provider could exclude
areas from an SAS 70 audit where it knows it's vulnerable. But that's
not typical, Byers says. In general, SAS 70 audits have become more
comprehensive in light of SOX, he says.

Bellua Cyber Security Asia 2005 -

This archive was generated by hypermail 2.1.3 : Tue Mar 22 2005 - 02:52:39 PST