Nothing But Net: Data Security [Part One]

*Data Security (Part One)*
**By Randy Schmidt**

As a provider of cloud-based applications, I am often asked about data security. Government regulations such as Sarbanes-Oxley and Gramm-Leach-Bliley require many financial institutions and public companies to evaluate the security measures of their outsourced data service providers. The question that I am most often asked is: “Do you have a SAS 70?” While this is certainly an important question to ask, an affirmative response to this question is no guarantee that your data is being properly protected.

To understand how this is possible, it is important to first understand what a SAS 70, or its upcoming replacement the SSAE 16, really is. A SAS 70 does not rate a service organization’s policies and procedures against a predefined list of controls. Instead, each service organization prepares a written description of the controls and control objectives that it wishes to have audited. The auditor then verifies that those controls are described accurately, are designed to achieve their stated objectives, have been placed in operation, and (in a Type II report only; a Type I report stops at design and implementation as of a point in time) whether they operated effectively over the review period. The problem is that since the audit only measures the controls the organization itself chose to describe, the auditor cannot report on missing controls or recommend replacements for weak ones. So if an organization knows that it has a weak or missing control, it can simply omit that control from its audit description. Here’s the problem:

Unfortunately, some financial institutions are treating the fact that a service provider has a SAS 70 as a de facto certification of data security without really looking at the individual controls and procedures that were audited. Many vendors count on this and only submit a minimal list of controls to be audited. In fact, some technology companies don’t even perform their own SAS 70 audit, but instead rely on the audit of the co-location or data center that houses the data. While such an audit may show that the data center has proper physical security and the latest in hardware, firewalls and intrusion detection, it says nothing about whether the technology vendor itself has the other policies and procedures in place that its own staff control. Policies like segregation of duties, data access controls, business continuity plans, data destruction policies, change control procedures and many others are just as important to review as the physical security of the data center.

To determine whether a vendor is properly protecting your data, each financial institution needs to do its own risk assessment and decide which controls and procedures are important to it. A vendor review then needs to be performed to make sure that the vendor has all of those controls and procedures in place. A SAS 70 should not be used as a replacement for due diligence, but rather as a tool to make due diligence faster and easier. By cross-referencing an institution’s desired controls and objectives against those covered by the vendor’s report, you can quickly determine which controls are unaddressed and what follow-up questions need to be asked.

What should you look for when reviewing a SAS 70 or SSAE 16? Although each institution’s list of desired controls and objectives may differ based on the level of risk and type of data involved, there are certain items that should be considered as part of any vendor due diligence process. I’ll discuss these items in my next article, Data Security – Part 2.