SAS 70 not a certification for security in cloud: Gartner

SearchSecurity.in Staff
According to a recent Gartner release, the Statement on Auditing Standards (SAS) 70 standard is being misused by many vendors, organizations and certified public accountants (CPAs) as a certification "proving" privacy and security in cloud computing.

Intended for use by the customer's auditor, the result of a SAS 70 is either a Type I attestation that the processes as documented are sufficient to meet specific control objectives, or a Type II attestation, which additionally includes an on-site evaluation to determine whether the processes and controls actually function as anticipated.

In the release, Gartner warns enterprises against application hosting, SaaS and cloud computing providers who treat SAS 70 as a form of certification that addresses privacy, continuity and security in the cloud. SAS 70 is only a generic guideline for the preparation, procedure and format of an auditing report. It always places the onus on the service recipient, or more precisely on the recipient's auditor, to ensure that all controls relevant to the recipient's requirements are examined.

Gartner recommends a mix of the following methods to supplement or serve as an alternative to SAS 70 for security in the cloud: background and reference checks; vendor self-assessment with attached evidence (which could include Payment Card Industry security assessments, self-testing, and records from other external audits); on-site audits by the enterprise's own internal auditors; and application of direct controls to the service provider (for example, having vendor employees undertake the organization's ethics training and sign off on the code-of-conduct policy).

Enterprises can also evaluate alternative assessment standards for vendor security in the cloud, compliance and risk management, such as ISO standard certifications, BITS Shared Assessments, SysTrust and WebTrust (formal security certifications sponsored by the AICPA and carried out by CPA-qualified auditors), and AT Section 101, a flexible attestation procedure sponsored by the AICPA that can be used by any CPA-qualified auditor. Gartner also recommends SAS 70's successor, Statement on Standards for Attestation Engagements (SSAE) 16, as a means of verifying a cloud provider's claims of security in the cloud.