This posting is intended for my fellow auditors working in the Fortune 1000 world.
The Yankees are no longer winning the World Series every year, Bill Clinton lives in NY not Washington DC, and Y2K is a laughable memory, not a potential Armageddon. It's 2009, not 1999, so please, please, stop requesting SAS-70 reports from entities that process information on your behalf.
I will begrudgingly give the AICPA some credit for realizing in 1993 that the world needed a standard way to answer the question “How do I know you are doing due diligence to keep our data secure?”
However, they encumbered it with 2 basic flaws.
- It was a mechanism to document a control environment and its operation, not a standard for the operation of a secure environment. Sadly, too many of my fellow auditors took it as the latter, not the former, and just checked the box on their paperwork instead of “opining” on whether the documented environment was aligned with their information security requirements.
- The AICPA, in a very self-serving manner, mandated that only a CPA (to be clear — an accountant) could issue a SAS-70. Apologies to those whom I may offend, but with rare exception, the CPAs turned Information Systems auditors I have met are marginal information systems auditors (at best).
I believe ISO27001 (though not without a few flaws) is probably the best general purpose form of Information Security attestation available right now. NIST has some great stuff, especially if you work in the government space. If the data being processed on your behalf is “mono-compliant” you may be able to get away with the associated standard (e.g., HIPAA, PCI, PII).
Yes, that was “Guns and Roses” you just heard on the radio. However, it was a Classic Rock station, not a Top 40 station (which now plays Pink ad nauseam), so please change your “due diligence” paperwork to reflect the year.
About the Author:
John Verry, CISA, 27001 Certified Lead Auditor, CCSE, CRISC - "Security Sherpa" - Information Security Auditor