This article refers to the outdated SAS 70 reporting standard. SSAE 16 replaced SAS 70 in June 2011.
SAS 70 and SSAE 16 (SOC 1) reports cover only controls relevant to financial reporting. If you need assurance over the controls that bear directly on a data center, including security, availability and privacy, look for a SOC 2 report.
Audits create apprehension. They take significant effort and often result in required updates to your infrastructure and policies. A SAS 70 audit is no different. The SAS 70 audit process includes an in-depth examination of the effectiveness of a data center’s security and internal control processes.
At Online Tech, we have come through a number of SAS 70 audits (SAS 70 has since been replaced by a new attestation standard, SSAE 16; see our information on SSAE 16 hosting). We recently completed an audit of all three of our data centers and have also helped a number of our colocation and managed dedicated server clients through their own SAS 70 audits. These experiences, from both the auditee’s and the service provider’s perspective, have helped us identify five key elements for not only surviving a SAS 70 audit but thriving as a result of it.
First, let’s summarize what a SAS 70 audit is and is not. A SAS 70 audit does not prescribe a “standard” for any specific IT infrastructure or operation. For example, it does not prescribe that you must have a specific firewall policy. Rather, it prescribes a standard for auditing the “description of controls” of an IT function, as defined by the auditee. For instance, defining a process for making changes to a firewall is a good example of an IT control activity.
With that said, here are five tips that can help you succeed on your next SAS 70 audit.
Tip #1 – You Need Executive Sponsorship to Survive
A successful SAS 70 audit begins with one or more executives committing the corporate will to the cause. Often the SAS 70 audit is assigned to the security department or an IT staffer, but in reality security is everyone’s job, and only an executive has the perspective and authority to make changes that affect everyone’s job.
Even a well-run security department tends to isolate security expertise and practice, which is the opposite of what you want. Ingraining security or reliability throughout an organization requires a company-wide, cross-department perspective, and that is the purview of executive leadership.
At Online Tech, our CEO and CFO worked closely with the auditors, our entire organization and our clients to ingrain the proper attitudes. We began by articulating the motivation for the audit to the entire company, rallying the staff around the process and gaining their acceptance of the procedures and structures that SAS 70 requires. The result was positive: new procedures and practices were deployed as a result of the audit. This would not have happened without executive sponsorship.
Tip #2 – The Scope Will Make or Break You
The SAS 70 audit covers the controls you claim to have. However, there are no standards for those controls. To control the scope of the audit you need to control the scope of your claim. Claim less and the audit is easier. Claim too little and the auditor’s opinion on your controls will be weak. Claim more than you can reliably deliver every time and you will fail the audit.
We found it helpful to craft the controls so that they address the core motivation for the audit. If the motivation is to assure superior service delivery then your list of controls must be complete enough to ensure that superior service.
In Online Tech’s case, the core motivation was to deliver a reliable and repeatable set of secure data and network services. Therefore, we designed our controls to assure reliability and security. An example of a control for reliability is that “generators are tested and that the test is documented on a regularly scheduled basis”. An example of a control for security is that “all requests for firewall rule changes must come from approved sources and those sources must be verified on a specific schedule”. Both these controls were claimed and audited because they pertained to our core business and were in scope.
This is another reason executive leadership is critical. As you craft your controls, you are really describing how you assure your business model is being followed. This is exactly what executives want to know about their organization.
Tip #3 – 1% Vision and 99% Process: The Process Really Counts
Encryption, firewalls, intrusion detection, anomaly prevention and a plethora of other technologies provide a robust suite of security tools for network protection. Unfortunately, this entire safety net can be undone by a few instances of poor practice, intentional or not. Common culprits are weak, seldom-changed passwords; typos during a configuration change to critical infrastructure; and out-of-date documentation.
For this reason, a well-designed set of controls must address both the policies and adherence to them. Password policy is a common place to start. For example, you might have a policy that says all passwords must be changed every 90 days. What controls are in place to assure adherence to that policy? What controls are in place to mitigate the risk should someone violate it? Whether 90 days is the right interval is a separate question; whatever the policy says, the control only counts if you can show which accounts are out of compliance and what enforces the policy when nobody is checking.
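As an added example (not Online Tech’s code), here is the kind of check that turns the 90-day policy above into evidence. It parses constructed /etc/shadow-style lines, reports accounts whose password is older than the policy allows, and separately reports accounts where the system’s own maximum-age setting would not enforce the policy. The account names, hashes and the fixed as-of date are all made up for the example.

```python
"""Evidence for a password-rotation control: list the accounts whose
password is older than policy allows and the accounts where the system
itself would not enforce that policy.

Added example; not Online Tech's code. Input is a few constructed
/etc/shadow-style lines (shadow(5) format), and AS_OF is a fixed date so
the result is reproducible. The 90-day limit is the policy the article uses.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_AGE_DAYS = 90                       # policy value from the article's example
EPOCH = date(1970, 1, 1)                # shadow(5) stores "days since 1970-01-01"
AS_OF = EPOCH + timedelta(days=18620)   # fixed "today" for the sample (constructed)

# Constructed sample accounts, not real hashes. Fields:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhash:18500:0:99999:7:::
alice:$6$saltsalt$notarealhash:18560:0:90:7:::
bob:$6$saltsalt$notarealhash:18600:0:90:7:::
svc_backup:!:17000:0:99999:7:::
daemon:*:16000:0:99999:7:::
carol:$6$saltsalt$notarealhash::0:90:7:::
"""


@dataclass
class Finding:
    user: str
    reason: str


def parse_shadow(text):
    """Parse shadow-format lines into dicts holding only the fields the check needs."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"malformed shadow line: {line!r}")
        records.append({
            "user": fields[0],
            "hash": fields[1],
            "lastchg": int(fields[2]) if fields[2] else None,  # empty = aging disabled
            "max": int(fields[4]) if fields[4] else None,
        })
    return records


def is_locked(pw_hash):
    """shadow(5): a hash field starting with '!' or '*' can never match a login."""
    return pw_hash.startswith(("!", "*"))


def audit_password_age(records, as_of=AS_OF, max_age_days=MAX_AGE_DAYS):
    """Return one Finding per policy violation, in account order.

    Two things are checked for every account that can actually log in:
    1. is the password older than the policy allows (the adherence check), and
    2. would the system enforce the policy on its own (the max field), which
       is what mitigates the risk if nobody runs this report.
    """
    today = (as_of - EPOCH).days
    findings = []
    for r in records:
        if is_locked(r["hash"]):
            continue  # locked accounts have no password to rotate
        if r["lastchg"] is None:
            findings.append(Finding(r["user"], "no last-change date recorded; aging is disabled"))
            continue
        age = today - r["lastchg"]
        if age > max_age_days:
            findings.append(Finding(r["user"], f"password is {age} days old (policy: {max_age_days})"))
        if r["max"] is None or r["max"] > max_age_days:
            findings.append(Finding(r["user"],
                                    f"system max age {r['max']} does not enforce the {max_age_days}-day policy"))
    return findings


if __name__ == "__main__":
    for f in audit_password_age(parse_shadow(SAMPLE_SHADOW)):
        print(f"{f.user}: {f.reason}")
```

Run against a host’s real /etc/shadow (as root) the first kind of finding is the adherence report; the second kind is the mitigation check, since an account whose max field is 99999 depends entirely on someone remembering to rotate it.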
Change management is one of the most important policies. It describes how the organization manages changes to critical components. For example, you might have a change policy that allows no change to certain network devices without sign-off from more than one engineer. How do you enforce that policy? What documentation do you have to show who authorized the change and when? Change control policies protect you against accidental or intentional changes to critical devices, and they are an important component of a successful SAS 70 audit.
At Online Tech, we have a documented change management procedure that we summarize into an acronym called PACT: Plan, Approve, Change, and Test. The details of the process are determined by the category of the change. We have four categories of change, determined by the severity and risk of the change itself. A category I change is the least risky while a category IV change is the riskiest. We also have a separate change category for emergency situations.
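The following is an added example, not Online Tech’s own change management tooling, of how a PACT-style gate can enforce the more-than-one-engineer rule and produce the who-and-when trail discussed above. The approval count per category, the handling of emergency changes, and the device and engineer names are assumptions made for this example; the article names the categories but gives none of those details.

```python
"""A minimal Plan / Approve / Change / Test (PACT) gate for one change request.

Added example, not Online Tech's tooling. It enforces the "more than one
engineer must sign off" rule for the riskiest categories, refuses to apply an
under-approved change, and records who did what and when. The approval count
per category and the EMERGENCY handling are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed thresholds: categories I/II need one approver, III/IV need two.
REQUIRED_APPROVALS = {"I": 1, "II": 1, "III": 2, "IV": 2, "EMERGENCY": 1}


class ChangeControlError(Exception):
    """A step attempted out of order or without the required authority."""


@dataclass
class ChangeRequest:
    change_id: str
    category: str
    requester: str
    target: str                                      # device the change touches
    plan: str                                        # what will be done
    approvals: list = field(default_factory=list)    # engineers who signed off
    audit_log: list = field(default_factory=list)    # timestamped trail
    status: str = "PLANNED"

    def __post_init__(self):
        if self.category not in REQUIRED_APPROVALS:
            raise ChangeControlError(f"unknown change category {self.category!r}")
        self._log(self.requester, f"PLANNED {self.target}: {self.plan}")

    def _log(self, who, what):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append(f"{stamp} {self.change_id} {what} by {who}")

    def approve(self, engineer):
        """Record a sign-off; the requester may not approve their own change."""
        if self.status != "PLANNED":
            raise ChangeControlError(f"cannot approve a change in state {self.status}")
        if engineer == self.requester:
            raise ChangeControlError("separation of duties: requester cannot approve own change")
        if engineer in self.approvals:
            raise ChangeControlError(f"{engineer} has already approved {self.change_id}")
        self.approvals.append(engineer)
        self._log(engineer, "APPROVED")
        if len(self.approvals) >= REQUIRED_APPROVALS[self.category]:
            self.status = "APPROVED"
        return self.status

    def apply(self, engineer, apply_fn):
        """Run apply_fn (the real device change) only once the gate is satisfied."""
        need = REQUIRED_APPROVALS[self.category]
        if self.status != "APPROVED":
            raise ChangeControlError(f"{len(self.approvals)} of {need} required approvals; change not applied")
        apply_fn()
        self.status = "CHANGED"
        self._log(engineer, "CHANGED")
        if self.category == "EMERGENCY":
            # Assumption: one approval is enough in an emergency, but the
            # change is flagged so it is reviewed after the fact.
            self._log(engineer, "EMERGENCY: post-change review required")
        return self.status

    def verify(self, engineer, passed):
        """The T in PACT: confirm the change did what the plan said."""
        if self.status != "CHANGED":
            raise ChangeControlError(f"nothing to test; change is in state {self.status}")
        self.status = "TESTED" if passed else "ROLLBACK_REQUIRED"
        self._log(engineer, f"TESTED {'pass' if passed else 'FAIL'}")
        return self.status


def demo_category_iv():
    """Walk a category IV firewall change through the gate (constructed names);
    return the request, the stand-in ruleset it changed, and the rejected attempts."""
    ruleset = []   # stand-in for the device's running config
    cr = ChangeRequest("CHG-0042", "IV", requester="alice", target="core-fw-1",
                       plan="permit tcp 10.0.5.0/24 -> 10.0.9.10:443")
    cr.approve("bob")                     # first of two required sign-offs
    rejected = []
    for attempt in (lambda: cr.approve("alice"),                                # self-approval
                    lambda: cr.apply("bob", lambda: ruleset.append(cr.plan))):  # 1 of 2 approvals
        try:
            attempt()
        except ChangeControlError as exc:
            rejected.append(str(exc))
    cr.approve("carol")                   # second sign-off opens the gate
    cr.apply("bob", lambda: ruleset.append(cr.plan))
    cr.verify("carol", passed=True)
    return cr, ruleset, rejected


if __name__ == "__main__":
    request, rules, refused = demo_category_iv()
    print("\n".join(request.audit_log))
    print("rejected:", refused)
```

The audit log is the artifact an auditor can sample: every approval, the application of the change and the test result carry an engineer name and a timestamp, and the two rejected attempts (the requester approving her own change, and applying with only one of two sign-offs) never touch the device.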
Tip #4 – Technology Can Amplify Your Success or Failure
We discussed how the process controls are the toughest and some of the most important controls to have in place. The good news is that technology is great for automating the processes. If you automate the process properly, you can build in the change management, such as logging of all changes, with no additional overhead.
Automating work flow with a database and email integration can help you reduce operating costs and increase the quality of your controls. We took advantage of the audit to justify automating a number of business processes. This automation provided the necessary logging and change management tools. In the end, by using technology to prepare for SAS 70, we improved our infrastructure and reduced our operating costs.
One secret we stumbled on years ago that has proven incredibly helpful is the integration of email into our databases. This lets our tracking systems read the emails exchanged among our staff about orders, support tickets and other important business information and file them directly into our management systems. Our stakeholders (clients, staff and vendors) can therefore use their favorite and most common interface, the inbox, to interact with our core systems. This increased usage, lengthened the documentation trail and let us gather more information. One caveat for anyone building something similar: a system that acts on inbound email has made the inbox an input to its core systems, so it needs to verify who a message actually came from before treating it as an authorized request.
Tip #5 – Choose Your Partner Carefully and Be a Good Partner Back
SAS 70 audits are conducted by a CPA firm, usually together with one or more data center experts. Many CPA firms are entering the SAS 70 audit market, but a good number of them lack the technical competence required to audit controls over the physical data center and the network. Understanding these controls requires more than a CPA: it requires a technical understanding of the operating components of data centers and networks.
In our experience, it requires a well coordinated team of data center, network and process experts. Not many organizations have all these skills. We chose UHY LLP, a large CPA firm with a national data center auditing practice so we could benefit from their expertise and experience working with a broad set of data centers.
Equally important as selecting the right partner is the approach you take to the audit. The attitude spectrum ranges from “how little can we get away with?” to “let’s do this right - this is going to make us better”. With the right attitude, you increase not only the commitment of the entire organization to a higher quality process, but you also increase the rate and quality of information you can provide the auditors. With better, faster information, the auditors are more efficient and effective, leaving more time for suggesting improvements.
Conclusion – Survive or Thrive? It’s Your Choice
You have a number of choices when it comes to engaging in the SAS 70 process. You can outsource some or all of your data center to a SAS 70 audited data center operator that uses the SAS 70 process as a core competency in running its business. You can also hire an outside auditor to take your firm through the audit process. In either case, the approach and attitude you take towards the SAS 70 process can make the difference between merely surviving a SAS 70 audit and thriving as a result of it.
Thriving through the SAS 70 process requires executive leadership and a commitment to articulate a clear cause that keeps the team motivated. A solid understanding of the goals and a well-defined scope make it easier to design the control systems against which you will be audited.
Our experience also taught us that a focus on the processes and a willingness to invest in the technology to automate those processes can make a significant difference in the results.
And finally, as with all major process commitments, selecting the right firm for the SAS 70 audit and treating them as a partner can play a key role in how productive your audit actually is.