What do you do when your customers want you to do an independent security audit—and your CEO doesn't?
Whether your CEO is backing any initiative to improve the performance of the enterprise they still want to know what it really means to the organization. In this case, the CSO uses the fact that customers are asking for it. And because the customer is the almighty entity to serve and listen to, then we must have to comply.
While customers do provide the core catalyst for many corporate projects, the first priority is to make sure that you select the correct solution for what your customer is really asking for. In the case of a customer asking for a SAS 70, many uninformed CEO's would respond with a large question mark above their head.
For those who don't know, a SAS 70, or Statement on Auditing Standards No. 70, is an internationally recognized standard developed by the American Institute of Certified Public Accountants. A SAS 70 audit represents that an IT services provider (for example, a financial services organization) has been through an in-depth audit of its control activities, which generally include information technology, security and related processes. The Sarbanes-Oxley Act of 2002 makes SAS 70 audits even more important to the process of reporting on effective internal controls at IT services organizations. That's because the reports signify that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm, as Section 404 of Sarbanes-Oxley requires.
All of the SAS 70 audits will never change the culture or the skills of the people who are responsible for the areas of the organization that a SAS 70 audits. In many cases, the fear is that there will be so many "red lights" at the end of the examination that they will not get a favorable opinion letter. One way to avoid this potential hazard, is to inject the organization with a management system far in advance of the SAS 70 audit. A good example is the BS 7799 Information Security Code of Practice.
A brief history of BS 7799
In the early 1990s concern was growing about the security of information due to the proliferation of computer networks and the reliance of businesses on electronic data collection and processing. Security threats to organisations include fraud, espionage, sabotage, vandalism, fire, flood, computer hacking and computer viruses. The concern of the UK government’s Department of Industry (DTI) led them to ask BSI to work with businesses and other concerned communities to develop a standard that would increase awareness of security issues and suggest controls to help protect information within all types of organisations in the UK.
BS 7799 was originally published in 1995 to give guidance on implementing Information Security Management and was substantially revised in April 1999 to take account of developments in the application of information processing technology, particularly in the area of networks and communications. It also gave greater emphasis to business involvement in and responsibility for information security. New controls were included in areas such as e-commerce, teleworking, mobile computing and so on but remained technology-independent.
Against this backdrop was the implementation of the revised UK data protection legislation, the 1998 Data Protection Act, which includes increased obligations on organisations to adopt appropriate data security measures. The objective of this is to prevent unauthorised or unlawful processing and accidental loss or damage to data that relates to living individuals. The new legislation has been extended to include non-computerised, or manual, records. Material held in filing cabinets, index cards, microfilm collections and videotape collections are now also subject to the Act. Consequently, BS 7799 also covers security of all types of information, held both electrically and non-electronically.
By implementing a culture of risk management utilizing the published standards of BS 7799 the enterprise is not only becoming more prepared for the SAS 70, they are well on their way to achieving compliance with US and other Global standards. Relief for the "A" word is only a few key strokes away. See BSI