Security and Integrity and PrivacyOh, My!
April 8, 2011
Few things are worse for a financial institution, data center or company that stores a significant amount of personal information than a breach of security. Negative headlines abound, customers get spooked and the company has to scramble to fix the data leak and reassure customers they wont become victims of identity theft.
In an attempt to strengthen security against such leaks and breaches, the American Institute of Certified Public Accountants (AICPA), which oversees auditing rules in this country, has issued a new set of standards that go into effect this summer. These standards are important for all companies that manage personal data for their clients, including retirement plan service providers, banks, investment houses, insurance companies, data centers and payroll service providers.
Even Google and Amazon are affected. Although these two firms arent typical data warehouses, they hold a lot of personal data. And their customers demand security audit reports to prove that data are safe.
Since 1992, the industry has called these the SAS 70 rulesSAS standing for Statement on Auditing Standards and 70 referring to the number of the statement issued by the Auditing Standards Board of the AICPA. The rules standardize the way auditors review how companies secure their data to assure customers that the data are being handled safely.
While the name is probably important to the chief information and technology officers who might order these reports, the more significant thing for the general business community to understand is how these new standards, which take effect on reports for periods ending on or after June 15, work and why theyre important. The new auditing report rules formally set standards for information technology companies to follow, something that was never before formalized. They also establish predetermined criteria for IT companies that make it easier for IT clients to compare one provider to another.
These reports are designed for companies whose many customers are interested in how the companies holding their data conduct
business and protect personal information. Such firms would hire an auditor to conduct an internal control study to assess the way it handles the data, test to make sure the data are secure and write a report that the company can send to its customers.
For example, lets take a business that manages 401(k) retirement plans for another companys employees. Clients contracting with this firm are giving up sensitive employee information such as Social Security numbers, birthdates, hire dates, names and addresses. Theyre worried about a breach of the retirement fund managers system and want to be sure the information doesnt get hacked, which could lead to identity theft. They also want to make sure the data are accurate. An auditor would do a report, called an SOC 1 (Service Organization Control), and report to the retirement fund managers customers how secure the data are. The clients can use the information to evaluate the safety of the data andif theyre not satisfieddemand changes or find a new manager.
The controls are centered on how information is obtained from a customer and how it is processed. The report will review password and user-name protocols, firewalls and even environmental controls, such as sprinkler systems and backup power. Auditors will look at antihacking controls; theyll stress-test the controls and evaluate the design of the overall system. They must report flaws in the system so the company can address them.
In the past, companies could choose what standards the auditor would focus on. While thats still the case for financially oriented firms, information technology companies, which would do an SOC 2 report, must follow new standards that focus on five areas: security, availability, processing integrity, confidentiality and privacy.
What risks do businesses face if they dont conduct these investigations every year? They may not be able to do business with certain customers that expect these reports. This effort isnt only for compliance; it can also be used as a marketing tool to set one service provider ahead of its competitors.