Memo to Ops Teams - get Savvy about SAS70

Monday, November 02, 2009 11:20

Bill Winterberg made an excellent comment on my last article about information security, regarding outsourcing our applications to third-party web-based providers. This is what has been coined "cloud computing": our data and software are used and accessed through the web browser.

Because Operations frequently deals with the most delicate information about your customers and may be managing some of the most complex processes in the practice, choosing your service providers is a critical process. You are handing off the data and connecting to them remotely on an assumed trust that your activities and database(s) are secure.


Without getting too deep into the weeds, security is handled on three levels:

  • By the service provider - by using various techniques and technologies to secure the access, communication and storage of data
  • By your practice - by using hardware and software to secure your network and computers
  • By your users - by being careful with their usernames and passwords and with how they handle the data you manage

The latter two are clearly under your control. The service provider's security is not. An important component for any service provider that works in the "cloud" of the Internet should be a SAS 70 audit. SAS 70 is shorthand for Statement on Auditing Standards No. 70, established by the American Institute of Certified Public Accountants (AICPA). A SAS 70 report documents the processes and controls a service provider has in place to correctly manage its business. Because it is most popular with service organizations, it also reflects the processes and controls in place to ensure that the information they hold about you and your business is secure.

There are two types of SAS 70 reports: Type I and Type II. The Type I report documents the aforementioned processes and controls. The Type II report, which is more valuable to you as a decision maker selecting a vendor, also includes an independent auditor's affirmation that the processes and controls were reviewed and tested.

In my view, for the most critical and confidential data your business handles (account numbers, tax IDs, bank and medical data, etc.), a Type II SAS 70 should be required for vendor selection. This is an investment by your service provider to attest and confirm that they have the processes and controls in place to effectively manage their business and secure your confidential data.

A final note: not only should your practice ask technology vendors for a SAS 70, but also any other service provider that interacts with or stores your data at some point in the business process.



Comments (3)

Blaine, thanks for this added information on what advisors should be requesting of prospective technology and outsourcing vendors. It is essential that advisors perform this due diligence to ensure the practice's most valuable data, the client's, is protected and safeguarded.
billwinterberg , November 03, 2009
Blaine (or Bill?): I use Dropbox for syncing office PC data and for its cloud backup. The Dropbox website security information states that they use Amazon S3 for Dropbox, which claims to have SAS70 Type 2 certification. Does that mean that Dropbox (in your opinion) would be a secure cloud data provider for an RIA? I enclose the Amazon S3 security URL that Dropbox references clients use (!default.jspa?categoryID=152&externalID=1697&fromSearchPage=true), which is hard for a non-IT professional to understand. Would referencing this URL and the Dropbox security URL be (in your opinion) an adequate due diligence response for an RIA to have on file as to taking steps to analyze security for using Dropbox?
polarbear , November 03, 2009
You are thinking in the right direction. I also use Dropbox and consider it a moderately secure option for managing files I need to sync across multiple systems. It is not my core backup nor my core file storage solution.

Dropbox focuses on giving users the avenue for keeping files private versus sharing - and as long as you follow that protocol - you should be fine.

If you need to share overly sensitive documents with others - you may want to evaluate some of the premium services versus the Dropbox security model to see if you receive any further assurance. I am thinking of YouSendIt and FilesAnywhere.

My suggestion is not to get rid of Dropbox - way too valuable! Just take a look at any user-friendly heightened security the others might offer for sharing sensitive client documents. Alternatively - you could also look at a solution with a client vault - like eMoney or Advisor Products.

Feel free to contact me with further questions.
bwarrene , November 05, 2009