Information Security Whitepaper: Consistent, Reliable and Secure Operating Environment
All information copyright © 2009 STEELWEDGE SOFTWARE, Inc.
Table of Contents
Abstract
SAS 70 for assurances around information security
Trusted Cloud Computing Platform
Building on established trends
The on-demand, self-service, pay-by-use model
Services are delivered over the network
Cloud computing infrastructure models
Software as a Service (SaaS)
SAS 70 – an effective, independent evaluation
SAS Institute, history, and importance to the industry
Benefits of SAS 70
SAS 70 Certified Organisation
A Proactive Approach Strongly Recommended
Our Process
SAS 70 Audits that are Cost Effective for our Organization
Service organizations demonstrate their commitment to internal controls
Solutions with high standards

Information Security With SAS-70

Abstract
Steelwedge Software links Sales & Operations Planning (S&OP) processes to existing CRM and ERP systems through familiar desktop applications including email and Excel. Steelwedge helps companies improve the effectiveness of their Collaborative Planning, Forecasting, and Performance Management activities.

SAS 70 for assurances around information security
The introduction of software as a service (SaaS) at the turn of the century was met with intrigue by the business value proposition and concern regarding the safeguarding of sensitive data over the wild, wild web by an outside organization. Several of the traditional on-premise software manufacturers did their best to fuel this fear and further surrounded security concerns with FUD (fear, uncertainty and doubt). Seven years later, the security concern has diminished for most – not because it is any less of a concern but because many SaaS vendors have demonstrated admirable security safeguards that go well beyond what most client organizations could achieve internally. Because information security is a rapidly evolving discipline managed with creative strategies and a plethora of new technology tools, few SaaS vendors use similar strategies or defenses. These differences clearly translate to varying levels of information security protection by different SaaS vendors. The primary areas where SaaS application vendors differ in their information security approaches are strategy, risk analysis, staffing, depth of defenses and independent certifications.
To some organizations, information security seems most focused on keeping out hackers. To more mature, security-conscious organizations, information security is about preserving the confidentiality, integrity and availability (CIA) of information. Confidentiality ensures that information is accessible only to those authorized. Integrity safeguards the accuracy and completeness of information and processing methods. Availability ensures that authorized users have access to the information when required. A short conversation with a potential SaaS vendor should permit you to determine their information security strategy, maturity and focus.

Security preparedness begins with risk analysis, security awareness and a company-wide culture which includes executive sponsorship, management commitment and specialized staffing. A thoughtful risk analysis should always precede a security strategy so that security measures are prioritized toward high-risk and/or high-impact events. It’s also useful to note that risk analysis exercises generally show that a failure in CIA is far more likely to be caused by a hardware malfunction, an improperly applied change management procedure or internal human error than by a caffeine-addicted teenage hacker working out of his parents’ basement from the other side of the world during the middle of the night. Again, to form your own opinion, talk with your SaaS provider and understand whether they believe service is more likely to be impaired by a broken router or a badly behaved juvenile.

Security is a process, not a product or procedure. Security begins and ends with people. Information security is primarily a management issue rather than a technical issue. SaaS companies that get this often follow the risk analysis with an ISMS (Information Security Management System), which is a part of the overall management system. When speaking with a potential SaaS CRM or ERP provider, find out if they approach security as a process or a product and whether they have an ISMS or the equivalent.

Depth of defenses speaks to the rigor and intensity applied to enforcing the security strategy. This is the area where layers of tools and products reinforce the strategy, and this area varies greatly among SaaS companies. For example, does the SaaS company use simple packet-filtering firewalls or deep packet inspection (DPI) firewalls? Do they simply use an intrusion detection system (IDS), or do they also use an intrusion prevention system (IPS)? Does the SaaS provider have competent security staff and resources who review logs, are alerted to unusual events, monitor an early warning system and perform periodic announced and unannounced internal audits? Are the security staff trained to isolate an intrusion and equipped with the forensic tools to successfully prosecute a violator? Few SaaS vendors measure up well to each of these scenarios.

A final difference among SaaS vendors’ information security preparedness and assuredness comes from independent certifications. Simply put, some SaaS vendors complete information security audits and most do not. The most relevant information security audit is the ISO (International Standards Organization) 27001 certification. It deals specifically with information security in a hosting environment.
Other audits may be obtained from recognized security consultancies who periodically perform vulnerability assessments (VA), penetration (PEN) tests and simulated attacks. Due to changes in information security postures and the constantly evolving threats, security audits and certifications should be performed at least annually. I continue to be amazed to this day by the high number of SaaS providers who choose to ignore these valuable exercises.
Trusted Cloud Computing Platform
In an economic environment where demands are high and margins often thin, problems with critical business applications can quickly turn profits to losses. With Verizon Business' new Application Assurance service, however, business customers are better able to keep their network-based business processes running smoothly and reliably. A cloud service makes a substantial effort to secure its systems in order to minimize the threat of insider attacks and reinforce the confidence of customers. For example, it protects and restricts access to the hardware facilities, adopts stringent accountability and auditing procedures, and minimizes the number of staff who have access to critical components of the infrastructure. Nevertheless, insiders who administer the software systems at the provider backend ultimately still possess the technical means to access customers’ VMs. Thus, there is a clear need for a technical solution that guarantees the confidentiality and integrity of computation in a way that is verifiable by the customers of the service.
Building on established trends
Cloud computing builds on established trends for driving the cost out of the delivery of services while increasing the speed and agility with which services are deployed. It shortens the time from sketching out an application architecture to actual deployment. Cloud computing incorporates virtualization, on-demand deployment, Internet delivery of services, and open source software. From one perspective, cloud computing is nothing new because it uses approaches, concepts, and best practices that have already been established. From another perspective, everything is new because cloud computing changes how we invent, develop, deploy, scale, update, maintain, and pay for applications and the infrastructure on which they run. In this section, we examine the trends and how they have become core to what cloud computing is all about.
The on-demand, self-service, pay-by-use model
The on-demand, self-service, pay-by-use nature of cloud computing is also an extension of established trends. From an enterprise perspective, the on-demand nature of cloud computing helps to support the performance and capacity aspects of service-level objectives. The self-service nature of cloud computing allows organizations to create elastic environments that expand and contract based on the workload and target performance parameters. And the pay-by-use nature of cloud computing may take the form of equipment leases that guarantee a minimum level of service from a cloud provider.
Services are delivered over the network
It almost goes without saying that cloud computing extends the existing trend of making services available over the network. Virtually every business organization has recognized the value of Web-based interfaces to their applications, whether they are made available to customers over the Internet, or whether they are internal applications that are made available to authorized employees, partners, suppliers, and consultants. The beauty of Internet-based service delivery, of course, is that applications can be made available anywhere, and at any time.
Cloud computing infrastructure models
There are many considerations for cloud computing architects to make when moving from a standard enterprise application deployment model to one based on cloud computing. There are public and private clouds that offer complementary benefits, there are three basic service models to consider, and there is the value of open APIs versus proprietary ones. Cloud computing benefits:
• Reduced run time and response time
• Minimized infrastructure risk
• Lower cost of entry
• Increased pace of innovation
Software as a Service (SaaS)
Software as a service features a complete application offered as a service on demand. A single instance of the software runs on the cloud and services multiple end users or client organizations. The new Software-as-a-Service (SaaS)-based offering, available to customers around the world, enables customers to efficiently monitor both application and network traffic. The service provides an enterprise-wide view of how applications such as e-commerce Web sites, voice-over-IP and CRM (customer relationship management) software are performing and how that performance is affecting end users. As a result, customers can quantify the effect of performance problems. Since the new cloud-based capability is offered to Private IP customers via a Software-as-a-Service (SaaS) model, it eliminates the need for companies to purchase or maintain network-management software and hardware. The SaaS delivery model is ideal for small and medium-sized businesses and large enterprises because services can be purchased a la carte. As a result, customers can better control costs while attaining the required levels of security, performance, scalability and reliability. In addition, customers can gain energy-conservation benefits by using IT resources (connectivity, server and storage) on an as-needed basis. Application Assurance provides a powerful combination of passive network monitoring -- which allows for real-time tracking of who is using an application, for what purpose, when and where -- and active monitoring, which employs customized software agents to generate synthetic network traffic for measuring network availability and performance. The flexible and cost-effective SaaS delivery model makes it simple to deploy Application Assurance when and where needed. In addition, both short-term and long-term service contracts are available.

These applications are appealing to IT departments because they adapt quickly to the changing pace of business and technology, have a low IT impact, and are easy to use. Despite these benefits, SaaS applications will deliver limited value if critical customer information cannot be accessed because of a lack of integration. With SaaS, organizations can:
• Quickly connect applications with few resources and increase ROI
• Gain a real-time end-to-end view of customers
• Eliminate the need for specialist integration skills
• Easily change connectivity, update transformations and modify workflows without custom code
SAS 70 – an effective, independent evaluation
The SAS 70 standard involves an external, independent auditor’s evaluation of a service organization’s controls and the execution of those controls. The examination covers critical benchmarks, including the completeness, accuracy, and timeliness of services rendered. The SAS 70 report, generated at the conclusion of the examination, is invaluable to a company’s financial statement auditors. Without such a report, the auditors might have to conduct their own examination of the internal controls at the service organizations used by the company to support key financial transactions. For customers that have highly sensitive data and require SAS 70 Certified hosting services, Steelwedge services have been audited and received SAS 70 Type II Certification. Steelwedge Software is proud to announce that it has successfully completed a Statement on Auditing Standards (SAS) No. 70 examination. SAS 70 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). This rigorous process places the highest level of scrutiny on the operational effectiveness of a service organization’s internal controls. Completion of a SAS 70 signifies that a company has had its internal controls examined and tested by an outside firm. With increased emphasis on integrity and security in today’s business environment, obtaining a reputable third-party opinion on the soundness of our controls demonstrates our commitment to operational excellence. Our customers can be assured that our services are safe, reliable and meet the industry’s highest standards and best practices.
SAS Institute, history, and importance to the industry
Prior to SAS 70, the AICPA instituted SAS 55. This required any company that outsourced services which materially impacted information provided for financial audits to complete an audit of the service organization providing those services. As service organizations became increasingly overwhelmed with individual audit requests from each user organization, the AICPA issued SAS 70. This allowed service organizations to complete one standardized report that could be relied on by each user organization. Additionally, a SAS 70 report satisfies the requirements of the Sarbanes-Oxley Act of 2002, which mandates that auditors of all publicly traded companies generate an opinion on internal controls for financial reporting. In the data center industry, the SAS 70 report is becoming more and more crucial as competition grows and public companies place greater reliance upon outsourced IT services. The SAS 70 report is recognized as a comprehensive analysis of the control objectives and activities put in place by service organizations, such as data centers. The AICPA lays out detailed guidelines for the auditing agency based upon standards for fieldwork, quality control, and reporting. The extensive amount of testing going into a SAS 70 makes the report a valuable asset to both the user organization and the service organization. The user is saved time and money by not having to hire additional consultants to evaluate the service organization. And while it is an expense to the service organization, the report demonstrates secure and reliable controls, which gives confidence to prospective clients.
Benefits of SAS 70
In addition to illustrating to our clients that internal controls within our organization are in place and working as designed, SAS 70 audits allow corporations to distinguish themselves from the competition by:
• Strengthening our company’s reputation
• Reducing operating costs for our clients, due to the fact that they will no longer have to send auditors to audit our organization
• Assisting in fulfilling our customers’ and their independent auditors’ audit responsibilities
• Demonstrating that controls are designed and implemented based on an accepted internal control framework
Internally, a SAS 70 audit can:
• Reduce the impact on our resources by minimizing disruption from other outside parties
• Identify and document our control objectives
• Analyze the effectiveness of our control activities
• Determine the consistency with which our controls are applied throughout the organization
• Assess the strength of our management oversight
• Identify opportunities for improvement throughout audited operational areas
Advantages for Using SAS 70 Reports from the Service Organization Perspective:
Service organizations are essentially third-party outsourcing entities that provide critical services to another company. Examples of these service organizations are payroll companies, third-party administrators (TPA), data centers, Software as a Service (SaaS) providers, medical claims and billing companies, fulfillment houses, along with many others. A SAS 70 report:
• Provides management insight into the effectiveness of controls and possible areas for improvement
• Eliminates or mitigates repeat audits from users
• Provides independent assurance
• Provides a competitive advantage
• Allows the service organization to respond to regulatory inquiries
• Reduces disruption to operations through a single audit request for information
• Satisfies Service Level Agreements or contract provisions
• Demonstrates leadership and market differentiation
• Enhances business performance through value-added recommendations
Advantages for Using SAS 70 Reports from the User Organization Perspective:
• Provides information to assess the overall control environment for their (user) auditors
• Satisfies client regulatory requirements
• May control some audit costs
• Provides time efficiencies to user auditors by already having information available/prepared
• Provides a level of comfort over the control consciousness of the service organization and its services
SAS 70 Certified Organisation
In a Type I report, the service auditor will express an opinion on whether the service organization's description of its controls presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date, and whether the controls were suitably designed to achieve specified control objectives. In a Type II report, the service auditor will express an opinion on the same items noted above in a Type I report, and whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.
A Proactive Approach Strongly Recommended
On the surface, certain outsourced services may not appear to have an impact on financial statements, but SAS 70 has a broad reach. The reports are especially relevant for organizations that provide services in support of electronic commerce, such as web hosting, and other entities such as insurance companies, businesses that outsource information technology and other services, healthcare billing companies, trust departments, and mortgage providers. An organization should assess whether it may be requested by its customers to provide a SAS 70. Accordingly, it may be a good idea to take a proactive approach to SAS 70 and have the examination conducted in advance of a request. Not only will it be readily available when you need it, but organizations that have the examination conducted in advance also have the opportunity to make improvements, if necessary, to internal controls.
Our Process
Based on our experience preparing many SAS 70 examinations, we have developed an approach that is customized for each client’s needs. Steelwedge begins a SAS 70 examination by gaining an understanding of the service organization’s high-level COSO components, general controls, and application controls. We do this by reviewing management’s description of controls, consulting with management, observing operations, and performing walkthroughs of representative transactions in a SAS 70 Type I and Type II. The resulting SAS 70 report will include the service auditor’s opinion letter as well as the service organization’s description of controls and related control objectives. A SAS 70 Type II also includes a report on the service auditor’s tests of operating effectiveness. Our experience indicates that certain organizations benefit from a readiness review, which includes the same phases as the process described above. We can also assist service organizations undergoing a first-time SAS 70 by conducting a readiness review for a Type II examination, which helps the organization prepare for the SAS 70 examination.
SAS 70 Audits that are Cost Effective for our Organization
Strategies for Assisting Service Organizations
In an ever-increasing regulatory landscape, audits, be they financial, operational or technology-driven SAS 70 audits, can result in excessive fees and wasteful man-hours for our organization, but it doesn’t have to be that way. Take note, as there are a number of proactive measures our organization can take to help reduce fees, create efficiencies of scale and, ultimately, gain value from the audit process.
Service organizations demonstrate their commitment to internal controls
In an effort to show clients that airtight internal controls are in place, many companies are asking accountants to conduct a Statement on Auditing Standards No. 70 (SAS 70) review. SAS 70 audits are required only of vendors who want to do business with publicly owned companies, but privately held companies also gain peace of mind by working with certified vendors. Service organizations of all sizes can demonstrate their commitment to internal controls by proactively obtaining a Service Auditor’s Report. In the past, SAS 70 audits were only performed for the largest service providers. But today, a Service Auditor’s Report is crucial for service organizations of all sizes wanting to remain competitive in an increasingly crowded marketplace. One of the key benefits of a SAS 70 report is that it provides a single source of information in a standardized format that can be relied on when evaluating a service organization’s controls. Additionally, a SAS 70 report can also be used as a marketing tool, demonstrating to potential customers that our management has been proactive in obtaining the opinion of a reputable third party as to the soundness of our organization’s controls.

Solutions with high standards
SAS 70 is a very important standard for plan sponsors, with respect to their compliance activities and their confidence in their service providers. Steelwedge has received an unqualified, Type II SAS 70 report, demonstrating our commitment to meeting our clients’ needs. The selection of a stock plan service provider should be based on unparalleled service and the potential to improve your organization’s bottom line.

Contact Us
Address: 3825 Hopyard Rd., Suite 155, Pleasanton, CA 94588
Telephone: 925.460.1700 main, 925.460.1701 fax
Email: email@example.com