SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070

Page 1

SAS 70 In A Post-Sarbanes-Oxley, SaaS World

Francine McKenna, McKenna Partners LLC, for SpearMC Consulting (Booth #308)

Page 2

Agenda

• What is SaaS?
• What is SAS 70?
• Today’s environment
• Security risks in a SaaS environment
• ITGC
• Q & A

Page 3

Who is McKenna Partners LLC?

McKenna Partners LLC is a specialized boutique consulting firm, with expertise in Mexico and Latin America.

We focus on serving other professional services firms and industry in the area of internal control, IT governance, and compliance initiatives.

Francine McKenna, President, is also the author of the blog re: The Auditors.

Page 4

Who is SpearMC?

SpearMC is a full-service consulting and technology services firm.

We focus on the Oracle/PeopleSoft suite of applications.

The company was founded in 2001 by KPMG / BearingPoint alumni.

Page 5

In the growing world of SaaS multi-tenancy and virtualized/shared computing resources, how are SAS 70 issues getting resolved?

Page 6

It’s a bit out of date to just get a traditional data center SAS 70 certification when resources are being co-mingled across customers, and often hosted at a sub-contracted vendor...

Page 7

Depending on SAS 70s for a real level of assurance in a SaaS environment is shortsighted.

Do your applications have the controls needed to ensure the integrity of financial reporting as well as support complex business needs?

Page 8

Statement on Auditing Standards No. 70 (SAS 70)

• An international auditing standard that enables businesses that provide services to other organizations to provide an independent, trustworthy account of their internal control practices.

Page 9

Oracle and SaaS

• Leading vendors have adopted the Oracle SaaS Platform for developing and delivering secure, scalable and easy to integrate Software as a Service offerings.

• The move to SaaS or On-Demand presents several technical challenges for software vendors and hosting service providers.

• ISVs have to support multi-tenancy, integration and customization.

• Hosting service providers have to support scalability, performance, security, patching, service level management and billing.

Page 10

SaaS vs. On-Demand

• SaaS architectures generally can be classified as belonging to one of four "maturity levels," whose key attributes are configurability, multi-tenant efficiency, and scalability.

• SaaS means software.

• On-Demand can mean anything (bandwidth, computing power, storage, etc.)

Page 11

Pre-SaaS

• Level 1 - Ad-Hoc/Custom: Each customer has its own customized version of the hosted application and runs its own instance of the application on the host's servers. Reduces operating costs by consolidating server hardware and administration. (ASP model)

• Level 2 - Configurable: Provides greater program flexibility through configurable metadata, so that many customers can use separate instances of the same application code. The vendor meets the different needs of each customer through detailed configuration options, while simplifying maintenance and updating of a common code base. (Modified ASP)

• Level 3 - Configurable, Multi-Tenant-Efficient: Adds multi-tenancy to the second level, so that a single program instance serves all customers. This approach enables more efficient use of server resources without any apparent difference to the end user, but ultimately is limited in its scalability. (Standardized ASP or Software On-Demand)

Page 12

True SaaS

• Level 4 - Scalable, Configurable, Multi-Tenant-Efficient: At the fourth and final SaaS maturity level, scalability is added through a multi-tier architecture supporting a load-balanced farm of identical application instances, running on a variable number of servers. The system's capacity can be increased or decreased to match demand by adding or removing servers, without the need for any further alteration of application software architecture.

Page 13

What is the implication for SAS 70?

• In an ASP, the vendor hosts your application controls in their ITGC environment. Do they maintain your app controls and meet your standards on ITGC?

• In a pure SaaS with a standardized instance, you accept the vendor’s application, ITGC and controls. Do they meet your standards?

Page 14

Who performs a SAS 70 “audit”?

• A SAS 70 audit is performed by an independent auditor and results in a SAS 70 report, provided by the service provider to its customers and clients for use when they themselves are audited.

Page 15

Current uses and objectives of SAS 70s

• SAS 70 is not a law, but an auditing and disclosure standard used in various jurisdictions around the world, such as under Sarbanes-Oxley in the United States. This means up-to-date SAS 70 reports are a de facto requirement for any business that provides IT services to other businesses.

Page 16

Due diligence therefore requires that you not only request a SAS 70 report from a prospective SaaS provider, but that you examine it thoroughly to determine whether the provider will be able to comply with your own internal standards for privacy, data security, and so on.

The earlier you start this conversation, the better.

Page 17

What purpose does a SAS 70 report serve?

• All SaaS providers should be prepared to provide SAS 70 reports.
• Not a stamp of approval.
• No minimum standards.
• A SAS 70 report documents the internal control practices of an organization, without offering any judgment as to whether they are satisfactory. This is up to the user organization.

Page 18

Customers must tell providers which controls are important and what standards are expected.

• Example: If local privacy laws require your customers' personal financial data be stored in encrypted form at all times, a SAS 70 report will document whether the provider's own data-storage practices will enable the customer to be in compliance with the law.

Page 19

SaaS providers should be prepared to answer questions from potential customers during demos/evaluations. They often point to controls to be expected later and attested to by the SaaS provider’s auditor.

Page 20

IT General Controls - The Auditor's Bottom Line

• The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope.

• 2007 SOX guidance from the PCAOB and SEC states that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed.

• The scoping decision is part of the entity's SOX top-down risk assessment. Statement on Auditing Standards 109 (SAS 109) discusses the IT risks and control objectives pertinent to a financial audit.

Page 21

IT General Controls

• Control Environment, or those controls designed to shape the corporate culture or "tone at the top.”
• Change management procedures - controls designed to ensure changes meet business requirements and are authorized.
• Source code/document version control procedures - controls designed to protect the integrity of program code.
• Software development life cycle standards - controls designed to ensure IT projects are effectively managed.
• Security policies, standards and processes - controls designed to secure access based on business need.

Page 22

More IT General Controls

• Incident management policies and procedures - controls designed to address operational processing errors.
• Technical support policies and procedures - policies to help users perform more efficiently and report problems.
• Hardware/software configuration, installation, testing, management standards, policies and procedures.
• Disaster recovery/backup and recovery procedures, to enable continued processing despite adverse conditions.

Page 23

Where’s my data?

• Due to compliance and data privacy laws in many countries, knowing data locality is critically important to meeting compliance requirements.
• With cloud computing and SaaS, this issue is a challenge. You often don’t know where data is being stored or where the application is really being run.
• “Don’t worry. Be happy.”

Page 24

Separate but equal - data segregation

• Multi-tenancy is a SaaS advantage, but mixing my data with my competitors' is icky.
• Users must never see data they are not authorized to see.
• My data should never be seen by other customers, especially competitors.

Page 25

Right user, right time - data access

• You know how to protect data from unauthorized access within your organization. Roles, responsibilities, access, and authorization policies and procedures are controlled within most IT organizations.
• SaaS providers must be able to reassure you regarding access, authorization, activity monitoring and segregation of duties.
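The two segregation requirements on these slides (a tenant must never see another tenant's data; access and segregation of duties must be enforced, not assumed) come down to a few lines in the data-access layer of a multi-tenant application. The following example is added here by the editor and is not code from the presentation or from any product it names. It uses an in-memory SQLite table with constructed sample invoices for two invented tenants, "acme" and "globex", and contrasts a lookup by id alone (the pattern behind cross-tenant disclosure) with a lookup whose tenant predicate is always taken from the authenticated session. It also shows the segregation-of-duties check that the slide asks providers to reassure customers about: the person who created an invoice may not approve it.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data: two tenants ("acme" and "globex") sharing one table,
# as in a Level 3/4 multi-tenant SaaS instance. All names and amounts are invented.
INVOICES = [
    (1, "acme", "alice@acme", 1200.00, "open"),
    (2, "acme", "bob@acme", 300.00, "open"),
    (3, "globex", "carol@globex", 9800.00, "open"),
]


@dataclass(frozen=True)
class Session:
    """Authenticated context: the tenant is fixed at login, never supplied per request."""
    user: str
    tenant: str
    roles: frozenset


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoice (id INTEGER PRIMARY KEY, tenant TEXT NOT NULL, "
        "created_by TEXT NOT NULL, amount REAL NOT NULL, status TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO invoice VALUES (?, ?, ?, ?, ?)", INVOICES)
    conn.commit()
    return conn


def fetch_invoice_unsafe(conn, invoice_id):
    """Weak pattern: the row is selected by id alone, so a caller from any tenant who
    supplies (or guesses) a foreign id reads another customer's record."""
    return conn.execute(
        "SELECT id, tenant, created_by, amount, status FROM invoice WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def fetch_invoice(conn, session, invoice_id):
    """Hardened pattern: the tenant predicate is always present and always comes from the
    session, so an id owned by another tenant behaves exactly like a nonexistent id."""
    if not session.roles & {"reader", "approver"}:
        raise PermissionError("reader or approver role required")
    return conn.execute(
        "SELECT id, tenant, created_by, amount, status FROM invoice "
        "WHERE id = ? AND tenant = ?",
        (invoice_id, session.tenant),
    ).fetchone()


def approve_invoice(conn, session, invoice_id):
    """Segregation of duties: approval needs the approver role, and the creator of an
    invoice may not approve it. Returns True on success, False when the invoice is not
    visible to this tenant (indistinguishable from a missing id)."""
    row = fetch_invoice(conn, session, invoice_id)
    if row is None:
        return False
    if "approver" not in session.roles:
        raise PermissionError("approver role required")
    if row[2] == session.user:
        raise PermissionError("segregation of duties: creator may not approve own invoice")
    conn.execute(
        "UPDATE invoice SET status = 'approved' WHERE id = ? AND tenant = ?",
        (invoice_id, session.tenant),
    )
    conn.commit()
    return True


def invoice_status(conn, session, invoice_id):
    row = fetch_invoice(conn, session, invoice_id)
    return row[4] if row else None


if __name__ == "__main__":
    db = build_db()
    acme_reader = Session("bob@acme", "acme", frozenset({"reader"}))
    print("lookup by id only, from acme, of a globex invoice:", fetch_invoice_unsafe(db, 3))
    print("tenant-scoped lookup of the same id:", fetch_invoice(db, acme_reader, 3))
```

The point to take from the contrast is that the hardened query never lets the request choose the tenant; if every read and write path goes through a function shaped like `fetch_invoice`, a missing tenant predicate becomes a code-review finding rather than a data breach, which is the kind of control a customer can ask a provider to describe in a SAS 70 report.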

Page 26

Who is watching and how?

• Log management and security information and event management solutions are readily available for internal IT.
• Access logs are critical to compliance, operations and security. SaaS providers should provide logs as part of normal service.

Page 27

Who are you? Why are you here? Authentication and authorization.

• Many companies have designed their IT infrastructure so that all authentication goes through a single application such as Active Directory.
• If user credentials are stored in the SaaS provider's databases, controls must be in place for removing/disabling/editing accounts.
• You could insist on delegation of the authentication process to your LDAP/AD server to maintain control if the provider’s controls are not up to internal standard.
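Once a provider hands over access logs (the previous slide) and the customer's own directory is the authority on who should have an account (this slide), the customer can run its own review instead of taking the provider's word for it. The example below is added by the editor and is not part of the presentation. It parses a small, constructed key=value access log, checks each successful event against a constructed directory export and a constructed object-ownership map, and reports three control failures the slides describe: a read of another tenant's object, activity by an account the directory says was disabled, and an account that exists only in the provider's database. All users, timestamps and object ids are invented.

```python
import re

# Constructed sample access log in the key=value style a SaaS provider might export.
# Every user, tenant, timestamp and object id below is invented for this example.
SAMPLE_LOG = """\
2008-12-04T08:31:02Z user=alice@acme tenant=acme action=read object=invoice:1 result=ok
2008-12-04T08:32:10Z user=alice@acme tenant=acme action=read object=invoice:3 result=ok
2008-12-04T08:40:00Z user=dave@acme tenant=acme action=login result=ok
2008-12-04T08:41:15Z user=dave@acme tenant=acme action=read object=invoice:2 result=ok
2008-12-04T09:02:44Z user=eve@acme tenant=acme action=login result=ok
2008-12-04T09:03:01Z user=bob@acme tenant=acme action=read object=invoice:9 result=denied
"""

# Constructed reference data held by the customer: which tenant owns each object, and the
# account list from the customer's own directory (the authoritative source per the slide).
OBJECT_OWNER = {
    "invoice:1": "acme",
    "invoice:2": "acme",
    "invoice:3": "globex",
    "invoice:9": "acme",
}
DIRECTORY = {
    "alice@acme": {"status": "active"},
    "bob@acme": {"status": "active"},
    "dave@acme": {"status": "disabled", "disabled_at": "2008-12-01T17:00:00Z"},
    # eve@acme is deliberately absent: an account known only to the provider.
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' record into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def review(log_text, object_owner=OBJECT_OWNER, directory=DIRECTORY):
    """Return (finding, timestamp, detail) tuples for successful events that contradict
    the customer's directory or tenant ownership data. ISO-8601 'Z' timestamps compare
    correctly as strings, so no datetime parsing is needed here."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("result") != "ok":
            continue  # denied attempts are worth trending, but are not control failures
        user, tenant = rec.get("user"), rec.get("tenant")
        acct = directory.get(user)
        if acct is None:
            findings.append(("unknown-account", rec["ts"], user))
        elif acct["status"] == "disabled" and rec["ts"] > acct["disabled_at"]:
            findings.append(("disabled-account-active", rec["ts"], user))
        obj = rec.get("object")
        if obj and object_owner.get(obj) not in (None, tenant):
            findings.append(("cross-tenant-access", rec["ts"], f"{user} -> {obj}"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Each finding maps back to a question for the provider: cross-tenant access is a data segregation failure, a disabled account still logging in means the provider's account lifecycle controls are not keeping pace with the customer's off-boarding, and an account the directory has never heard of is exactly the case the slide's suggestion to delegate authentication to the customer's LDAP/AD server is meant to remove.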

Page 28

Too much of a good thing? Web Application Security

• SaaS applications have to be used and managed over the web (in a browser). How secure is your provider’s web application from breaches such as hacking?
• Verizon says 59% of breaches are due to hacking. Maybe SaaS providers should start considering providing something similar to what PCI DSS has required of merchants.

Page 29

The Enemy Within - data breaches from insiders

• Responsibility for segregation of duties and access authorization still falls on customers, not providers, when data is in the cloud.
• Take into consideration provider employees. They have access to even more info, and a single incident exposes info from many customers.
• Example: Soc Gen - all IT controls implemented by IT management, but no one was monitoring.

Page 30

PCI DSS - Not Optional

• SaaS providers must be compliant with PCI DSS in order to host merchants that are required to comply.
• Similar non-negotiable requirements exist for other industries such as financial services or health care.

Page 31

Sources

• Tough Security Questions For SaaS Providers, Part 1 and 2, at the Blog for Loglogic.com
• Wikipedia, Information Technology Controls entry (from COBIT)
• Wikipedia entry on Software as a Service
• ISACA - The Information Systems Audit and Control Association

Page 32

Questions

Page 33

SpearMC Education Sessions:

Now that SOX is behind us. What about SAS 70?
– Session 52070 on Thursday 12/4/08
– Utopia D from 8:30 – 9:30

Project Costing and Workflow at Transunion
– Session 51850 on Thursday 12/4/08
– Nirvana B from 1:30 – 2:30

Advanced PeopleSoft Financial Security Reporting
– Session 52060 on Friday 12/5/08
– Nirvana B from 8:30 – 9:30

Page 34

Contact Information

Francine McKenna, President, McKenna Partners LLC [email protected]

Marcus Bode, Principal, [email protected]

David Pigman, Tech Specialist, [email protected]

Millie Babicz, Financials Specialist, [email protected]