Security and confidentiality have become a must for business today, as more and more information is made available and transmitted between business partners. Controls that are not just put on paper but are policies that are monitored and made part of your company's culture are what make a compliance program successful. When you ask a potential business partner whether they have completed a SAS 70, it is important to ask some additional questions:
1. Do you have a Type 1 or Type 2 SAS 70 report? A Type 1 report means you have identified the controls that you want in place, whereas a Type 2 report demonstrates that you can prove you are actually performing them.
2. How often do you perform your audit of the controls, and is the auditing firm a known and well-respected one? Is the service auditor's opinion unqualified, i.e. a clean opinion?
3. Do the controls include extensive policies around data classification so sensitive data is identified and secured upfront?
4. How long have you been obtaining SAS 70 reports?
5. Did the report identify any exceptions?
6. Does the report's scope, as presented in the control objectives, address the risks that the service provider poses?
SAS 70 was recently replaced by SOC and AT 101 reports, which involve additional, more stringent controls and more of an investment to maintain. I will talk about these in future blogs. If you are thinking of doing business with a company that will be handling your data, it is important to consider one that has obtained a Type 2 SAS 70, SOC, or AT 101 report.