Using Security Standards for Outsourcing
By W. Carter Santos
Companies are caretakers of valuable corporate assets, such as employees, facilities, equipment, trade secrets, confidential information and intellectual property. Some companies also store and/or process consumer and/or employee personal information, which is often subject to various laws regarding unauthorized disclosure, access and/or use. In order to adequately protect and mitigate risk to these assets, companies typically develop, implement and maintain a customized set of security standards that are consistent with, among other things, the value of the assets, the risk profile of the company, identified threats to the assets and applicable laws.
When a company outsources a function to a third party service provider, the company should contractually require the service provider to maintain security standards that are at least as restrictive as the company’s own security standards with respect to the outsourced function. This can be accomplished by requiring the service provider to either comply with (i) the customer’s security standards, or (ii) the service provider’s security standards along with any additional safeguards to bridge the gap between the standards of the customer and the service provider. Companies should also consider using the SAS 70, PCI and ISO standards as tools for evaluating the effectiveness of a service provider’s security program. This article explores the purposes, benefits and limitations of each of these tools from a security perspective and how they can be used contractually.
SAS 70
The Statement on Auditing Standards (SAS) No. 70, Type II (“SAS 70”) is a standard developed by the American Institute of Certified Public Accountants to audit control objectives. Although the scope of the SAS 70 report is entirely determined by the service provider, the report is prepared by an independent third party auditor in a standardized format and contains the auditor’s opinion on whether the control objectives were met over a defined testing period.
Since the SAS 70 standard does not prescribe a set list of control objectives, the control objectives in the SAS 70 report will likely not completely align with the customer’s security standards. For instance, the SAS 70 report may completely omit firewall standards as a control objective, yet this could be a key component of the customer’s security standards. The service provider also selects the systems on which the controls are tested. Since the SAS 70 standard is an accounting based standard, the focus is often on controls over financial reporting systems and may not include controls over the systems used by the service provider to provide the services to the customer.
If the SAS 70 report covers any of the security controls used by the customer on the same systems used to provide the services, the SAS 70 report is a useful tool for the customer to evaluate the security standards of the service provider as they pertain to the outsourced function. The SAS 70 report will describe any deficiencies in those controls discovered by the auditor. Additionally, the customer should review old SAS 70 reports to determine if any control objectives have been dropped from the current report, as this may indicate problem areas.
PCI
The Payment Card Industry Security Standard (“PCI”) was created by the major credit card companies to protect credit card data from fraudulent use. PCI has 12 mandatory requirements and over 200 controls, including those for firewall configuration, system passwords, encryption, anti-virus, facilities access, and system scanning. The PCI standards are typically enforced contractually through a contract chain involving the credit card companies, acquiring banks, retailers and service providers, and failure to comply with PCI standards can result in penalties.
PCI compliance demonstrates that the service provider has satisfied a prescriptive set of security requirements with respect to the storing, processing and transmitting of cardholder data (personally identifiable information of credit card holders). However, if the service provider is not handling cardholder data for the customer, then PCI compliance does not apply to the outsourcing arrangement. Similarly, if handling cardholder data is only a subset of the overall outsourcing arrangement, then PCI compliance only applies to that subset.
To the extent the service provider is handling cardholder data for the customer, PCI compliance gives the customer some assurance that minimum security standards are in place at least for those services. Furthermore, since the customer may be required by contract to be PCI compliant with respect to the outsourced services that are in-scope for PCI, PCI compliance by the service provider will support the customer’s third party contractual obligations. However, since outsourcing deals typically do not fall completely within the PCI scope, PCI is usually not a useful tool for evaluating the security standards of the service provider for the entire scope of the deal.
ISO 27001
ISO 27001 is an information security management system standard published by the International Organization for Standardization (“ISO”). ISO 27001 is an international standard, which is voluntary and applies to the entire in-scope business unit. ISO 27001 contains a set of 11 risk domains and over 100 controls. While the ISO risk domains and controls overlap substantially with the PCI requirements and controls, ISO 27001 is more of a holistic security standard framework, with more emphasis on management commitment, continuous improvement and the overall security program, while PCI is more of a prescriptive list of requirements, with more emphasis on the technical aspects of securing cardholder data.
If the customer and service provider are both ISO 27001 compliant, then the security programs of both companies should use the same framework and should address the same risk domains required by ISO 27001. Therefore, the gap between the security standards of the customer and the service provider should be limited to the customer safeguards that are outside the scope of ISO 27001. The SAS 70 report and PCI compliance are not useful tools for gap analysis purposes because (a) the SAS 70 report is limited to the scope selected by the service provider (as to the controls and systems) and (b) PCI compliance by definition is limited to the processing, storing and transmitting of cardholder data.
Unlike PCI, which is an accepted industry requirement for any organization handling credit card data, ISO 27001 is voluntary. Accordingly, unless the service provider has adopted all or a portion of this standard, ISO 27001 will not be a useful tool for the customer.
Contractual Uses
At a minimum, the customer should contractually require the service provider to comply with security standards that are at least as restrictive as the customer’s standards with respect to the outsourced function, and the customer should have the right to audit the service provider for compliance. This will help ensure that the service provider is not the weak link in the customer’s security program.
Second, the customer should consider requiring the service provider to annually deliver a SAS 70 report and/or maintain and annually certify to PCI and/or ISO 27001 compliance and deliver any compliance reports related to the certifications. Obtaining these reports and certifications annually will allow the customer to periodically evaluate the effectiveness of the service provider’s security program. Service level credits and/or early termination rights can also be negotiated to incent the service provider to comply with these obligations. Additionally, if the outsourced function involves handling credit card data, the customer should require this part of the services to be PCI compliant. Whether or not the customer attempts to negotiate these standards into the outsourcing contract depends on the scope of the outsourced services, the applicability of these standards to the customer’s own security standards, the customer’s negotiating leverage, and/or the service provider’s adoption of these standards.
It should be noted that a customer that publishes its own SAS 70 and relies on the service provider for compliance with certain of the customer’s own control objectives may need the service provider to provide a customized SAS 70 against the customer’s own control objectives with respect to the specific outsourced services. This topic is beyond the scope of this article.
Conclusion
The SAS 70, PCI and ISO standards are not proxies for ensuring that the service provider’s security standards are at least as restrictive as the customer’s own security standards. However, they are tools that can be used by the customer to (i) evaluate the effectiveness of the service provider’s security program, (ii) assist in the gap analysis process (at least with respect to ISO), and/or (iii) provide some assurance that the service provider’s security program meets certain minimum standards.
W. Carter Santos is an assistant vice president, outsourcing transaction counsel at Equifax Inc. Special thanks to David Hannigan (vice president, global security compliance at Equifax Inc.) for his contributions to this article. The views expressed in this article are those of the author and do not necessarily reflect the views of Equifax Inc.