SecureWorks - On the Radar Newsletter - February 2009
Introducing Compliance Central: New Service for Third-Party Risk Management
On February 9, SecureWorks launched Compliance Central, a new service aimed at simplifying and automating risk management across vendors, service providers, suppliers, partners, merchants and other affiliates. Providing a centralized, web-based platform for self-assessment, risk analysis and compliance validation, Compliance Central enables ongoing risk management and oversight of third-party relationships.
This service has been discontinued and is no longer available.
SecureWorks Upgrades Managed Log Retention Service: Launches New LogVault™ Appliance
On February 2, SecureWorks upgraded our Managed Log Retention service with the launch of our new, proprietary log management appliance: LogVault. Providing high-performance log collection, storage and reporting, LogVault delivers cost-effective and scalable retention of raw log data for security, compliance and IT troubleshooting.
Learn more about LogVault and our upgraded Managed Log Retention Service.
Security 101: SAS 70
What is SAS 70?
SAS 70 stands for Statement on Auditing Standards No. 70, Service Organizations. It is a widely used auditing standard for organizations that provide services to other organizations. A SAS 70 audit assesses a service organization's internal controls and whether they are suitably designed to achieve the control objectives the organization has stated. For example, if a stated control objective is to restrict connections to and from the network, the SAS 70 auditor reviews whether suitable controls (e.g. firewalls) are in place to accomplish that.
How is a SAS 70 report used?
A SAS 70 report gives the customers or clients of a service organization information about that organization's internal controls. It includes the auditor's opinion on those controls, which provides customers with a level of assurance. Service providers (such as SecureWorks) may supply SAS 70 reports to customers to satisfy the due diligence requirements of the customers' vendor management programs.
For clients and their auditors, an important part of the report is the section that outlines the client's own responsibilities. Often titled "Client Control Considerations", this section describes the controls that must exist within the user organization itself for the control objectives in the SAS 70 report to be achieved. The service organization's controls are designed on the assumption that these client-side controls are in place; a client that has not implemented them cannot rely on the report's assurance for the objectives that depend on them.
What's the difference between SAS 70 Type I and Type II audits?
A SAS 70 Type I audit provides the auditor's opinion, as of a specific date, on whether the service organization's description of its controls is fairly presented, whether the controls are suitably designed, and whether they are capable of meeting the control objectives the service organization has defined. It does not test whether the controls actually operated.
A SAS 70 Type II audit covers a period of time (a minimum of six months). As in a Type I audit, the auditor evaluates the presentation, design and suitability of the controls. A Type II audit goes a step further: the auditor tests the controls throughout the audit period and gives an opinion on their operating effectiveness over that period. Because of this, SAS 70 Type II reports provide a greater level of assurance and are generally preferred over Type I reports. When reviewing a Type II report, check that the audit period is recent and that the control objectives cover the services you actually receive; an opinion on controls that were effective during a past period, or for a different service, says little about the controls protecting your data today.
SecureFacts:
"Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 44 percent of respondents, up from 40 percent in 2007, up from 29 percent in 2006 and 21 percent in 2005. Per-victim cost for third-party flubs is $52 higher (e.g. $231 vs. $179) than if the breach is internally caused."
Source: Ponemon Institute, 2008 Annual Study: Cost of a Data Breach
