Companies are caretakers of valuable corporate assets, such as employees, facilities, equipment, trade secrets, confidential information and intellectual property. Some companies also process and store consumer or employee personal information, which is often subject to various laws regarding unauthorized disclosure, access and use. To adequately protect and mitigate risk to these assets, companies typically develop, implement and maintain a customized set of security standards that are consistent with, among other things, the value of the assets, the risk profile of the company, identified threats to the assets and applicable laws.
When a company outsources a function to a third-party service provider, the company should contractually require the service provider to maintain security standards that are at least as restrictive as the company's own security standards with respect to the outsourced function. This can be accomplished by requiring the service provider to comply with either: (i) the customer's security standards; or (ii) the service provider's own security standards, along with any additional safeguards needed to bridge the gap between the customer's standards and the service provider's.
Companies should also consider using the Statement on Auditing Standards No. 70, Type II (SAS 70), the Payment Card Industry Data Security Standard (PCI DSS) and the International Standards Organization 27001 (ISO 27001) standard as tools to evaluate the effectiveness of a service provider's security program. This article explores the purposes, benefits and limitations of each of these tools from a security perspective, and how they can be used contractually.
SAS 70
SAS 70 is a standard developed by the American Institute of Certified Public Accountants to audit control objectives. Although the scope of the SAS 70 report is entirely determined by the service provider, the report is prepared by an independent, third-party auditor in a standardized format and contains the auditor's opinion on whether the control objectives were met over a defined testing period.
----------------------------------------------
Source: law.com
By: W. Carter Santos
Saturday, May 16, 2009