White Papers provided by the SAS 70 Resource Guide
SAS 70 and its Impact on GLBA Safeguards Provision
The Safeguards Rule is the second in a series of three main parts contained within the GLBA privacy provisions, and it calls for financial institutions to have an adequate security plan in place for protecting the confidential information of consumers. The Federal Trade Commission, in seeking to actively promote the Safeguards Rule, has made available via its website a comprehensive list of educational material and resources, in the hope of informing all parties subject to the Rule as well as other interested parties. Key topics in the Education & Guidance section put forth by the FTC include a primer for businesses on protecting personal information, guidance on how to properly dispose of consumer report information, and general guidelines for ensuring compliance with the privacy provisions within GLBA.
Additionally, on May 23, 2002 the FTC published the Standards for Safeguarding Customer Information, giving financial institutions and other interested parties detailed, specific information regarding compliance with the Safeguards Rule. Within this twelve-page document, the Safeguards Rule sets mandatory standards for administrative, technical, and physical information safeguards that financial institutions must maintain in order to ensure the security and confidentiality of customer records and information, to protect against anticipated threats or hazards to those records, and to protect against unauthorized access to customer records.
SAS 70 and the Safeguards Rule
Type I and Type II SAS 70 audits, used primarily as compliance audits for examining a service organization’s internal controls, can test and report on the controls surrounding the adequate protection and safeguarding of consumer information. Here’s how it works. Many entities, such as financial services institutions, hold and process confidential information on behalf of their customers. A SAS 70 audit can therefore test the control mechanisms that ensure only authorized personnel are granted system access to the various applications, databases, or other repositories in which customer information is stored. Moreover, this does not require a separately scoped engagement; it can be included in the scope of a common general controls SAS 70 audit report. For example, a mortgage servicing company holding sensitive, non-public account information for its customers can be tested within the scope of a SAS 70 audit to confirm that only authorized individuals can access this type of information. Such information is not available to just anyone in the company, so access should be restricted, and a SAS 70 audit can test that it is. Though a simple and straightforward example, it conveys the relevance of Statement on Auditing Standards No. 70 to the Safeguards Rule.
