Concerned about vendors who touch your data?


The other day someone was telling me that he was not very concerned about privacy risks with his data center vendor.

“My vendor has a SAS 70,” he said proudly.  “It’s a Type II report – the one where they actually test compliance with the internal control policies and procedures.”

Sadly, I had to tell him that while it was great that his vendor had a SAS 70 and it was even better that he was concerned about unnecessary privacy risks, he wasn’t as protected as he imagined.

“You should still be concerned,”  I told him.  He looked at me like I had two heads…

I explained to him that a SAS 70 report is not proof that his vendor had effective privacy policies and controls.  Instead, that report is proof that the vendor has good internal controls related to very specific business processes, not related to privacy.

“Your auditor needs this report to assess  internal control risks to plan and execute your financial audit.  The SAS 70 assesses financial statement risk.  Not  privacy risk.”

He still looked at me like I had two heads.  But at least he asked: “So what should I do?” My advice to him was:

  • Ask your vendor for the results of their latest information security audit/review
  • Make sure that the scope of the audit included your privacy and information security concerns.

When we said goodbye  he mentioned that he wanted to make sure that he had the proper oversight and would follow-up with his vendor.

It’s great if your vendor has a SAS 70, but that’s for financial statement risk, not privacy risk.  Don’t think that a SAS 70 will provide assurance that you are protected and privacy risks minimized.  For these concerns, make sure you see your vendor’s latest information security review.  If they don’t have one, start worrying.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.

Leave a Reply

Your email address will not be published. Required fields are marked *

We respect your personal information. Please review our Privacy Policy for more details.