Software-as-a-Service and Regulatory Compliance
Here's a nightmare scenario: You run a medical practice that uses a Web-hosted customer relationship management (CRM) solution to handle its billing and other records. One day, you get a phone call from your contact at the CRM company, who has just discovered that a hacker got inside its firewall, and has had access to your data.
Mortified, you write a letter to all your patients, alerting them to the breach, and apologizing that it happened. You send the letter and brace yourself for possible lawsuits. But the next call you get is from the Feds. Whether you knew it or not, your company is responsible for the breach, and is now in violation of the Health Information Portability and Accountability Act (HIPAA).
A growing number of companies, both large and small, depend on hosted software for everything from payroll to package design. For small companies, part of the rationale is that hosted software (or 'software-as-a-service') providers usually have more robust data centers, better in-house expertise, and tighter security than their customers do. But when you hand your company's sensitive data to an outsourcer, you're still legally responsible for keeping it compliant with government regulations and legal agreements.
How can you make sure a provider will keep your data compliant? Just as important -- how can you prove to regulators you've done everything you can to make sure it will? Start by following these five steps:
1. Rank providers by risk. 'I've had people call me and say, ‘My regulator was here and said I need to get due diligence material from the people who deliver coffee!'' reports Tom DeSot, executive vice president and chief compliance officer at Digital Defense, Inc., which offers on-demand compliance and security solutions.
Asking for documentation from a guy with a coffee cart may seem completely unreasonable, he adds, but you can satisfy most regulators if they see you have a plan for addressing each of your vendors in descending order of risk. 'Develop a matrix of vendors, what they do for you, and what level of risk they expose you to,' he says. 'If a regulator says you need due diligence for each one, then you'll have to do each one, but they may not expect you to do them all at once.'
2. Review the vendor's SAS 70 audit. The Statement on Auditing Standards Number 70 from the Auditing Standards Board of the American Institute of Certified Public Accountants has become something of a standard for auditing software-as-a-service providers and other outsourcers. Customers routinely ask providers for copies of their SAS 70 audit reports, and this is a good idea for you to do, too.
'We just received an SAS 70 Type II audit,' reports Michele Hincks, vice president of marketing at Enviance, a provider of Web-hosted compliance solutions for health and environmental regulations. 'Our customers view us as an extension of their IT system, and the audit assures them protection of sensitive data. The auditors assessed our internal controls, technology, how often we upgrade our systems and our disaster recovery plans,' she says.
But it's not enough just to know a company's had a SAS 70 audit -- you should look at the report itself, and know what type it is, according to French Caldwell, vice president of research in governance, risk management, and compliance at Gartner. 'Is it a Type I or a Type II report?' he asks. 'In a Type I report, the vendor is attesting to its own controls, so Type II is preferable.' Even with a Type II report, you should review it carefully to see if the controls in question are the controls you need to make sure your data is safe.
3. Get info from auditors and regulators. How do you know which controls you need? The best way to find out is to ask the experts, including regulators and auditors working for your own organization. 'If your auditors get coy and say that answering your questions would compromise their objectivity, fire them and get new auditors,' Caldwell advises. 'Good auditors these days know they can give you this kind of assistance.'
He also suggests learning as much as you can about auditing standards. 'Go join the local chapter of Information Systems Audit and Control Association (ISACA),' he says. Go to some of their meetings and network with others who are facing the same issues. Better yet, have someone in your company get certification from them. That person will learn what auditors are looking for, and to understand their language.'
4. Go see for yourself. What if a vendor hasn't had a SAS 70 audit? This shouldn't necessarily be a deal-breaker, DeSot says. 'Not every company has a business practice that qualifies it for one. And, the controls in question may not be appropriate for that company. When this is the case, an operational audit can be just as useful.'
In the absence of a SAS 70 audit, DeSot and others recommend conducting a site visit at the vendor so you and your IT experts can see for yourselves how your data will be protected -- something Enviance used to let customers do before it had its SAS 70 audit. If the provider in question is hosting your data at a shared data center, it may not be able to get you in to see actual servers, but a visit to the company's offices can tell you a lot about its professionalism and longevity.
Also, DeSot advises, whenever a request for documentation or a visit is turned down, make sure to get that refusal in writing. 'Regulators recognize that not every vendor will give you all the info you ask for,' he says. 'But they want to see that you've done your due diligence.'
5. Repeat next year. Don't assume just because a vendor has good controls in place today that it will remain so forever. If a vendor is handling your company's information, you should go back and review its controls at least once a year, Caldwell says. 'And if the vendor is handling very sensitive info, you should do it more often than that.'