From Whatis.com: SAS 70 (the Statement on Auditing Standards No. 70) defines the standards an auditor must employ in order to assess the contracted internal controls of a service organization. Service organizations, such as hosted data centers, insurance claims processors, and credit processing companies, provide outsourcing services that affect the operation of the contracting enterprise.
Under SAS 70, auditor reports are classified as either Type I or Type II. In a Type I report, the auditor evaluates the efforts of a service organization to prevent accounting inconsistencies, errors, and misrepresentation. A Type II report includes the same information as that contained in a Type I report and, in addition, the auditor attempts to determine the extent to which agreed-on controls have been operating effectively between the time they were implemented and the present.
With the introduction of the Sarbanes-Oxley Act (SOX) in 2002, a type II SAS 70 report became the official third-party certification of SOX compliance for service organizations that deal with public companies.
Log management and compliance
So where do logs fit in? By reviewing the logs, data center managers can record specific kinds of activities to show auditors that controls are in place. For example, a company could show that it has disabled user logins when people are terminated.
Dana Gardner, principal analyst at Gilford, NH-based Interarbor Solutions provided other examples. For instance, a company can show how it is enforcing its policies. If a company doesn't want its workers sending emails to employees in a competing company, it can use log data on routers, hubs and email systems to block or record that activity.
"It can also be used for internal issues," Gardner said. "If you're a financial institution, your traders shouldn't be talking to your investment bankers. You can prove to the SEC that your traders aren't having communications with the investment bankers, at least not on your systems."
The other function of log data in compliance is to report on exceptions -- explicit log events that represent issues requiring investigation -- such as alerts on firewalls or failed password attempts.
Log data in action
Orinda, Calif.-based Intraware is one company using log management tools for compliance. The company provides software distribution and support for large IT vendors like EMC.
"We're a public company so we have concerns around SOX -- how we manage event information and review that information," Steve Loyd, vice president of operations at Intraware said. "Also, all of our customers are public companies themselves. They've outsourced a critical function to us and it's important for them that we're running as we should be."
Intraware runs Sun Solaris and Red Hat Linux -- two platforms on which Loyd said managing the log data was a challenge.
Now the company uses log search engine software from San Francisco-based Splunk to query logs manually and at programmed intervals. Splunk queries provide Intraware with all the exceptions found in the log data. Loyd also has set up event generation alarms with Splunk. When a log matching a certain string events occurs, it sets off an alert and Intraware reacts to that event.
"For the Unix admin it's a pretty friendly tool," Loyd said.
According to Splunk product manager Christina Noren, between 25-30% of its customers are using the tool for compliance purposes and 15% of its customers buy the tool primarily for compliance auditing. The Splunk log search engine tool isn't designed specifically for compliance auditing, but it is one of the more interesting uses to come out of the technology.
SAS 70 saves time for Intraware
According to Loyd, Intraware had a choice -- it could deal with all of its customers' inquiries into its data center operations individually or it could proactively pursue a SAS 70 audit, documenting its IT governance controls.
"One way or another you need to provide information to customers for SOX. If you are part of any process that has to do with financial statements of a public company, you have to certify the processes you use," Loyd said. "In most cases the SAS 70 handles all the questions and saves us a bunch of time."
Intraware has conducted two SAS 70 Type II reviews over the past two years. The first was in 2005 and it is just completing its 2006 report. The company plans to do them at six month intervals going forward.
Deloitte & Touche conducted Intraware's audits. "We liked the name and what they had to say, also the staffing they had available. It's worked out very well so far," Loyd said.
Log management the ultimate audit tool?
There are a number of tools available for log management, including search engine-style tools from Splunk, and log management software and appliances from San Jose, Calif.-based Log Logic and Boulder, Colo.-based LogRhythm Inc.
But are these tools fundamental to auditing IT operations?
According to Interarbor's Gardner, looking directly at what is happening in a system is the best paper trail you'll find in IT.
"Log data is the interception point between technology and activity. What the servers, routers and infrastructure are doing is a proof point -- more than receipts and software licenses. There's a lot of difference between what a company owns and pays for, and what it uses."
Russ Gates, auditing consultant with Naperville, Ill.-based Dupage Consulting LLC doesn't necessarily agree with the pure-evidence-is-better-evidence argument.
"Logs are better evidence than receipts? Maybe for some things, but not for others. Systems can only log what happens from a systems perspective," Gates said. "Systems can't deal with whether you included everything and a lot of audit issues are around what should have happened."
Gates said log data can be important, but it has to be fit into the broader business processes to make sure it's tied into something you can use. He also said if you are planning on using log data in your auditing, you had better consider these type of tools.
"I sat in on a Web-cast LogLogic did the other day and a lot of their points are valid," Gates said. "If somebody thinks logs are important and relevant you've got to have software to deal with it. In any big system you'd have hundreds of thousands of events being logged. Parsing out the ones that matter -- a database failure or security violation, getting those in front of somebody -- the key thing is tying those into a response you can do something with."
Let us know what you think about the article; e-mail: Matt Stansberry, Site Editor