Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is Splunk SAS70 compliant?

maverick
Splunk Employee
Splunk Employee
‎05-21-2010 04:18 PM

I would think that since Splunk can be configured to forward live events via SSL, that would qualify/meet SAS70 compliancy, but wanted to be sure and ask anyway.

0 Karma
Reply

ianathompson
Explorer
‎03-07-2012 09:44 PM

dwaddle's got it right.

Asking if Splunk is compliant for any of these compliancy standards is asking the wrong question. Splunk is a tool to ensure you are compliant. Now having that said, there are key components that Splunk has that ensure it does not break compliancy.

  • Granular Access Controls
  • Monitoring itself for changes (SoS)
  • Hashing privacy or personally identifiable information (i.e. Credit Card Numbers and SS#)
  • Changing the default password for Admin

All of above items, provide a stable base for ensuring compliancy. I am not a SAS 70 or PCI compliancy officer, but when asking or being asked (which was even the case for me originally) there is not Golden Seal of Approval. It would be nice to be able to qualm the fears people have when purchasing or implementing Splunk in a certified network. Unfortunately, it's not practical. It's about how you use Splunk and the way you set it up that ensures it maintains compliancy.

Hope that helps.

IT

Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-21-2010 11:13 PM

SAS 70 does not have "checkbox-style" compliance. In fact, auditors who do SAS 70 do not refer to you as being "compliant" or "non-compliant" at all. They will state that SAS 70 "renders an opinion as to the effectiveness of your business controls." These controls are usually specific to the business being discussed and the management structure of it.

Quoting from sas70.com:

SAS 70 is not a pre-determined set of standards that a service organization must meet to "pass".

Whether or not you can pass a SAS 70 style audit depends on the definition of your business controls and how well your operations actually adhere to them.

An example control would be a statement like "All new user accounts must be approved by the employee's manager." Your auditor would test this by looking at all user accounts created during the past 6 months (for example), and verifying that you have documentation that shows that each account was approved by the employee's manager.

Splunk can play an important role in making it possible for your organization's operations to adhere to the business controls defined. A good example of this would be a control stating "Firewall logs are reviewed daily for anomalous activity" -- this is right in Splunk's wheelhouse. But, you'd still need the documentation to support your assertion that someone was actually looking at all of the logs Splunk was indexing.

In my experience, SAS 70 auditors are often much more like financial / accounting auditors than I/T security experts. They like to have things that they can count and make sure that all of the numbers add up. This shouldn't be too much of a surprise given the people developing the SAS 70 standards is the American Institute of Certified Public Accountants.

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...