
Is Splunk SAS70 compliant?

maverick
Splunk Employee

I would think that since Splunk can be configured to forward live events via SSL, that would qualify/meet SAS70 compliancy, but wanted to be sure and ask anyway.


ianathompson
Explorer

dwaddle's got it right.

Asking if Splunk is compliant for any of these compliancy standards is asking the wrong question. Splunk is a tool to ensure you are compliant. Now, having said that, there are key components that Splunk has that ensure it does not break compliancy.

  • Granular Access Controls
  • Monitoring itself for changes (SoS)
  • Hashing privacy or personally identifiable information (i.e. Credit Card Numbers and SS#)
  • Changing the default password for Admin

All of the above items provide a stable base for ensuring compliancy. I am not a SAS 70 or PCI compliancy officer, but when asking or being asked (which was even the case for me originally), there is no Golden Seal of Approval. It would be nice to be able to quell the fears people have when purchasing or implementing Splunk in a certified network. Unfortunately, it's not practical. It's about how you use Splunk and the way you set it up that ensures it maintains compliancy.

Hope that helps.

IT

dwaddle
SplunkTrust

SAS 70 does not have "checkbox-style" compliance. In fact, auditors who do SAS 70 do not refer to you as being "compliant" or "non-compliant" at all. They will state that SAS 70 "renders an opinion as to the effectiveness of your business controls." These controls are usually specific to the business being discussed and the management structure of it.

Quoting from sas70.com:

SAS 70 is not a pre-determined set of standards that a service organization must meet to "pass".

Whether or not you can pass a SAS 70 style audit depends on the definition of your business controls and how well your operations actually adhere to them.

An example control would be a statement like "All new user accounts must be approved by the employee's manager." Your auditor would test this by looking at all user accounts created during the past 6 months (for example), and verifying that you have documentation that shows that each account was approved by the employee's manager.

Splunk can play an important role in making it possible for your organization's operations to adhere to the business controls defined. A good example of this would be a control stating "Firewall logs are reviewed daily for anomalous activity" -- this is right in Splunk's wheelhouse. But, you'd still need the documentation to support your assertion that someone was actually looking at all of the logs Splunk was indexing.

In my experience, SAS 70 auditors are often much more like financial / accounting auditors than I/T security experts. They like to have things that they can count and make sure that all of the numbers add up. This shouldn't be too much of a surprise given that the SAS 70 standards are developed by the American Institute of Certified Public Accountants.
