Sep 25 2009 1:49PM GMT
Posted by: Charles Denyer
HIPAA,
SAS 70,
PCI DSS,
data centers,
managed services,
co-location,
Payment Card Industry Data Security Standard,
health insurance portability and accountability act,
charles denyer
HIPAA compliance for data centers is fast becoming a hot topic in regulatory compliance. The trend started with Statement on Auditing Standards No. 70 (SAS 70), has moved on to the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA) mandates may very well be next on the horizon.
In short, it is a string of compliance requirements that data centers, co-location providers, and managed service entities have faced and will continue to face. And why? Because these businesses are at the forefront of virtualization, cloud computing, hybrid clouds, and software as a service (SaaS) platforms.
So, if a data center undertakes a HIPAA assessment or audit, is it HIPAA compliant, does it get a HIPAA certificate, etc.? The short answer is that there is no official HIPAA certificate: neither the Department of Health and Human Services nor any other body issues one. What an accounting firm can do is undertake an agreed-upon procedures (AUP) engagement in which the procedures test the requirements stated in the HIPAA provisions (for a data center, chiefly the Security Rule's administrative, physical, and technical safeguards). The resulting report documents which of those provisions the data center meets, and that report is what is usually meant when a data center is described as HIPAA compliant.
In subsequent blogs, I'll discuss the scope of a HIPAA assessment/audit for a data center.
May 8 2009 11:47AM GMT
Posted by: Charles Denyer
Compliance,
sas 70 audit,
cpa firm,
data center,
charles denyer,
data center physical security,
co-location
Learn more about SAS 70 audits for data centers by reviewing the step-by-step SAS 70 audit process. From beginning to end, a number of steps, activities, and deliverables must be completed to ensure the audit is successful. From the initial SAS 70 readiness questionnaire assessment to the delivery of the final audit report, the CPA firm conducting the audit and the data center's employees will be working together collaboratively throughout.
Follow this step-by-step process if you are a data center or co-location facility that will be undergoing a SAS 70 audit in the near future:
First and foremost, identify the scope of the SAS 70 audit. Though it sounds quite straightforward, every CPA firm approaches scope in a slightly different manner. When identifying scope, keep the following in mind: Does the scope of the audit satisfy your clients' demands? Does the scope of the audit conform to industry-accepted practice for SAS 70 audits of data centers?
Once the scope has been identified, it’s critical to begin the planning process with the auditors. A series of planning meetings should include a discussion on the following items:
1. The SAS 70 readiness questionnaire assessment and when it will be done (if deemed necessary).
2. The type and extent of sampling that will be conducted for the audit (this is important, as auditors have varying views on sample sizes and the number of items tested).
3. Identification of the key personnel involved in the audit from both sides.
4. Which data center physical security controls will be included in the scope of the audit.
These are just some general parameters to get you going in the right direction.
If you want to learn more about SAS 70 audits, then visit the official SAS 70 resource guide, where you can obtain SAS 70 sample reports for review.
Sep 26 2008 5:33PM GMT
Posted by: Charles Denyer
managed services,
co-location,
SAS 70,
sas70,
sas70 sample reports,
data centers,
sas 70 type ii
SAS 70 audits have quickly become a mainstay in the world of data centers, managed services and co-location entities, and this will no doubt continue to grow. This is happening for a large number of reasons, but primarily because data centers (and any variant thereof, such as managed services and co-location entities offering "ping, power and pipe") host an ever-growing and enormous amount of information on behalf of service providers. These service providers are commonly being asked to be SAS 70 Type II compliant. As such, the data centers used by these very service organizations are commonly included within the scope of the SAS 70 audit.
And what should data centers take from this? A good idea would be to become SAS 70 compliant, and here's why.
1. SAS 70 compliance helps mitigate, and possibly eliminate, many of the specialized requests your clients make of you in facilitating their own SAS 70 compliance.
2. It greatly helps with business development and marketing for data centers.
3. It helps unearth any weaknesses or deficiencies you may have within your control environment.
To learn more about SAS 70 audits and data centers and to receive a complimentary SAS 70 Type II audit report, visit the official SAS 70 Resource Guide.
Aug 28 2008 1:07PM GMT
Posted by: Charles Denyer
Compliance,
managed services,
DataCenter,
SAS 70,
SAS 70 readiness questionnaire,
SAS 70 download,
sas70 sample reports,
data centers
If you are a data center or managed services provider and need a SAS 70 audit, then here are some helpful tips and strategies for finding the right firm, getting a fair and equitable fee, and ensuring you have the proper scope for the audit.
Today's data centers are complex entities, providing customers with a broad array of services, so it's important that your SAS 70 report meets and exceeds the objectives of the audit for you and your customers.
1. First and foremost, find a CPA firm that not only specializes in SAS 70 audits, but also has a strong understanding of the services offered by your organization. From ping, power, and pipe to highly complex managed services, it's important to keep all critical services within the scope of the audit.
2. Get a fixed fee for your audit. With the rising cost of expenses such as gas, travel and other ancillary services, getting a "fixed fee" for your SAS 70 audit ensures that costs are contained and that you know exactly what you will be paying for the audit. SAS 70 audits that do not include expenses will end up costing data centers approximately an additional 20% or more over the originally agreed fee. Hourly rates for auditing data centers should be considered a thing of the past; work hard to get a fixed fee.
3. Scope the audit correctly by making sure the CPA firm conducting the SAS 70 audit includes the following areas for examination and testing:
- Executive Tone
- Human Resources
- Customer Contract Process
- Customer Provisioning Process
- Incident Management
- Change Management
- Logical Security
- Network Security
- Physical Security
- Environmental Security
- Computer Operations
There are also a number of data center best practices that should be in place to help facilitate the overall success of the SAS 70 audit.
To learn more about SAS 70 audits or to receive a SAS 70 sample report, visit the official SAS 70 Resource Guide.
Jul 13 2008 10:15PM GMT
Posted by: Charles Denyer
HIPAA,
Compliance,
DataCenter,
SOX,
GLBA,
Sarbanes-Oxley,
regulatory compliance,
SAS 70,
SAS 70 readiness questionnaire,
What is SAS 70?,
SAS 70 download,
SAS 70 checklist,
SAS 70 overview presentation
A SAS 70 report can be a daunting undertaking for many service organizations that have never gone through an audit of this type. Developed in 1992 by the American Institute of Certified Public Accountants (AICPA), and since superseded by SSAE 16 and the SOC 1 report, SAS 70 Type I and Type II audits are used for examining a service organization's control environment: a Type I report covers the design of controls as of a point in time, while a Type II report also tests their operating effectiveness over a period of time.
Many companies often ask me what the end deliverable report looks like. Because of the loose flexibility of the auditing standard, I have to caution them that no two reports from different CPA firms for a SAS 70 audit will ever look alike. This is largely based on the fact that the presentation of the audit findings allows CPA firms to illustrate them in any number of ways. However, even with that said, there are some fundamental topics and areas that need to be included in almost any SAS 70 Type II audit. A good reference would be to examine the SAS 70 audit & overview presentation tutorial, which gives readers an excellent example of what SAS 70 is and what's in a report.
Additionally, visit the SAS 70 resource guide, where you can receive SAS 70 sample reports for educational viewing.