Dec 9 2008 1:16AM GMT
Posted by: sas70expert
Third-party services,
Management,
SAS 70
During a SAS 70 audit, an auditor may examine any relationships with third parties. Any third party agreements or service level agreements should contain:
1. procedures to protect all outsourced data, applications or hardware
2. a description of the services provided and the target level of services
3. the establishment of an escalation process should an incident occur
4. the right to audit and determine that they are adhering to your agreement
5. the respective liabilities of both parties should an incident occur.
During a SAS70 audit, you have a choice to exclude your outsourced services or include them in the examination. I would recommend you include them, especially if they are essential to the services you are providing to your customers. SAS70ExPERT@gmail.com
Dec 3 2008 4:52PM GMT
Posted by: sas70expert
Management,
SAS 70
Finally, international accounting standards are being implemented. Even though this will cause some upfront additional expense for companies to conform, in the long run, you will be better able to evaluate the financial stability of companies worldwide. Will this mean SAS 70 audit requirements will also be international?
In Canada currently they have similar SAS 70 audit legislation, but in Europe they do not. If America continues to outsource our financial, medical and application processing, don’t you think that European countries should have a SAS70 audit? If you bank at Citigroup, your help desk may reside in India. Without the SAS 70 audit standard being applied in India, will your financial data be safe? Someone could steal your identify and funds from a server in India; is there enough regulation to help you, especially when you need to purchase your Christmas gifts tomorrow?
As we continue to become a one-world economy, we must take fundamental steps to institute standards to protect our basic financial interests. This includes requiring a SAS 70 audit to be completed by all companies in any country that provides a service. Have you as a consumer requested to see your service providers SAS 70 audit today? Trackback URL
Nov 30 2008 8:39PM GMT
Posted by: sas70expert
Management,
Auditing,
SAS 70
As we begin a new election process, our President is currently in the process of deciding who will fill cabinet level positions. Some bring foreign prestige, such as Secretary of State, and others focus more on domestic issues, such as Secretary of Treasury. Any of these positions will require persons with decisions making ability and new imaginative ideas to manage our growing economy. If I were Director of Office and Management and Budget, I would want to quickly define requirements to manage any new economic stimulus packages. SAS 70 audits would be a requirement that would be enclosed in any new legislation.
If the Federal Government and Warren Buffett is going to own much of our economy, how can we be sure that the financial transactions are processed correctly and that our personal data is kept safe? Yes! SAS 70 audits can fulfill that role.
Currently, we are dishing out funds at record pace. Sometimes {sarcastically}, I wonder why don’t we give every American a printer, and tell them to print only what they need. As a taxpayer, I don’t have any idea what my return on this investment will be. When you purchase Coca-Cola stock, I know what their dividend will be? What is our return on our investment in Citigroup and AIG?
AS 70 audits must become a fundamental requirement for almost any service organization to conduct business with the Federal Government. Do you agree? Trackback URL
Nov 17 2008 11:23PM GMT
Posted by: sas70expert
Management,
Access control,
Data center operations,
Network,
SaaS,
SAS 70
As more outsourcing of applications takes place in this economy by using SaaS(software-as-a-service), is Management producing costs savings? and how many SAS70’s will you be required to collect? From the Data Center operations, the IT support vendor, and the application provider?
When you perform your cost-benefit analysis items to consider are
- Who will benefit from access control for your application
- From where will your visitors/employees/customers be connecting to your information, vpn network, cellphone or pda, or other web enabled device
- Obtain more control over your licensing costs
As you develop a strategic plan to use SaaS, build fundamental close relationships with your vendors and define them carefully in your contracts. Constantly update your contracts or service level agreements to match your needs and develop tools to monitor the success of your vendor meeting your requirements.
SAS70 must be performed on your SaaS vendor to provide you with the reliability, confidentiality and integrity of service to be provided to you and your customers. Control objectives may be similar or different, but careful examination of the audit report should be performed in order to determine that your data is secure. SAS70ExPERT.biz
Oct 25 2008 1:43AM GMT
Posted by: sas70expert
Management,
Security Program Management,
Risk management,
SAS 70
Privacy as part of your Security Program Management program means adherence to trust and obligation within your company policy, standards, and procedures. SAS 70 auditors may assist you in implementing this risk management into your company standards by:
1. identifying the data or information that is personable,
2. examining the private information collected, disclosed and that should be destroyed
3. ensuring the accountability of the private data
4. assisting in developing policy and procedure for the risks associated with private data
Based on this standard, you should be able to comply with legal and compliance regulations. This would ensure that privacy standards are considered in all IT projects. Trackback URL
Oct 22 2008 2:26AM GMT
Posted by: sas70expert
Third-party services,
Management,
Monitoring,
SAS 70
During a SAS70 audit, an auditor may examine any relationships with third parties. Any third party agreements or service level agreements should contain:
1. procedures to protect all outsourced data, applications or hardware
2. a description of the services provided and the target level of services
3. the establishment of an escalation process should an incident occur
4. the right to audit and determine that they are adhering to your agreement
5. the respective liabilities of both parties should an incident occur.
During a SAS70 audit, you have a choice to exclude your outsourced services or include them in the examination. I would recommend you include them, especially if they are essential to the services you are providing to your customers. SAS70ExPERT@gmail.com
Sep 25 2008 11:06AM GMT
Posted by: sas70expert
Third-party services,
Management,
Backup,
SAS 70
During the SAS70 audit, an examination will be performed on your data backup process. If you have outsourced this to a local vendor, you are still responsible for making sure that your data is kept safe, secure, and is backed up properly. Hosted or online backup processes are very attractive for small to medium size businesses. Why? They don’t have to maintain the expertise internally and the IT equipment is expensive.
How best do you manage your backup provider? Be sure to have a service level agreement in place. The service level agreement should provide you response times for when you need help. And you will! When you need to find that lost report that is due for your presentation today, you will want the file restored today – NOT in 24-36 hours. In addition, review your own internet connection as you will need a fast one to transfer your data. Does your outsourced vendor take care of your needs?
Outsourcing your data backup process – SAS70
During the SAS70 audit, an examination will be performed on your data backup process. If you have outsourced this to a local vendor, you are still responsible for making sure that your data is kept safe, secure, and is backed up properly. Hosted or online backup processes are very attractive for small to medium size businesses. Why? They don’t have to maintain the expertise internally and the IT equipment is expensive.
How best do you manage your backup provider? Be sure to have a service level agreement in place. The service level agreement should provide you response times for when you need help. And you will! When you need to find that lost report that is due for your presentation today, you will want the file restored today – NOT in 24-36 hours. In addition, review your own internet connection as you will need a fast one to transfer your data. Does your outsourced vendor take care of your needs?
Sep 22 2008 12:21PM GMT
Posted by: sas70expert
Incident response,
Management,
Risk management,
DataCenter,
cooling systems,
SAS 70
During a SAS 70 audit of your DataCenter, an auditor will examine the installation of generators, cooling systems, and UPS backup systems. Questions will arise not only about installation, but of continuing preventative maintenance and incident response. An integrated approach should be followed which has is a holistic plan that clearly identifies scheduling, execution, documentation, risk management, and continuing follow-up inspections.
When preventative maintenance occurs, four results can be expected:
· a potential issue is identified and immediate actions are taken to prevent a future failure.
· a potential issues is identified and a repair is scheduled
· the regular maintenance does not uncover any potential repair
· a defect is uncovered and unanticipated repair time occurs.
In order to optimize maintenance windows, Managers should maintain the age of equipment, history of operating and environmental experience (temperature, voltage, run-time, abnormal events), and operating characteristics such as noise, temperature and vibration. Where is your preventative maintenance plan and do you have service level agreements in place today to monitor your network services? Trackback URL
Sep 21 2008 9:22PM GMT
Posted by: sas70expert
Security management,
Third-party services,
Management,
Auditing,
Network,
SAS 70
Which new technologies are you adopting? With Web 2.0, social networking, wikis, and blogs – oh mY! With so many new avenues to penetrate your market, the decisions you make today can effect the success of your SAS 70 audit. When evaluating new technology, always first determine your company objectives as we previously discussed. In addition, you will need to remember to consider what new security features must be implemented in your computing environment to prevent downtime. It is essential early in the process that you identify the threats, the risks, and then create a plan.
In identifying threats, the assessment team must consider who or what could compromise a target system’s components such that the system’s security attributes would be jeopardized. You should focus on how the information assets and components differ from what you already have. In identifying the security risks, consider what will th total potential impact on the organization. When your system is compromised – and it will be – how would you handle the loss of critical data?
To address technology security risks, requires a documented plan and you must train your employees on how to enact the plan. The SAS70 audit will require you to have a plan in place and it will examine who are the participants in the plan. The plan should include not only IT, but operations and senior management. Where is your security plan? Trackback URL
