11. Managing the Risk Option 1: SAS-70 Type 1 or Type 2 – Report on the adequacy of the design and/or effectiveness of controls, performed for a service organization on behalf of its customers by an independent auditor. *SAS-70 scheduled to be superseded by ISAE 3402 as proposed by the International Auditing and Assurance Standards Board (IAASB); reporting periods ending after June 15, 2011.
12. Managing the Risk Option 2: Trust Principles (SysTrust, WebTrust) – Report on IT-enabled systems, including e-commerce systems. It is particularly relevant when providing services with respect to security, availability, processing integrity, online privacy, and confidentiality.
13. Managing the Risk Option 3: Agreed Upon Procedures – Customized report on management's assertion of controls. Can include standardized framework controls such as COSO, COBIT, ISO-27001.
15. Inclusive of a Team. Team members: IT, Procurement, Legal, External / Internal Audit, Compliance, Privacy, Ethics.
16. Think Before You Drink! Outsourcing questions:
Do you have external security scans/assessments?
Can you provide your last two tabletop results plus DR plan?
Is there an escrow agreement?
How do you meet PCI, GLBA, HIPAA, etc.?
Are there breach notification requirements in the T&Cs?
Do you have provisions for privacy requirements?
How does your attest offering cover my use of the service?
Can my internal/external audit teams access the facilities?
Will your Development/Engineering follow my standards?
Are there subcontractors, and how do you manage them?
Thank you. Questions:
What are the parts of a SysTrust?
How should DR be assessed with your outsourcing partner?
Do external auditors determine if a SAS-70 is sufficient?
What qualifies for a SAS-70?
If a breach occurs, is the outsourcer held accountable or is it the end customer?