Offsite hosting of servers 1921

  • Hi
    I’m fairly new to the SOX arena (and these forums) and I have been given the responsibility of IT SOX compliance for our company.
    I’ve been able to obtain plenty of good advice off of these forums and I’m hoping that someone will be able to help with this question.
    We are currently looking to outsource our HR system to a third party vendor. This vendor then uses a hosting company for hosting the servers holding the HR application.
    The vendor is currently in the process of obtaining a SAS 70 Type II but I believe they have not considered the offsite hosting company with regards to controls.
    Should they be looking to the hosting company to have a SAS 70, or should they just have controls in place to demonstrate that access to the servers is restricted (although they will be unaware of what goes on behind closed doors)? Is this an issue that I should be concerned with?

  • Hi Mark – SAS 70 or other certifications are definitely beneficial. They help provide assurances that physical and network security controls are in place. Even though SAS 70 certifications can help in meeting SOX 404 requirements, SAS 70 isn’t a mandatory requirement for SOX compliance. Some of the following ideas might help:

    1. Make sure you feel comfortable with the total package for outsourcing payroll from a security perspective (e.g., encrypted and secure network, secure on-line access for employees, safeguarding privacy, etc). Once that function has moved out of your shop, it would be difficult to re-host it again.
    2. Most likely firms doing payroll have to have proper security and controls on the process of interfacing. While you still need to perform ‘due diligence’ in checking, a payroll service company without proper controls would not stay in business very long.
    3. Check with internal audit, as well as the SOX external auditors to see if they have any concerns or special recommendations.

  • If they are able to obtain reasonable assurance from the hosting company about physical access to the servers, then I don’t think they need a full-fledged SAS 70 Type II (since it’s only one application). Some things you can think of for reasonable assurance are:

    1. Access mechanisms are in place for physically accessing the company server, such as an access list, identification/authentication mechanisms, a separate cage, etc.
    2. Backups – secure handling of backup tapes if it’s done on the hosting site.

  • Thanks for the advice. I’ll follow up with appropriate parties.