SAS 70 process 928

  • Thanks kymike…that was really helpful.

  • We want to provide certification of privacy for our customers
    … my company sells hardware and utilities on the web that provides reporting needs for our customers. We want to protect the client data (server inventory and usage data, for instance) and wanted to assure our clients that controls are in place to address this…
    SAS 70 sounds like overkill to me for this requirement; you will incur significant costs and I am not sure that you would achieve your objective. You might be better off looking at an eCommerce certification such as CPA WebTrust or TRUSTe.
    WebTrust is a wider and more robust certification (like SAS70 provided by CPA firms) - but if you are solely concerned about privacy then TRUSTe is enough.

  • @Calvin - I’m not sure that a SAS 70 is what you’re looking for either. If you are providing application support to a client then a SAS 70 cannot replace the client’s responsibility for maintaining a well controlled SDLC and managing their service providers would be part of this.
    Ditto system support, again it is the client’s responsibility to ensure that they get what they need from you and control their own environment.

  • Hi Dennis,
    Are you implying that the client shouldn’t ask us for the SAS70 Type II? We are into application support and systems support primarily for some clients from where the talk of SAS 70 Type II is coming.
    I need an expert opinion over here. Can I say to the client that they can do without SAS 70 Type II from our side for their SOX compliance? What do they need to have to circumvent SAS 70 from our side?
    Please clarify.
    Thanks for your time.

  • Each client will have to make their own determination as to whether or not the services that you provide for them are material to their controls over financial reporting. Once they have determined that your services are material to their financial reporting controls, then they will likely ask for a SAS 70. Absent a SAS 70 report, they will likely then ask to come document the controls in place related to the services that you are providing.
    I was suggesting earlier that, if you have several clients asking for the same types of controls support, you may want to consider having a SAS 70 report prepared versus facing the recurring inconvenience of having multiple clients interrupting your business in order to document similar controls.

  • I should have clarified that we provide services and customers do go onto our site to download entitlement, service contract, etc…
    I am not a technical person and am not sure how it works on the business side. I know we want to be compliant somehow with the protection of the client privacy, etc. Maybe this is not the correct forum to ask but again, I don’t know how else to reach out for some input…
    Some mentioned ISO17799 and Info. Assurance vendors and trust services…
    I think we will need our vendors to provide some kind of an assertion or certification as we work with different partners and vendors and vice versa…
    One interesting thing is, what if the vendor you want to use is NOT a PUBLIC company and you want to ensure security is in place and is addressed? Additionally, if that vendor is outsourcing some of the services to other companies, do you now also want that 3rd party to provide some kind of certification, too?
    Please continue to share your input. As you can see, a lot of us can use this forum to brainstorm and it certainly is a great source due to all of your expertise.
    Thank you,

  • Certification of Privacy is IMHO’
    What is IMHO??

  • That’s ‘In My Humble Opinion’. 😄
    I regret any confusion created because of it. I was trying to say that SAS70 and Certification of privacy are not related.

  • Thanks for clarifying that, Calvin.
    I understood the point, so thank you for sharing your input.
    So, if SAS70 and certification of privacy are not related, has anyone out there dealt with the privacy issue? I would imagine web services and the banking industry have dealt with this long ago… Does anyone have any suggestions where one would start? (I’ve sent out some feelers with a few of my contacts from the banking industry)…

  • In case you didn’t see my earlier post.
    Start with TRUSTe (which is a privacy certification) and CPA WebTrust (which included privacy in its certification).
