SAS 70 Certification
Posted Friday, March 17, 2006 10:02 AM
SSC-Enthusiastic

Group: General Forum Members
Last Login: Wednesday, March 24, 2010 1:57 PM
Points: 182, Visits: 65

All

Has anyone gone through a SAS 70 audit and certification?

I am assuming that it is very similar to a SOX audit, but the devil is in the details.

Thanks in advance

Eric

Post #266649
Posted Monday, March 20, 2006 8:00 AM
SSChampion

Group: General Forum Members
Last Login: Friday, May 18, 2007 3:36 PM
Points: 10,039, Visits: 1
No one has responded to this topic yet. Even if you don't have a complete answer, the original poster will appreciate any thoughts you have!
Post #266953
Posted Monday, March 20, 2006 2:09 PM
Forum Newbie

Group: General Forum Members
Last Login: Monday, August 20, 2012 1:14 PM
Points: 6, Visits: 6
can't say i have gone through a sas 70 attestation, however, i have reviewed them.

sounds like you are a 3rd party service provider, so you probably house some company's financial application(s) or are a datacenter or something along those lines.

a sas 70 is basically an audit, but not as tough (best way i could put it). auditors will come in, evaluate your controls around security, software development, etc. and then make a decision on how well your environment is controlled. this info is then relayed on to whoever you provide data services for.

here is a scenario of how a normal audit and sas 70 attestation could go:
normal audit - the company does not review users with access to their in-scope applications/systems, deficiency noted, that deficiency then needs to be remediated
sas 70 - no review of users with access to in-scope apps, that is noted on the report, but it's up to the company if they want to remediate it. it's my guess the company you provide service for will want you to remediate it, so they can put greater reliance on your report.

hope that helps, let me know if you have any other questions.
Post #267069
Posted Monday, April 10, 2006 10:11 AM


Keeper of the Duck

Group: Moderators
Last Login: Friday, September 26, 2014 7:52 AM
Points: 6,624, Visits: 1,873
Gone through both as well as a couple of SysTrust categories. SAS70, in general, was not as strict as SOX. Ours did a review of access, as indicated by kc, but remediation was left up to our organization. This is unlike SOX, where the review was done and specific remediation steps were proposed.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
Post #272288