SAS 70 Overview
Statement on Auditing Standards (SAS) No. 70, Service
Organizations, is an internationally recognized auditing standard
developed by the American Institute of Certified Public
Accountants (AICPA). A SAS 70 audit, or service auditor's
examination, carries weight because it shows that a service
organization has been through an in-depth audit of its control
activities, which generally include controls over information
technology and related processes. In today's global economy,
service organizations or service providers must demonstrate that
they have adequate controls and safeguards when they host or
process data belonging to their customers. In addition, the
requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make
SAS 70 audit reports even more important to the process of
reporting on effective internal controls at service organizations.
ITIL
The Service Management section of ITIL is made up of eleven disciplines, split
into two sections, Service Support and Service Delivery:
Service Support
Configuration Management
Change Management
Release Management
Incident Management
Problem Management
Service Desk
Service Delivery
Service Level Management
Financial Management for IT Services
Capacity Management
Availability Management
IT Service Continuity Management
The object of Service Level Management (SLM) is to maintain and gradually improve business-aligned
IT service quality, through a constant cycle of agreeing, monitoring, reporting and reviewing IT
service achievements, and through instigating actions to eradicate unacceptable levels of service.
SLM is responsible for ensuring that service targets are documented and agreed in Service Level
Agreements (SLAs), and it monitors and reviews the actual service levels achieved against those SLA
targets. SLM should also proactively improve all service levels within the imposed cost constraints.
SLM is the process that manages and improves the agreed level of service between two parties, the
provider and the receiver of a service.
SLM is responsible for negotiating and agreeing service requirements and expected service
characteristics with the Customer, and for measuring and reporting the Service Levels actually
achieved against target, the resources required and the cost of service provision. SLM is also
responsible for continuously improving service levels in line with business processes through a
Service Improvement Programme (SIP), co-ordinating other Service Management and support functions,
including third-party suppliers, reviewing SLAs to meet changed business needs or to resolve major
service issues, and producing, reviewing and maintaining the Service Catalogue.
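The measure-and-report half of that cycle, checking the availability actually achieved in a reporting window against the SLA target and flagging breaches, as a worked example. This is added code, not part of the original page or of ITIL itself; the service names, targets, reporting window and outage records are constructed for illustration. The two details worth getting right are merging overlapping outage records (two monitors reporting the same incident must not be counted twice) and clipping an outage that straddles the window boundary so only the in-window portion counts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Outage:
    service: str
    start: datetime
    end: datetime


def merge_outages(outages):
    """Merge overlapping or adjacent outage records for one service so that
    duplicate reports of the same incident are counted once."""
    merged = []
    for o in sorted(outages, key=lambda o: o.start):
        if merged and o.start <= merged[-1].end:
            last = merged[-1]
            merged[-1] = Outage(last.service, last.start, max(last.end, o.end))
        else:
            merged.append(o)
    return merged


def downtime_in_window(outages, window_start, window_end):
    """Total downtime inside [window_start, window_end); outages that straddle
    a window boundary are clipped so only the in-window portion counts."""
    total = timedelta(0)
    for o in merge_outages(outages):
        s = max(o.start, window_start)
        e = min(o.end, window_end)
        if e > s:
            total += e - s
    return total


def sla_report(targets, outages, window_start, window_end):
    """Compare achieved availability with the agreed target for each service.
    Returns {service: {target, achieved, downtime_minutes, met}}."""
    window = window_end - window_start
    report = {}
    for service, target in targets.items():
        down = downtime_in_window(
            [o for o in outages if o.service == service], window_start, window_end
        )
        achieved = 1.0 - down / window  # timedelta / timedelta -> float
        report[service] = {
            "target": target,
            "achieved": achieved,
            "downtime_minutes": down.total_seconds() / 60,
            "met": achieved >= target,
        }
    return report


# Constructed sample data (hypothetical services and targets, not from the page).
SLA_TARGETS = {"web": 0.999, "mail": 0.995}
WINDOW_START = datetime(2024, 4, 1)
WINDOW_END = datetime(2024, 5, 1)  # 30 days = 43200 minutes
SAMPLE_OUTAGES = [
    # straddles the window start: only 15 of its 45 minutes count
    Outage("web", datetime(2024, 3, 31, 23, 30), datetime(2024, 4, 1, 0, 15)),
    Outage("web", datetime(2024, 4, 3, 10, 0), datetime(2024, 4, 3, 10, 30)),
    # second monitor reporting the same incident: merged, not double counted
    Outage("web", datetime(2024, 4, 3, 10, 10), datetime(2024, 4, 3, 10, 30)),
    Outage("web", datetime(2024, 4, 20, 23, 50), datetime(2024, 4, 21, 0, 10)),
    Outage("mail", datetime(2024, 4, 10, 8, 0), datetime(2024, 4, 10, 11, 0)),
]

if __name__ == "__main__":
    for svc, r in sla_report(SLA_TARGETS, SAMPLE_OUTAGES, WINDOW_START, WINDOW_END).items():
        status = "MET" if r["met"] else "BREACH"
        print(f"{svc}: {r['achieved']:.5f} vs target {r['target']:.3f} "
              f"({r['downtime_minutes']:.0f} min down) -> {status}")
```

With this data "web" accumulates 65 minutes of downtime in the window (15 + 30 + 20) and falls just short of 99.9%, while "mail" loses 180 minutes and stays above 99.5%; the breach on "web" is the kind of finding that feeds the SLA review and a SIP action.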
The object of IT Service Continuity Management (ITSCM) is to support the overall Business Continuity
Management process by ensuring that the required IT technical and service facilities can be
recovered within required and agreed business time-scales.
ITSCM is responsible for ensuring that the available IT Service Continuity options are understood
and that the most appropriate solution is chosen in support of the business requirements. It is
also responsible for identifying roles and responsibilities and making sure these are endorsed and
communicated from a senior level, to ensure respect and commitment for the process. Finally, ITSCM
is responsible for guaranteeing that the IT recovery plans and the Business Continuity Plans are
aligned, and are regularly reviewed, revised and tested.
COBIT
COBIT groups its high-level control objectives into four domains: Planning and Organization,
Acquisition and Implementation, Delivery and Support, and Monitoring.
HIGH LEVEL CONTROL OBJECTIVES
Planning and Organization
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality
Delivery and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Assist and Advise Customers
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations
ISO 17799
ISO/IEC 17799:2005 contains best-practice control objectives and controls in the
following areas of information security management:
• security policy;
• organization of information security;
• asset management;
• human resources security;
• physical and environmental security;
• communications and operations management;
• access control;
• information systems acquisition, development and maintenance;
• information security incident management;
• business continuity management;
• compliance.
Business continuity management is broken into the sub-sections below. The numbering follows
the 2000 edition of the standard, in which business continuity management is section 11; in
ISO/IEC 17799:2005 the same material appears as clause 14.
THE PROCESS
Sub-section 11.1.1 focuses on the management process for developing and maintaining
continuity.
IMPACT ANALYSIS
Sub-section 11.1.2 states the requirement for business impact analysis and risk assessment.
PLANNING
Sub-section 11.1.3 covers the development and implementation of the continuity plans themselves.
FRAMEWORK
Sub-section 11.1.4 describes the planning framework within which the individual plans sit.