An Introduction to SAS70
TABLE OF CONTENTS
Purpose
What is SAS70?
What is an exception?
What type of SAS70 does Company have?
Why should I care about all of this?
What controls are tested in the company's SAS70?
Dos and Don'ts
What is meant by Physical Access?
What is Logical Access?
Training
Appendix A
Purpose of this document: This document is intended to help the Human Resources Department prepare
screenshots to aid in the employee induction programme. We have not gone into detail, since this
presentation is given on the first day with Company. All employees must contact their
managers and keep abreast of the processes each department follows to
comply with SAS70.
What is SAS70?
SAS 70 is an auditing standard designed to enable an independent auditor to
evaluate and issue an opinion on a service organization's controls.
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an
internationally recognized auditing standard developed by the American Institute of
Certified Public Accountants (AICPA).
User organizations should provide a Service Auditor's Report to their auditors. This
will greatly assist the user auditor in planning the audit of the user organization's
financial statements. Without a Service Auditor's Report, the user organization
would likely have to incur additional costs in sending its auditors to the service
organization to perform their procedures.
TYPE II
The auditor expresses an opinion on whether the controls that were tested were
operating with sufficient effectiveness during the period specified.
What is an exception?
Control objectives are usually broken down into specific controls. Each control is
tested. If a test fails, it is called an EXCEPTION.
Several exceptions can lead to an overall material weakness in the control objective.
What is a Qualified Report? - It is BAD
The opinion states that material weaknesses were found that impacted the overall
control objective(s).
Each and every employee is expected to do their job with SAS70 in mind. Each of us has a
responsibility to become familiar with the controls and to make sure that they are being
followed.
Physical Security
Logical Security: Authentication and Access
Security Monitoring
Systems Implementation and Maintenance
Problem Management and Service Delivery
System Back-up and Environmental Controls.
Please contact your team lead and refer to the documents available in eRoom. Please
follow the procedures laid out for our in-house tools, namely Oasis, iJump,
AppJump and iChange, which address the controls.
Physical Access
Every employee is provided an electronic access badge and is required to wear it
at all times while at the office. Certain areas are critical and sensitive,
and access to them depends on the job description/role. Please do not lend your
access card to anyone.
Ex-employees are not permitted inside the work area. Meet them in the reception
area.
Visitors and contractors are not allowed inside the work area. If a visitor or
contractor is to be allowed in to repair or attend to a problem, they shall be
escorted at all times to the specific facility. Please identify the visitor and assist
reception in issuing a visitor badge. The visitor is required to wear the badge and shall
surrender it and sign out of the register on leaving.
Logical Access
Access to networks, programs and data is restricted depending on the job
description/role. Please do not share your access passwords with anyone.
If, in the course of discharging your duties, you require any change to system
software, hardware or any other specified application software, please follow the
process. Any change is to be authorized, tested, approved and documented, and
must be backed by a case. Please do not attend to any customer issue without
a case number or an authorization from the client.
The above applies to Prod. However, do not make changes in other
environments except in connection with resolving a customer problem, and change them back
to the original state once testing is done.
Training:
All training undergone shall be brought to the notice of the training coordinator in
the HR Department.
Periodic security updates are also sent out to all employees by the CSO.
Those joining as Managers are required to have expert knowledge of
our processes, since the processes are built to help us comply with SAS70/ISO
standards. Please ensure that you are aware of this before discharging your duties.
We have processes for new hires, terminations, change controls, systems
implementation, maintenance, production moves, application support and testing
procedures.
Appendix A: List of the controls of which employees are required to possess expert knowledge
as per their area of specialization/work allocation
1. Physical Security
a. Access Policies and Procedures
b. Access Control Systems
c. Employee Access Procedures
d. Visitor Procedures
e. Contractor Access
f. Building Security
g. Data Center Security
h. GEMC Security
2. Logical Security: Authentication and Access
a. Responsibilities and Policies
b. Security Configuration
c. Router/Switch Access
d. Operating System Access (Company Access)
e. Application Access (Company Access)
f. Logging
g. Application User Administration and Security
3. Security Monitoring
a. Network Intrusion Detection
b. Incident Response Procedures
c. System Vulnerability Assessment
d. Password Cracking
e. War Dialing
4. Systems Implementation and Maintenance
a. Design of the Global Service Platform
b. Operational Acceptance
c. Building of the Global Service Platform
d. Application Implementation
e. Change Management
f. Application Maintenance
g. Monitoring
5. Problem Management and Service Delivery
a. OS Monitoring
b. Problem Resolution
c. Reporting
d. Application Service Monitoring