
Introduction to SAS70


TABLE OF CONTENTS
Purpose ................................................ 3
What is SAS70? ......................................... 3
What is an exception? .................................. 3
What type of SAS70 does Company have? .................. 4
Why should I care about all of this? ................... 4
What controls are tested in the Company's SAS70? ....... 4
Dos and Don'ts ......................................... 4
What is meant by Physical Access? ...................... 5
What is Logical Access? ................................ 5
Training ............................................... 5
Appendix A ............................................. 6


Purpose of this document: This document is intended to help the Human Resource Department prepare
screenshots to aid the employee induction programme. It does not go into detail, since this
presentation is given on an employee's first day with Company. All employees must contact their
managers and keep abreast of the processes each department follows to comply with SAS70.

What is SAS70?
SAS 70 is an auditing standard designed to enable an independent auditor to
evaluate and issue an opinion on a service organization's controls.
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an
internationally recognized auditing standard developed by the American Institute of
Certified Public Accountants (AICPA).
User organizations should provide a Service Auditor's Report to their auditors. This
greatly assists the user auditor in planning the audit of the user organization's
financial statements. Without a Service Auditor's Report, the user organization
would likely incur additional costs in sending its auditors to the service
organization to perform their procedures there.

Statement on Auditing Standards (SAS) No. 70

- NOT a checklist
- Controls are developed by the organization
- Controls are tested by an independent auditor

TYPE II
The auditor expresses an opinion on whether the controls that were tested were
operating with sufficient effectiveness during the period specified.

What is an exception?
Control objectives are usually broken down into specific controls. Each control is
tested. If a test fails, the failure is called an EXCEPTION.
Several exceptions can lead to an overall material weakness in the control objective.
What is a Qualified Report? It is BAD.
The opinion states that material weaknesses were found that impacted the overall
control objective(s).


What type of SAS70 does Company have?

Currently Company has an Unqualified Type II SAS70.

Now performed quarterly.

Everyone's Responsibility

Our customers depend on it!!

It should be integral to what you do every day!!

Why should I care about all of this?

Several of Company's clients rely on this report to answer their own auditors'
questions and/or to comply with the Sarbanes-Oxley Act (SOX), the Health
Insurance Portability and Accountability Act (HIPAA), their own SAS70 or other
certifications. Noted exceptions or a qualified opinion in the report could
be disastrous to Company's reputation. Some of the serious consequences are listed
as follows:

o Wasted resources in responding to the exceptions within the report
o Loss of clients
o Loss of jobs due to loss of clients
o Loss of job(s) due to employee(s) not adequately following control(s)

Each and every employee is expected to do their job with the SAS70 in mind. Each of us has a
responsibility to become familiar with the controls and to be sure that they are being
followed.

What controls are tested in Company's SAS70?

Company controls are summarized as follows:
1. Physical Security
2. Logical Security: Authentication and Access
3. Security Monitoring
4. Systems Implementation and Maintenance
5. Problem Management and Service Delivery
6. System Back-up and Environmental Controls

Please contact your team lead and refer to the documents available in eRoom. Please
follow the procedures laid out for our in-house tools, namely Oasis, iJump,
AppJump and iChange, which address these controls.


Dos and Don'ts:

Follow the Company Password Policy. It is available on the common drive as well as in
eRoom.
The SAS70 Report is not distributed; however, a client is mailed a copy following the SAS70
Distribution Rules.
Train yourselves on Company Oasis. It is a patented, internally developed end-to-end
operational support system which enables us to proactively monitor and manage clients'
servers, firewalls, and applications.
All employees are required to execute non-disclosure agreements. HR will answer
any questions. The employee handbook, which contains the policies, will be handed over to
you. Please acknowledge in writing that you have received it. The policies are updated
regularly and are stored in: \\Path. Please read them regularly.

Physical Access
Every employee is provided an electronic access badge and is required to wear it
at all times while at the Office. Certain areas are critical and sensitive,
and access to them depends on the job description/role. Please do not lend your
access card to anyone.
Ex-employees are not permitted inside the work area. Meet them in the reception
area.
Visitors and contractors are not allowed inside the work area. If any visitor or
contractor is to be allowed in to repair or attend to a problem, they shall be
escorted at all times to the specific facility. Please identify the visitor and assist
reception in issuing a visitor badge. The visitor is required to wear the badge and shall
surrender the badge and sign out of the register on leaving.

Logical Access
Access to networks, programs, and data is restricted depending on the job
description/role. Please do not share your access passwords with anyone.
If, in the course of discharging your duties, you require any change to system
software, hardware or any other specified application software, please follow the
process. Any change is to be authorized, tested, approved and documented. This
has to be backed up with a case. Please do not attend to any customer issue without
a case number or an authorization from the client.
The above applies to Prod. However, do not make any changes in other
environments except in connection with resolving a customer problem, and change them back
to the original state once testing is done.


Training:
All training undergone shall be brought to the notice of the training coordinator in
the HR Department.
Periodic security updates are also sent out to all employees by the CSO.
Those who are joining as Managers are required to have expert knowledge of
our processes, since the processes are built to help us comply with SAS70/ISO
standards. Please ensure that you are aware of this before discharging your duties.
We have processes for new hires, terminations, change controls, systems
implementation, maintenance, production moves, application support and testing
procedures.

Appendix A: List of the controls of which employees are required to possess expert knowledge,
as per their area of specialization/work allocation
1. Physical Security
a. Access Policies and Procedures
b. Access Control Systems
c. Employee Access Procedures
d. Visitor Procedures
e. Contractor Access
f. Building Security
g. Data Center Security
h. GEMC Security
2. Logical Security : Authentication and Access
a. Responsibilities and Policies
b. Security Configuration
c. Router/Switch Access
d. Operating System Access (Company Access)
e. Application Access (Company Access)
f. Logging
g. Application User Administration and Security
3. Security Monitoring
a. Network Intrusion Detection
b. Incident Response Procedures
c. System Vulnerability Assessment
d. Password Cracking
e. War Dialing

4. Systems Implementation and Maintenance
a. Design of the Global Service Platform
b. Operational Acceptance
c. Building of the Global Service Platform
d. Application Implementation
e. Change Management
f. Application Maintenance
g. Monitoring
5. Problem Management and Service Delivery
a. OS Monitoring
b. Problem Resolution
c. Reporting
d. Application Service Monitoring

6. System Back-up and Environmental Controls
a. Back-up Schedule, Tape Retention Intervals, and Storage
b. Data Recovery
c. System Redundancies
d. Environmental Controls and Backup Power Systems.
