SAS 70



SAS 70 (Statement on Auditing Standards No. 70) is a standard issued by the American Institute of Certified Public Accountants (AICPA). The first step towards compliance with SAS 70 is to undergo a Type I examination. This review is not based on absolutes; in other words, there are no concrete IT governance standards that an auditor certifies against. In a Type I report, the service auditor expresses an opinion on (1) whether your description of the controls presents fairly, in all material respects, the relevant aspects of the actual controls that have been placed in operation as of the specific date of the examination, and (2) whether the controls were suitably designed to achieve specified control objectives. With respect to the latter, Softrim assists in the design of the architecture and attempts to ensure that the degree of security, fault tolerance and redundancy meets our Client's objectives.

The need for SAS 70 compliance begins with Section 404 of the Sarbanes-Oxley Act of 2002 (referred to as SOX 404). It states that, in order for management to make its annual assessment of the effectiveness of its internal controls, management must document and evaluate all controls deemed significant to the financial reporting processes. If the organization uses a service provider to process transactions, host data, or perform other significant services, management may need to evaluate the design and test the operating effectiveness of the service organization's controls by obtaining a Type II SAS 70 service auditor's report from that service organization. Much of the guidance available for compliance with SOX 404, which in turn affects SAS 70, is delivered by the IT Governance Institute (ITGI), a nonprofit, vendor-neutral organization. ITGI, in association with the Information Systems Audit and Control Association (ISACA), publishes a set of industry best practices called COBIT (Control Objectives for Information and related Technologies). COBIT is a set of generally accepted measures, indicators, processes and best practices for developing appropriate IT governance and control objectives.

SAS 70 examinations are based on the COBIT framework of IT processes that are in place to achieve the business requirements of Halley Capital.

These processes are organized in 4 domains based on the concept that all companies Plan, Build, Run and Monitor IT networks. The Domains and what Softrim considers the salient processes are listed below.

Items in italics can be provided by Softrim; the other items are listed for reference only and are completed by Clients.

Domain: Plan & Organize (PO):
    1. Alignment of IT and Business Strategy
            a. Softrim description of server and network functions to facilitate Business objectives
    2. Ongoing assessment that the Client is achieving optimum use of its resources.
    3. Internal communication on IT objectives
    4. Management of IT risks
    5. Ongoing evaluation of IT systems to meet business needs

Domain: Acquire and Implement (AI)
    1. Assessment techniques of new projects to ensure they meet business needs
    2. New projects, how to ensure they are on time and within budget
    3. Testing new systems to ensure operation
    4. Effect of new projects on current business operations

Domain: Deliver and Support (DS) (Focused on existing IT operations)
    1. Availability of IT network services
            a. Processes to ensure all services listed in PO-1a are available
            b. Processes to manage security
            c. Processes to manage continuity of service (incl. monitoring)
            d. Helpdesk and Support for Users
            e. Management of Data (back-up etc)
            f. Management of Operational facilities
    2. Confidentiality and Integrity of Data
            a. Firewall/Virtual Private Network (VPN)
            b. Intrusion Prevention
            c. Intrusion Detection (network and host-based)
            d. Encryption
            e. Authentication
            f. High Availability/Load Balancing
            g. Anti-virus & Anti-spam
            h. Content Filtering & Caching
            i. Application Security
            j. Secure Sockets Layer (SSL)
            k. Wireless Security
            l. Security Management
            m. Physical Security
    3. IT services supporting business priorities
    4. IT costs optimized
    5. User training

Domain: Monitor and Evaluate
    1. IT performance criteria by management
    2. Management reviews of internal controls
    3. Strategic Plan and IT performance compliance
    4. Controls for Information Security
            a. Physical Access
            b. Data Backup Tapes security
            c. Password management
            d. User Permissions