Can any of you explain to me how a SAS70 audit is conducted for a software service organisation? How can we prepare for this? I mean, what are the documents that need to be in place for this audit to succeed?
Controls should provide reasonable assurance that a security program provides a framework for managing risk, developing security policies, and monitoring the information technology function.
Internal or external security assessments
Information technology strategy documents
Current organization charts
Current job descriptions / documented roles and responsibilities
Security training / awareness materials
Human resources policies and procedures
Controls should provide reasonable assurance that physical access to the facility and data center is granted to properly authorized individuals.
Policies and procedures for managing (i.e. granting, changing, and revoking) and monitoring physical access, including both employee and visitor (including vendor and custodial) access to sensitive areas
Listing of all personnel with access to data center, telecommunications rooms, and other sensitive areas
Results of most recent security system inspection
Maintenance agreements for security systems
Results of most recent physical access audits / reviews
Controls should provide reasonable assurance that logical access to the Company’s programs and data is granted to appropriately authorized individuals.
IT security policies and procedures
User Management (move/add/change) policies and procedures
Application and system monitoring policies and procedures
Evidence of recent user access audits / reviews
Listing of production program libraries and personnel with update access to such libraries