Posts Tagged 'Sas70'

July 14, 2011

Skinson 1634AR15 Compliance

Skinson's 1634AR15 Competency Controlled Certification of Compliance
New Compliance structure makes a compliance officer's life much easier.

Dallas -- In a world where auditor to auditor reports are out of control and we have a mountain of complex compliances to worry about, one competent compliancy controlled certification of compliance finally comes forth (and not a minute too soon).

"This new groundbreaking idea will change the lives of many competing auditing firms, law firms, accounting firms and so on," says Steve Kinman. "I spend countless hours reading controls for one report and different controls for another report, and the only difference is the verbiage and format."

The new Skinson 1634AR15 Certification combines your SAS70, SSAE16, ROC, VOC, SOC, NIST, SARBOX, PCI, OMB, ACART, CFDA, HIPAA and SAFE HARBOR compliance into a single report using a set framework that automorphs based upon which auditor is touching the report or viewing it in the state of the art Skinson Portal.

"The Skinson portal is mind-blowing," says Val Stinson. "The automorph feature is something straight out of the movies. It knows who is reading and can change the wording on the fly. This keeps auditors from scratching their heads when the words in the report don't match the words in their instruction book."

The introductory price for full Skinson 1634AR15 Compliance Certification is $1,000,000 USD. This is all-inclusive and will sufficiently cover all of your compliance needs.

Contact:
Steve Kinman
skinman@softlayer.com

About Skinson
Headquartered in Dallas, Texas, Skinson is a fictional company that likes to poke fun at the difficult job of compliance in the world. While we find that it can be overwhelming at times, we understand that compliance is a necessary evil. We would like to note that something like we dream about above would be very nice and would save the world a ton of work and cut down on our carbon footprint considerably. If you are in a position of control and can make the above happen please help us!!

On a side note, SoftLayer will do everything we can to help you with any compliance you need. Just ask your local sales team for help, and they will find the right person and get you in contact.

-@skinman454

P.S. The actual reason for this blog post is that we just announced that the control procedures and compliance for our 11 data centers have been verified in a Service Organization Control Report (SOC 1) prepared under the terms of the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) by independent auditing firm Weaver.

January 26, 2011

Time for an Oil Change?

<Fade In>
Man driving into Jiffy Lube, car sputtering and smoking.
Attendant: "Looks like you need an oil change buddy."
Buddy: "Yep, I think so. I was here last week and I think they used the wrong oil!"
Attendant: "Nah, we wouldn't do that. In fact we only have one kind of oil here and that's SAS 70."
Buddy: "Well, that's odd; I am told that I need SSAE 16 for mine to work right."
<Mass Confusion>

Welcome to my world! We have SAS 70 today, but soon we will have the new synthetic, non-abrasive, engine-cleaning SSAE 16. Sounds fun, right? I sure hope so.

Why the change? Good question. When SAS 70 first appeared in the early 90s, the world's economies weren't quite as intertwined as they are today. It was much harder to do business globally than it is now. (I think the "fad" called the internet has a little something to do with that but I could be wrong!) Now that the oceans have shrunk to a more manageable size, there is a need for the standards that companies use worldwide to match more closely. The goal of the U.S. Statement on Standards for Attestation Engagements 16 (SSAE 16) is to meet a more uniform reporting standard.

What's the difference? It's an "attestation" not an "audit." Google and thefreedictionary.com define attestation as "To affirm to be correct, true, or genuine," and audit as "an inspection, correction, and verification of business accounts." Though they are closely related, they mean different things.

What stays the same? The focus will still be on controls at service organizations when the controls are relevant to their user entities' internal control over financial reporting. (For some reason, servers tend to have quite a bit to do with that!) There will still be a Type 1 and Type 2 with similar scopes and format. The reports will look very similar, but they should be a bit more descriptive. The report will still be used in the same ways and by the same type of user.

What Changes? SSAE 16 is now an attestation and not really an audit. The service auditor will still provide an opinion but it will align itself more closely with existing international attestation standards.

  • Written Management Assertion - Management will be required to provide an assertion, to be included in the report, stating the system is fairly represented, suitably designed and implemented and the related controls were suitably designed to achieve the stated control objectives, and that the controls operated effectively throughout the period. The report will reference that management is responsible for preparing the system description, providing the stated services, specifying the control objectives, identifying the risks, selecting the criteria and designing, implementing and documenting controls that are suitably designed and operating effectively. The auditor's opinion remains in the role of providing assurance, not as the entity responsible for the communication.
  • System Description - The more inclusive description must detail the services covered, classes of transactions, events other than transactions, report preparation processes, control objectives and related controls, complementary user controls and other relevant aspects of the organization's control environment, risk assessment process, information and communication systems, control activities and monitoring controls. (I think an accountant came up with all of that!)

There are quite a few other differences but I think these are the big headliners. SoftLayer is committed to making this change and having it available for our customers that require it. Our normal SAS 70 schedule is Nov. 1 – Oct. 31 but we will be accelerating the process to have the SSAE 16 in place as soon as possible.

We are continuously looking at other compliance, reporting, audits and certifications. If you have any that would help you and your business, let us know.

-Skinman

May 24, 2008

SASafras

Filth flarn foul filth! You all know by now that my brother and I both work at SoftLayer. We are both smart enough to know that it is THE place to work. Ok, well I work and he just sits in his office dreaming of money (He has done that most of his life). I am pretty sure he still has the penny he took from me (forcibly) when I was still his “little” brother. Anyway, I have since outgrown him and he no longer wants to wrestle or play fight. Go figure, I think he got scared. As I have said before he can’t even beat me in racquetball anymore. So what does he do to pay me back? He gets a SAS-70 Type II review (Statements on Auditing Standards) underway and then somehow strategically gets it dumped right in the middle of my desk.

Now let’s review: Customer Service = Accounting, NO. Customer Service = Compliance, NO! :-) Somehow, somewhere I forgot to either skip that meeting or hide accordingly. I think maybe a sick day was in order. I should have been invisible, something, anything. But alas, here I sit reading, writing, editing, and screaming at new, better, cooler policies and procedures that will make auditors understand that we know what we are doing and we do it well. Now he could have simply selected SAS-70 Type I and then we could just “say” we do all this extra stuff and we do it well and voila! SAS-70. But NO! He had to overachieve and pick Type II, which says that we have to let someone else inside to make sure we do what we say we do. Not a problem really, except that part about it landing in my lap! I’ll get him back, no worries.

In all seriousness (as serious as I can be anyway), this SAS-70 review is a great thing. It is making us look pretty closely at ourselves as a company and as individuals and making us make sure we are the best at what we say we do and making us do it. It will also allow larger enterprise companies to use us as their outsourced IT solution. I keep talking about why companies should outsource and this is one more reason. We are under review currently and should have a decision by the end of the year. Once we get it then you can have the best servers, the best portal, the best network solution, and the best support and have it all outsourced to a “hopefully” SAS-70 certified datacenter.

I am sure my blog-hogging brother will have a rebuttal for this one, and probably Mike Jones as well for using his coined word of blog-hogging again. Blog on!

-Skinman

March 5, 2008

Outsource IT: Part III

Third in a series of three! In other words, you won't have to read this stuff anymore after this one. I will get back to the fun ones. I might try to make this one fun along the way. I left off in the last one discussing some of the financial and technical reasons to outsource your servers. This blog will be geared towards some ideas floating around in my head on what would be some good examples of outsourcing.

You have to step back and look at it from a different angle. If you aren't ready to outsource the whole farm just yet, then you can go about it in a couple of different ways. One, you can outsource your sandbox, development, and/or test environment. We all know that with SAS 70 and SOX you have to have all of these (or most of them anyway), and outsourcing might be a good way of getting them in place. The cool thing about outsourcing any or all of those is that you have a pristine environment, and if it does get polluted somehow you can just reload the OS quickly and painlessly and try to tear it up again. Outsourced servers are great for this type of scenario. You can even get a few servers and carve them up virtually and have even more toys to play with. Now, you can just go buy new servers and have this in house, but when they break or they are obsolete then you get to buy more. With an outsource model you can buy 1 or 100 and have them for 1 month or 2 years; it's up to you, your needs, and your budget. You can add hardware, add memory, change the OS daily, and only buy the license for a month instead of having to buy it outright when you buy your own servers. I personally believe this is a really good way to get acclimated to outsourcing and test the waters both with yourself and your boss. You always have to make sure they are ok with the way you are doing things. Well, sometimes anyway.

Another option with outsourcing is outsourcing production. Some bosses out in the world aren't ready for this yet, but they will be. They like keeping their data close by and having multiple copies and instances and USB keys with copies on them, etc. That's just the nature of data. Now we all know that you can have the same if not more redundancy in the outsourced model too; it is just hard to explain to them sometimes. I have to give them credit. Think about all the data in the world and how much of it we need to use every day. If folks like them didn't demand that we techies keep it safe, the world might have a bad day, I know I would. I use tons of data every day (might be a fun blog).

If you decide to outsource dev/test or production you have the ability to scale quickly and accordingly when dealing with technology. Not having to be bogged down by worrying about hardware lead times, dealing with accounts payable, the receiving dock, and all the other worries you have when buying hardware is a liberating feeling. I know what you are thinking; I have been over this side of it a few times so I will just leave it at that but the numbers and today's technology make it all come together and make good business sense.

Outsource IT!

-Skinman
