<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SAS70 Wiki</title>
	<atom:link href="http://www.sas70wiki.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.sas70wiki.com</link>
	<description>SAS70 Wiki</description>
	<lastBuildDate>Tue, 08 May 2012 20:33:53 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>What is Virtualization</title>
		<link>http://www.sas70wiki.com/what-is-virtualization/</link>
		<comments>http://www.sas70wiki.com/what-is-virtualization/#comments</comments>
		<pubDate>Thu, 03 May 2012 20:30:12 +0000</pubDate>
		<dc:creator>Peter Daisyme</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.sas70wiki.com/?p=81</guid>
		<description><![CDATA[When a company moves away from physical computers and starts to focus more on virtualization, they will save a lot of money as a result. It’s difficult to acquire enough computers to meet the needs of their growing workforce. Dealing with the implications of upgrading their current technology infrastructure is even more daunting. One of [...]]]></description>
			<content:encoded><![CDATA[<p>When a company moves away from physical computers and starts to focus more on virtualization, they will save a lot of money as a result. It’s difficult to acquire enough computers to meet the needs of their growing workforce. Dealing with the implications of upgrading their current technology infrastructure is even more daunting. One of the <a href="http://content.dell.com/us/en/enterprise/virtualization-benefits">Dell</a> virtualization benefits is that it eliminates the necessity of having to purchase a computer for each new employee. It also lowers the amount they have to budget for IT each year. They can’t expect to replace every computer with a virtualized version though. Virtual machines do not work well with graphically intense applications. Companies that do a lot with graphic design or video editing won’t be able to completely virtualize their systems; however, they will have the chance to store their files in a virtual environment should they choose to do so. Do not save files on a virtual machine and expect them to be there the next day though. Virtual systems are often wiped on a moment’s notice because they encountered a virus or spyware infection.</p>
<p>A company filled primarily with physical computers has to hire enough IT professionals to keep them up and running. As the company grows larger, the amount of money they have to spend hiring IT employees goes up as well. Virtual machines take what used to require a team of IT professionals to maintain and reduce it to a level where one or two people could get the job done. The person who installs your virtual machines must have done it in the past. Companies will benefit very little from virtual machines that are crashing on a regular basis. The same amount of protection attached to regular office computers should apply to virtual machines as well. It’s easy to reduce the amount of protection since it’s effortless to reset a virtual machine when it runs into trouble; however, some employees might forget to switch their files over to removable media or their office computer and lose what they spent hours working on. Since most projects have deadlines associated with them, it’s essential to ensure that the employees will have the chance to move their files before the virtual machine they used is wiped.</p>
<p>It’s a good practice to wipe your virtual machines on a regular basis. If they’re being used by several people, the amount of files weighing them down could slow them down to the point where they’re practically unusable. Most companies are able to let each employee have their own virtual machine, but that isn’t always the case. Storing a large amount of virtual machines puts a lot of strain on your server. Small companies won’t have servers as strong as large companies; therefore, the amount of virtual machines they will use will be much smaller as well. It’s possible for you to take the risk and work primarily on main office computers. You need to back up your data constantly and have good protection measures in place if you decide to go this way though. Your files will stick around if you know how to protect them and put them in the right place in case something terrible happens.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sas70wiki.com/what-is-virtualization/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Statement on Standards for Attestation Engagements (SSAE) No. 16</title>
		<link>http://www.sas70wiki.com/statement-on-standards-for-attestation-engagements-ssae-no-16/</link>
		<comments>http://www.sas70wiki.com/statement-on-standards-for-attestation-engagements-ssae-no-16/#comments</comments>
		<pubDate>Fri, 25 Jun 2010 19:57:07 +0000</pubDate>
		<dc:creator>fiberblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[SSAE 16 certified]]></category>
		<category><![CDATA[SSAE16]]></category>
		<category><![CDATA[SSAE16 Cloud Hosting]]></category>

		<guid isPermaLink="false">http://www.sas70wiki.com/?p=72</guid>
		<description><![CDATA[The Auditing Standards Board of the AICPA issued Statement on Standards for Attestation Engagements (SSAE) No. 16, “Reporting on Controls at a Service Organization.” This new Standard is similar to the global standard (ISAE 3402). SSAE No. 16 will supersede SAS No. 70. The effective date for SSAE No. 16 will [...]]]></description>
			<content:encoded><![CDATA[<p>The Auditing Standards Board of the AICPA issued Statement on Standards for Attestation Engagements (SSAE) No. 16, “Reporting on Controls at a Service Organization.” This new Standard is similar to the global standard (ISAE 3402). SSAE No. 16 will supersede SAS No. 70. The effective date for SSAE No. 16 will be for service organization reports with periods ending on or after June 15, 2011.</p>
<p><a href="http://ssae16hosting.com">See Official SSAE16 Website</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.sas70wiki.com/statement-on-standards-for-attestation-engagements-ssae-no-16/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Will entities now become “SSAE 16 certified”?</title>
		<link>http://www.sas70wiki.com/will-entities-now-become-%e2%80%9cssae-16-certified%e2%80%9d/</link>
		<comments>http://www.sas70wiki.com/will-entities-now-become-%e2%80%9cssae-16-certified%e2%80%9d/#comments</comments>
		<pubDate>Fri, 28 May 2010 16:08:36 +0000</pubDate>
		<dc:creator>fiberblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[certified SAS70]]></category>
		<category><![CDATA[SSAE 16 certified]]></category>
		<category><![CDATA[SSAE 16 report]]></category>

		<guid isPermaLink="false">http://www.sas70wiki.com/?p=70</guid>
		<description><![CDATA[Here is the excerpt verbatim from the AICPA:
Q. — Will entities now become “SSAE 16 certified”?
A. — No! A popular misconception about SAS 70 is that a service organization becomes “certified” as SAS 70 compliant after undergoing a type 1 or type 2 service auditor’s engagement. There is no such thing as [...]]]></description>
			<content:encoded><![CDATA[<p>Here is the excerpt verbatim from the AICPA:<br />
Q. — Will entities now become “SSAE 16 certified”?<br />
A. — No! A popular misconception about SAS 70 is that a service organization becomes “certified” as SAS 70 compliant after undergoing a type 1 or type 2 service auditor’s engagement. There is no such thing as being SAS 70 certified and there will be no such thing as being SSAE 16 certified. An SSAE 16 report (as with a SAS 70 report) is primarily an auditor to auditor communication, the purpose of which is to provide user auditors with information about controls at a service organization that are relevant to the user entities’ financial statements.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sas70wiki.com/will-entities-now-become-%e2%80%9cssae-16-certified%e2%80%9d/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>SAS 70&#8211;Is it All the Due Diligence You Need?</title>
		<link>http://www.sas70wiki.com/sas-70-is-it-all-the-due-diligence-you-need/</link>
		<comments>http://www.sas70wiki.com/sas-70-is-it-all-the-due-diligence-you-need/#comments</comments>
		<pubDate>Fri, 30 Apr 2010 22:54:07 +0000</pubDate>
		<dc:creator>fiberblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.sas70wiki.com/?p=64</guid>
		<description><![CDATA[The answer is a resounding and definitive &#8220;No!&#8221; According to an article I found on Datamation: How Cloud Computing Security Resembles the Financial Meltdown, putting all your faith in a vendor&#8217;s claim to be SAS 70 certified is one of the riskiest moves you can make on behalf of your company.
&#8220;Who&#8217;s issuing these certifications?&#8221; it [...]]]></description>
			<content:encoded><![CDATA[<p>The answer is a resounding and definitive &#8220;No!&#8221; According to an article I found on Datamation: <a href="http://itmanagement.earthweb.com/netsys/article.php/11075_3878811_1/How-Cloud-Computing-Security-Resembles-the-Financial-Meltdown.htm">How Cloud Computing Security Resembles the Financial Meltdown</a>, putting all your faith in a vendor&#8217;s claim to be SAS 70 certified is one of the riskiest moves you can make on behalf of your company.</p>
<p>&#8220;Who&#8217;s issuing these certifications?&#8221; it asks. &#8220;And where&#8217;s the money coming from to pay the auditors checking off the list?&#8221; The answer is always: the vendors themselves. Which makes sense, right? Who else should pay a third party auditor to cross-examine a vendor&#8217;s internal processes but the vendor, as a courtesy, convenience, and assurance to its customers that they have their act together and can be trusted?</p>
<p>The point made in the Datamation article was that it was third party auditors who signed off all those shoddy sub-prime mortgages as AAA-rated assets, and <em>they</em> were paid by the schmoes needing the recommendation. Shady enough for you? It certainly doesn&#8217;t inspire the greatest confidence in organizations that likewise pay their auditors, and that&#8217;s not entirely fair.</p>
<p>Of course, there is always the option to hire your own auditor instead of relying on the group hired by the company you&#8217;re investigating, but not many of us can bear the expense. It ends up being an excellent PR move for vendors to stamp a &#8220;SAS 70 Certified&#8221; icon on their site with the message: &#8220;Your data is safe with us. We&#8217;ve been certified.&#8221;</p>
<p>Savvy consumers would request tangible proof, a report of some kind that they can hold in their hand, and requesting this report is the first step in doing your proper due diligence. As nice as it would be to take anyone&#8217;s word for it when they promise you the world, it&#8217;s a luxury that has probably never existed in any bygone era. The reality is you&#8217;ve got to do your research, and any company you do business with has to have the history and the list of satisfied clients to back them up and give a little weight to their claims.</p>
<p>In my personal opinion, it <em>should </em>be a good sign if the company you&#8217;re thinking of using as your cloud computing provider can say it&#8217;s SAS 70 certified and then prove it. Especially if it&#8217;s also gone through the trouble to become certifiably PCI Compliant. And then even more especially if it can give you a list of client referrals that can attest to their positive experience with that particular provider. Altogether it means that the company has its head on straight, is up-to-date on current industry standards, and is proactively on top of its game. It will go that extra mile to grant its customers the assurance they need to entrust their data to them, and that in itself is a valuable consideration to have when you&#8217;re comparing the top providers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sas70wiki.com/sas-70-is-it-all-the-due-diligence-you-need/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
		<item>
		<title>Installment #8: So what&#8217;s the bottom line?</title>
		<link>http://www.sas70wiki.com/installment-8-so-whats-the-bottom-line%ef%bb%bf/</link>
		<comments>http://www.sas70wiki.com/installment-8-so-whats-the-bottom-line%ef%bb%bf/#comments</comments>
		<pubDate>Mon, 12 Apr 2010 14:00:09 +0000</pubDate>
		<dc:creator>fiberblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.sas70wiki.com/?p=49</guid>
		<description><![CDATA[So what is the bottom line to my company?
If you are a service provider, having a SAS 70 report ready can mean a shortcut for your company to help its customers with their auditing and compliance needs. It can help your company to maintain security and policy awareness, which will build your [...]]]></description>
			<content:encoded><![CDATA[<p><strong>So what is the bottom line to my company?</strong></p>
<p>If you are a service provider, having a SAS 70 report ready can mean a shortcut for your company to help its customers with their auditing and compliance needs. It can help your company to maintain security and policy awareness, which will build your ability to perform in an ever more risk-averse financial world. Likewise, such certifications are growing increasingly attractive to potential clients and can make or break a deal.</p>
<p>An SAS 70 audit can be a real walk in the park if you are confident that your policies are well documented, and properly followed by your employees. This is something you need to do anyway to ensure the viability of your company as a service provider. As long as you are already implementing policies and procedures and following them correctly, your audit should be a painless and interesting process which will help you get an outside person’s view into your daily workflow.</p>
<p>If you have service providers you do business with and need to make sure they are staying compliant with their own policies, an SAS 70 report can help your company to feel more secure about the providers you do business with. Additionally, if you need to comply with industry standardization requirements or policy requirements internally, you can save your company and your auditors’ time and money by having an SAS 70 report on hand from each of your major service providers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sas70wiki.com/installment-8-so-whats-the-bottom-line%ef%bb%bf/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Installment #7: Where do I go for more specific SAS 70 guidelines?</title>
		<link>http://www.sas70wiki.com/installment-7-where-do-i-go-for-more-specific-sas-70-guidelines/</link>
		<comments>http://www.sas70wiki.com/installment-7-where-do-i-go-for-more-specific-sas-70-guidelines/#comments</comments>
		<pubDate>Fri, 09 Apr 2010 22:47:52 +0000</pubDate>
		<dc:creator>fiberblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.sas70wiki.com/?p=47</guid>
		<description><![CDATA[What if I want more specific guidelines on what to do before getting a SAS 70 Audit?
Groups such as the Information Systems Audit and Control Association (ISACA) and The IT Governance Institute have published many frameworks and guides for information security and auditing. Other standards that companies may be [...]]]></description>
			<content:encoded><![CDATA[<p><strong>What if I want more specific guidelines on what to do before getting a SAS 70 Audit?</strong></p>
<p>Groups such as the Information Systems Audit and Control Association (ISACA) and The IT Governance Institute have published many frameworks and guides for information security and auditing. Other standards that companies may be required to adhere to (such as PCI-DSS etc.) may actually have more specific requirements that can easily be used to create policies and procedures that will allow a SAS 70 audit to be performed.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sas70wiki.com/installment-7-where-do-i-go-for-more-specific-sas-70-guidelines/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Installment #6: Can I fail a SAS 70 audit?</title>
		<link>http://www.sas70wiki.com/installment-6-can-i-fail-a-sas-70-audit/</link>
		<comments>http://www.sas70wiki.com/installment-6-can-i-fail-a-sas-70-audit/#comments</comments>
		<pubDate>Thu, 08 Apr 2010 22:34:47 +0000</pubDate>
		<dc:creator>fiberblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.sas70wiki.com/?p=45</guid>
		<description><![CDATA[Can I fail a SAS 70 audit?
Yes, actually you can. When a service provider is audited, their report can be given an ‘unqualified opinion’ on whether they have policies and procedures as desired and whether they comply with them. An ‘unqualified opinion’ is essentially a ‘passing’ grade. If the service provider either cannot produce the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Can I fail a SAS 70 audit?</strong></p>
<p>Yes, actually you can. When a service provider is audited, their report can be given an ‘unqualified opinion’ on whether they have policies and procedures as desired and whether they comply with them. An ‘unqualified opinion’ is essentially a ‘passing’ grade. If the service provider either cannot produce the policies and procedures as desired or they fail to demonstrate compliance with their policies and procedures, a ‘qualified opinion’ is given at the end of the report. Essentially, the report will include a ‘qualification’ for each deviation from policy/procedure. This is not exactly a failure, per se. It simply means that the report shows that the service provider is not in 100% compliance with their own desired policies and procedures. The report would have to be considered in more depth by a customer’s auditors to determine what that particular shortcoming means to that particular customer.</p>
<p>Essentially, even though any given service provider will determine their own policies and procedures that they need to comply with to have an unqualified SAS 70 report, it is not uncommon for a service provider to fail to enforce those policies and procedures or to find that employees are either not properly trained on procedures or not following them properly. That is why the auditing needs to be done on a recurring basis and a Type II report can be much more meaningful than a Type I report. If a service provider fails to comply with their own policies, they would need to correct whatever issue caused a qualification to be listed on the report and then repeat the audit process to have a new report generated.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sas70wiki.com/installment-6-can-i-fail-a-sas-70-audit/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Installment #5: Will my Service Provider’s SAS 70 report expire?</title>
		<link>http://www.sas70wiki.com/installment-5-will-my-service-provider%e2%80%99s-sas-70-report-expire/</link>
		<comments>http://www.sas70wiki.com/installment-5-will-my-service-provider%e2%80%99s-sas-70-report-expire/#comments</comments>
		<pubDate>Wed, 07 Apr 2010 22:31:03 +0000</pubDate>
		<dc:creator>fiberblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.sas70wiki.com/?p=42</guid>
		<description><![CDATA[Will my Service Provider’s SAS 70 report expire and does it need to be renewed?
Not really. The report targets auditing of either one point in time (Type I) or a specific time period (Type II) such as a 6 month period of auditing. Therefore a report is valid as long as it [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Will my Service Provider’s SAS 70 report expire and does it need to be renewed?</strong></p>
<p>Not really. The report targets auditing of either one point in time (Type I) or a specific time period (Type II) such as a 6 month period of auditing. Therefore a report is valid as long as it was correctly produced. Of course things change, and companies’ procedures and policies and their ability to execute them will change over time as well, so realistically a report is of less and less value the older it is. Any given provider will probably want to&#8211;or be required by their customers to&#8211;have a new report generated on a yearly basis, as it seems reasonable to ensure that policies are up-to-date and followed appropriately.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sas70wiki.com/installment-5-will-my-service-provider%e2%80%99s-sas-70-report-expire/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Installment #4: So what good will a SAS 70 report do me?</title>
		<link>http://www.sas70wiki.com/installment-4-so-what-good-will-it-do-me-to-get-a-report-from-my-service-provider/</link>
		<comments>http://www.sas70wiki.com/installment-4-so-what-good-will-it-do-me-to-get-a-report-from-my-service-provider/#comments</comments>
		<pubDate>Tue, 06 Apr 2010 22:28:51 +0000</pubDate>
		<dc:creator>fiberblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.sas70wiki.com/?p=40</guid>
		<description><![CDATA[So what good will it do me to get a report from my Service Provider?
Well, if your company is already subject to industry standardization requirements such as PCI-DSS, Sarbanes-Oxley, or other standards, your auditors will probably make repeated requests to obtain information from your various service providers about their security procedures and policies. Having a [...]]]></description>
			<content:encoded><![CDATA[<p><strong>So what good will it do me to get a report from my Service Provider?</strong></p>
<p>Well, if your company is already subject to industry standardization requirements such as PCI-DSS, Sarbanes-Oxley, or other standards, your auditors will probably make repeated requests to obtain information from your various service providers about their security procedures and policies. Having a Type I or Type II SAS 70 report on hand will allow the service provider to easily supply information to auditors in a familiar manner that should satisfy a lot of those requests, which will save your auditors time and save you money.</p>
<p>If you are a service provider, the reverse applies to you. Having a Type I or Type II report ready to go means you can provide information to your customers that makes their lives easier and helps them get back to business.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sas70wiki.com/installment-4-so-what-good-will-it-do-me-to-get-a-report-from-my-service-provider/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Installment #3: Which kind of SAS 70 report do I need?</title>
		<link>http://www.sas70wiki.com/installment-3-which-kind-of-sas-70-report-do-i-need/</link>
		<comments>http://www.sas70wiki.com/installment-3-which-kind-of-sas-70-report-do-i-need/#comments</comments>
		<pubDate>Mon, 05 Apr 2010 21:20:31 +0000</pubDate>
		<dc:creator>fiberblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.sas70wiki.com/?p=38</guid>
		<description><![CDATA[Wait, there is more than one kind?
Actually there are two types of SAS 70 audit reports, Type I and Type II. Type I is a ‘report on controls placed in operation’. Type II is a ‘report on controls placed in operation and tests of operating effectiveness’. The only difference is the additional testing of [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Wait, there is more than one kind?</strong></p>
<p>Actually there are two types of SAS 70 audit reports, Type I and Type II. Type I is a ‘<em>report on controls placed in operation</em>’. Type II is a ‘<em>report on controls placed in operation <strong>and tests of operating effectiveness</strong></em>’. The only difference is the additional testing of the effectiveness of established operations.</p>
<p>A Type I report states the auditor’s opinion on the service provider’s ‘controls’ or policies and procedures at a particular point in time (the time of the audit). Basically it gives a good idea of whether the controls are fairly presented, whether they are well designed to achieve the desired objectives, and whether they were in place at the time of the audit. The Type I report essentially provides a quick snapshot idea of a service provider’s policies and procedures as they are defined by the service provider in question.</p>
<p>A Type II report is similar to a Type I report but expands the scope from a single auditing instance to a longer period of time, such as 6 or 12 months, to provide a more complete idea of whether the service provider is really complying with their own policies and procedures on a day-to-day basis. This kind of report can be much more revelatory to most groups because almost anyone can quickly fake up some compliance efforts for a day while the auditor is in the office.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sas70wiki.com/installment-3-which-kind-of-sas-70-report-do-i-need/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

