
The 10 Things You Need To Ask Your Isaca Dublin 05052010 No Notes



Presentation on managing the risk of outsourcing, SaaS, PaaS, etc.


  1. The 10 Things You Need to Ask Your Outsourcing Partner
     Timothy Youngblood
     Dell, Inc.
  2. This isn’t new
  3. Approaches to Delivery
     • SaaS
     • Cloud
     • PaaS
  4. New Tech Driving Change
  5. Reduced Sales Cycles
     • $$$
     • The Enterprise
     • Example
  6. Key Assumptions 1. & 2.
  7. Key Assumptions 3. & 4.
  8. Key Assumptions 5. & 6.
  9. Key Assumptions 7. & 8.
  10. Key Assumptions 9. & 10.
  11. Managing the Risk Option 1
     SAS-70 Type 1 or Type 2: Report on the adequacy of the design and/or effectiveness of controls, performed for a service organization on behalf of its customers by an independent auditor.
     *SAS-70 scheduled to be superseded by ISAE 3402 as proposed by the International Auditing and Assurance Standards Board (IAASB); Reporting Periods ending after June 15, 2011
  12. Managing the Risk Option 2
     Trust Principles (SysTrust, WebTrust): Report on IT-enabled systems including e-commerce systems. It is particularly relevant when providing services with respect to security, availability, processing integrity, online privacy, and confidentiality.
  13. Managing the Risk Option 3
     Agreed Upon Procedures: Customized report on management's assertion of controls. Can include standardized framework controls such as COSO, COBIT, ISO-27001.
  14.
  15. Inclusive of a Team
     Team Members
     • IT
     • Procurement
     • Legal
     • External / Internal Audit
     • Compliance
     • Privacy
     • Ethics
  16. Think Before You Drink!
     • Do you have external security scans/assessments?
     • Can you provide your last two tabletop results plus DR plan?
     • Is there an escrow agreement?
     • How do you meet PCI, GLBA, HIPAA, etc.?
     • Are there breach notification requirements in the T&Cs?
     • Do you have provisions for privacy requirements?
     • How does your attest offering cover my use of the service?
     • Can my internal/external audit teams access the facilities?
     • Will your Development/Engineering follow my standards?
     • Are there subcontractors and how do you manage them?
     Outsourcing
  17. Thank You