Thank you. Questions.
What are the parts of a SysTrust?
How should DR be assessed with your outsourcing partner?
Do external auditors determine if a SAS-70 is sufficient?
What qualifies for a SAS-70?
If a breach occurs, is the outsourcer held accountable, or is it the end customer?
The 10 Things You Need To Ask Your Outsourcing Partner (ISACA Dublin, 05052010, no notes)
The 10 Things You Need to Ask Your Outsourcing Partner
Timothy Youngblood
Dell, Inc.
Managing the Risk: Option 1
SAS-70 Type 1 or Type 2
Report on the adequacy of the design and/or effectiveness of controls, performed for a service organization on behalf of its customers by an independent auditor.
*SAS-70 is scheduled to be superseded by ISAE 3402, as proposed by the International Auditing and Assurance Standards Board (IAASB), for reporting periods ending after June 15, 2011.
Managing the Risk: Option 2
Trust Principles (SysTrust, WebTrust)
Report on IT-enabled systems, including e-commerce systems. It is particularly relevant when providing services with respect to security, availability, processing integrity, online privacy, and confidentiality.
Managing the Risk: Option 3
Agreed Upon Procedures
Customized report on management's assertion of controls. Can include standardized framework controls such as COSO, COBIT, and ISO 27001.
Inclusive of a Team
Team Members
IT
Procurement
Legal
External / Internal Audit
Compliance
Privacy
Ethics
Think Before You Drink!
Do you have external security scans/assessments?
Can you provide your last two tabletop exercise results plus your DR plan?
Is there an escrow agreement?
How do you meet PCI, GLBA, HIPAA, etc.?
Are there breach notification requirements in the T&Cs?
Do you have provisions for privacy requirements?
How does your attest offering cover my use of the service?
Can my internal/external audit teams access the facilities?
Will your Development/Engineering follow my standards?
Are there subcontractors, and how do you manage them?