Compliance

Effective & Successful Audits

Service providers that host or process data belonging to their customers today need to demonstrate control. Especially if the customer is subject to SOX or other regulatory or internal compliance demands, service providers will be required to show how they operate and protect themselves. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an auditing standard developed by the American Institute of Certified Public Accountants (www.aicpa.org) that has evolved into a well-accepted standard for best practice among service providers.

The goal is often a marketing document to persuade current and potential customers, investors and others. Like ISO standards, SAS-70 does not specify a checklist of items that eventually leads to a "passed" or "not passed" audit. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting, which are materialized in two kinds of reports and audits: Type I and Type II. Type I tells you about your organization's processes and control objectives at one specific point in time, while the Type II report assesses the quality of internal control performance over time.

What can CFEngine do?

Thanks to the CFEngine policy language, describing, executing and verifying controls comes easily. Service organizations use CFEngine to manage various checks. Information security, access control, user management and application-service management are areas in which control can be defined and managed by CFEngine.

The road to SAS-70 compliance includes engaging a Service Auditor to help your organization through the process. In the end, it is often the same Service Auditor that conducts the tests and issues the Service Auditor's Report. We assist you in automating checks that you and your auditor deem applicable.
