Service providers that host or process data belonging to their customers
today need to demonstrate control. Especially if the customer is under SOX or
other regulatory/internal compliance demands, service providers will be required to
show how they operate and protect themselves. Statement on Auditing Standards (SAS) No. 70,
Service Organizations, is an auditing standard developed by the American Institute of
Certified Public Accountants (www.aicpa.org),
which has evolved into a well-accepted standard for best practice among service providers.
The goal is often a marketing document to persuade current and potential customers, investors
and others. Like ISO standards, SAS-70 does not specify a checklist of items that eventually
lead to a passed or not-passed audit. Service auditors are required to follow the AICPA's
standards for fieldwork, quality control, and reporting, which are materialized in two kinds
of reports and audits: Type I and Type II. Type I tells you about your organization's processes
and control objectives at one specific point in time, while the Type II report assesses the
quality of internal control performance over time.
What can Cfengine do?
Thanks to the Cfengine policy language, describing, executing and verifying controls
comes easily. Service organizations use Cfengine to manage various checks. Information
security, access control, user management and application-service management are areas
in which control can be defined and managed by Cfengine.
The road to SAS-70 compliance includes engaging a Service Auditor to help your organization
through the process. In the end, it is often the same Service Auditor that conducts the tests
and issues the Service Auditor's Report. We assist
you in automating checks that you and your auditor deem applicable.
