Online Tech, Michigan’s largest managed data center operator, has successfully survived (and in fact thrived) through a number of SAS 70 audits. Online Tech recently completed an audit of all three of its data centers and has also assisted a number of its colocation and dedicated server clients in surviving their own SAS 70 audits. From both the auditee’s and the service provider’s perspective, Online Tech offers five key tips for not only surviving a SAS 70 audit, but thriving as a result of it. (See Online Tech’s e-Tips for the complete version.)
Tip #1 – You Need Executive Sponsorship to Survive
A successful SAS 70 audit begins with one or more executives committing the corporate will to the cause. Often the SAS 70 audit is assigned to the security department or an IT staffer, but in reality, security is everyone’s job. Only an executive has the perspective and authority to make changes that affect everyone’s job. Ingraining security or reliability throughout an organization requires a company-wide, cross-department perspective that is the purview of executive leadership.
Online Tech’s CEO and CFO worked closely with its auditors and the entire organization to ingrain the proper attitudes. They began by articulating the motivation for the audit to the entire company, rallying the staff around the process and gaining their acceptance of the procedures and structures that SAS 70 requires. The result was positive: new procedures and practices were deployed on behalf of the audit. This would not have happened without executive sponsorship for SAS 70.
Tip #2 – The Scope Will Make or Break You
The SAS 70 audit covers the controls you claim to have. However, there are no standards for those controls. To control the scope of the audit you need to control the scope of your claim. Claim too little and the auditor’s opinion on your controls will be weak. Claim more than you can reliably deliver every time and you will fail the audit.
It can be helpful to craft the controls to address the core motivation for the audit. If the motivation is to assure superior service delivery then the list of controls should be complete enough to ensure that superior service. Online Tech’s core motivation was to deliver a reliable and repeatable set of secure data and network services for its colocation and dedicated server clients, so the company designed its controls to assure reliability, repeatability and security.
Tip #3 – 1% Vision and 99% Process – The Process Really Counts
Encryption, firewalls, intrusion detection, anomaly prevention and a plethora of other technologies provide a robust suite of security tools for network protection. Unfortunately, this entire security net can be undone by a few incidents of poor practice, intentional or not. Common culprits are weak and seldom-changed passwords, typos during a configuration change to critical infrastructure, and out-of-date documentation. For this reason, a well-designed set of controls must address policies and adherence to them.
Change management is one of the most important policies. It describes how the organization manages changes to critical components. Online Tech documented its change management procedure and summarized it in the acronym PACT: Plan, Approve, Change, and Test. The details of the process are determined by the category of the change.
The company has four categories of change, determined by the severity and risk of the change itself, and a separate change category for emergency situations.
Tip #4 – Technology Can Amplify Your Success or Failure
The process controls are the toughest, and some of the most important, controls to have in place. The good news is that technology is great for automating the processes. If you automate a process properly, you can build the change management into it, such as logging of all changes, with no additional overhead.
Automating workflow with a database and email integration can help you reduce operating costs and increase the quality of your controls. Online Tech took advantage of the audit to automate a number of business processes to assure repeatability and eliminate human error. The company automated the necessary logging and change management tools, and as a result, improved its infrastructure and reduced its operating costs.
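As an added illustration of Tips #3 and #4 (example code, not Online Tech’s own tooling), the following Python sketch automates a PACT change record: every step is logged, steps are refused if attempted out of Plan, Approve, Change, Test order, and the approval count depends on the change category. The four risk tiers plus an emergency path come from the page; the approval counts and the no-self-approval rule are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class Category(Enum):
    # Four risk tiers plus a separate emergency path, as the page describes.
    LOW, MEDIUM, HIGH, CRITICAL, EMERGENCY = range(1, 6)

# Hypothetical approval policy (an assumption, not Online Tech's actual rule):
# riskier tiers need two approvers, everything else (emergencies included) needs one.
REQUIRED_APPROVALS = {c: 2 if c in (Category.HIGH, Category.CRITICAL) else 1 for c in Category}
PACT = ("plan", "approve", "change", "test")

class PactViolation(Exception):
    """A step was attempted out of PACT order or without the required authorization."""

@dataclass
class ChangeRecord:
    ident: str
    category: Category
    requester: str
    rollback: str = ""
    approvers: set = field(default_factory=set)
    log: list = field(default_factory=list)   # the audit trail an auditor would review
    done: list = field(default_factory=list)  # PACT steps completed so far, in order

    def _record(self, step, actor, detail):
        # Every completed step is logged; a step out of PACT order is refused, not logged.
        if PACT.index(step) != len(self.done):
            raise PactViolation(f"{self.ident}: '{step}' before '{PACT[len(self.done)]}'")
        self.done.append(step)
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(), "change": self.ident,
                         "step": step, "actor": actor, "detail": detail})

    def plan(self, actor, description, rollback):
        self.rollback = rollback
        self._record("plan", actor, f"{description} (rollback: {rollback})")

    def approve(self, approver):
        if approver == self.requester:
            raise PactViolation(f"{self.ident}: requester may not approve their own change")
        self.approvers.add(approver)
        if len(self.approvers) >= REQUIRED_APPROVALS[self.category]:
            self._record("approve", approver, f"approvers={sorted(self.approvers)}")

    def apply(self, actor, detail):
        self._record("change", actor, detail)

    def test(self, actor, passed):
        self._record("test", actor, "passed" if passed else f"FAILED; rollback: {self.rollback}")
        return passed
```

In a real deployment the `log` entries would be written to the database and mailed to the approvers, which is the integration the page describes.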
Tip #5 – Choose Your Partner Carefully and Be a Good Partner Back
SAS 70 audits are conducted by a CPA firm in conjunction with one or more data center experts. While many CPA firms are entering the SAS 70 audit market, many of the firms lack the technical competencies required to audit certain controls such as the physical data center and network. Understanding these controls requires someone with more than a CPA. It requires a technical understanding of the operating components of data centers and networks.
From Online Tech’s experience, it requires a well-coordinated team of data center, network and process experts. Not many organizations have all these skills. Online Tech chose UHY LLP, a large CPA firm with a national data center auditing practice, to benefit from its expertise and experience working with a broad set of data centers.
Conclusion – Survive or Thrive? It’s Your Choice
In the long run, the approach you take to the audit determines whether you merely survive, or whether your data center operation thrives because of the SAS 70 audit. The attitude spectrum ranges from “how little can we get away with?” to “let’s do this right; this is going to make us better.” Online Tech found that with the right attitude you can increase not only the commitment of the entire organization to a higher-quality process, but also the rate and quality of information you can provide to the auditors. With better, faster information, the auditors are more efficient and effective, leaving more time for suggesting improvements and increasing the quality of services the company delivers to its Michigan colocation and dedicated server clients.
About Online Tech
Online Tech (www.OnlineTech.com) is the leader in secure and compliant hosting services including private cloud hosting, managed cloud hosting, hybrid cloud hosting, managed dedicated servers, disaster recovery and offsite backup services, and Michigan colocation. Online Tech’s legacy of independent HIPAA, PCI, SAS 70 Type II, SSAE 16 Type II (SOC 1), SOC 2, and SOC 3 audits and reports ensures the security, privacy, and availability expected of a trusted service organization. For more information, call (877) 740-5028.