Surviving a SAS 70 Audit Depends on Your Approach
May 2009
Online Tech Shares 5 Tips Learned Through Its SAS 70 Audit
(Ann Arbor, MI – May 19, 2009) Audits create natural apprehension. They take significant effort and often result in required updates to your infrastructure and policies. A SAS 70 audit is no different. The SAS 70 audit process includes an in-depth examination of the effectiveness of a data center’s security and internal control processes. Online Tech, Michigan’s largest managed data center operator, has successfully survived (and in fact thrived) through a number of SAS 70 audits. Online Tech recently completed an audit of all three of its data centers and has also helped a number of its colocation and dedicated server clients survive their own SAS 70 audits. From both the auditee’s and the service provider’s perspective, Online Tech offers five key tips for not only surviving a SAS 70 audit, but thriving as a result of it. (See Online Tech’s e-Tips for a complete version.)
Tip # 1 – You Need Executive Sponsorship to Survive
A successful SAS 70 audit begins with one or more executives committing the corporate will to the cause. Often the SAS 70 audit is assigned to the security department or an IT staffer, but in reality, security is everyone’s job. Only an executive has the perspective and authority to make changes that affect everyone’s job. Successfully ingraining security or reliability throughout an organization requires a company-wide, cross-department perspective that is the purview of executive leadership. Online Tech’s CEO and CFO worked closely with its auditors and the entire organization to ingrain the proper attitudes. They began by articulating the motivation for the audit to the entire company, rallying the staff around the process and gaining their acceptance of the procedures and structures that SAS 70 requires. The result was positive, as new procedures and practices were deployed on behalf of the audit. This would not have happened without executive sponsorship for SAS 70.
Tip #2 – The Scope Will Make or Break You
The SAS 70 audit covers the controls you claim to have. However, there are no standards for those controls. To control the scope of the audit you need to control the scope of your claim. Claim too little and the auditor’s opinion on your controls will be weak. Claim more than you can reliably deliver every time and you will fail the audit. It can be helpful to craft the controls to address the core motivation for the audit. If the motivation is to assure superior service delivery, then the list of controls should be complete enough to ensure that superior service. Online Tech’s core motivation was to deliver a reliable and repeatable set of secure data and network services for its colocation and dedicated server clients, so the company designed its controls to assure reliability, repeatability and security.
Tip # 3 – 1% Vision and 99% Process - The Process Really Counts
Change management is one of the most important policies. It describes how the organization manages changes to critical components. Online Tech documented its change management procedure and summarized it in the acronym PACT: Plan, Approve, Change, and Test. The details of the process are determined by the category of the change.
The company has four categories of change, determined by the severity and risk of the change itself, and a separate change category for emergency situations.
Tip #4 - Technology Can Amplify Your Success or Failure
Automating workflow with a database and email integration can help you reduce operating costs and increase the quality of your controls. Online Tech took advantage of the audit to automate a number of business processes to assure repeatability and eliminate human error. The company automated the necessary logging and change management tools, and as a result, improved its infrastructure and reduced its operating costs.
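The PACT sequence from Tip #3 and the automated, logged change tooling from Tip #4 are easier to reason about as a small state machine. The following is an added illustration, not Online Tech’s or UHY’s code. The page does not name the four change categories, the severity/risk thresholds that select them, or how many approvals each needs, so the category names, the thresholds in categorize(), the REQUIRED_APPROVALS table, the emergency track (change first, approve afterwards) and the separation-of-duties rule (an approver may not perform the change) are all assumptions. The record refuses any step taken out of PACT order and writes one audit-log entry per action.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Category(Enum):
    """Four risk-based categories plus a separate emergency track (names assumed)."""
    STANDARD = "standard"
    MINOR = "minor"
    MAJOR = "major"
    CRITICAL = "critical"
    EMERGENCY = "emergency"


# Assumed policy table: distinct approvers each category needs (0 = pre-approved).
REQUIRED_APPROVALS = {
    Category.STANDARD: 0,
    Category.MINOR: 1,
    Category.MAJOR: 2,
    Category.CRITICAL: 3,
    Category.EMERGENCY: 1,  # obtained after the change; see EMERGENCY_ORDER
}

PACT_ORDER = ("plan", "approve", "change", "test")
EMERGENCY_ORDER = ("plan", "change", "test", "approve")  # approve retroactively


class PactError(Exception):
    """Raised when an action would violate the PACT sequence or a control."""


def categorize(severity: int, risk: int, emergency: bool = False) -> Category:
    """Map 1-5 severity and 1-5 risk scores to a category (thresholds assumed)."""
    if not (1 <= severity <= 5 and 1 <= risk <= 5):
        raise ValueError("severity and risk must be in 1..5")
    if emergency:
        return Category.EMERGENCY
    score = severity * risk
    for limit, cat in ((2, Category.STANDARD), (6, Category.MINOR), (12, Category.MAJOR)):
        if score <= limit:
            return cat
    return Category.CRITICAL


@dataclass
class ChangeRecord:
    change_id: str
    title: str
    category: Category
    approvers: set = field(default_factory=set)
    completed: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    @property
    def steps(self) -> tuple:
        """PACT steps this record must pass; pre-approved categories skip 'approve'."""
        order = EMERGENCY_ORDER if self.category is Category.EMERGENCY else PACT_ORDER
        if REQUIRED_APPROVALS[self.category] == 0:
            return tuple(s for s in order if s != "approve")
        return order

    def next_step(self):
        done = len(self.completed)
        return self.steps[done] if done < len(self.steps) else None

    def is_closed(self) -> bool:
        return self.next_step() is None

    def _log(self, actor: str, event: str) -> None:
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "change_id": self.change_id, "actor": actor, "event": event})

    def advance(self, step: str, actor: str) -> bool:
        """Record one action; return True once that PACT step is complete."""
        expected = self.next_step()
        if step != expected:
            raise PactError(f"{self.change_id}: expected {expected!r}, got {step!r}")
        if step == "approve":
            if actor in self.approvers:
                raise PactError(f"{actor} already approved {self.change_id}")
            self.approvers.add(actor)
            self._log(actor, "approved")
            if len(self.approvers) < REQUIRED_APPROVALS[self.category]:
                return False  # still waiting on more approvers
        else:
            # Assumed separation-of-duties control: an approver may not implement.
            if step == "change" and actor in self.approvers:
                raise PactError(f"{actor} approved {self.change_id} and cannot implement it")
            self._log(actor, f"step:{step}")
        self.completed.append(step)
        return True

    def audit_jsonl(self) -> str:
        """One JSON object per line, ready to ship to a log store or ticket system."""
        return "\n".join(json.dumps(e) for e in self.audit_log)


def run_example() -> ChangeRecord:
    """Constructed walk-through: a major change needing two approvers."""
    rec = ChangeRecord("CHG-0001", "Core switch firmware upgrade", categorize(4, 3))
    rec.advance("plan", "alice")
    rec.advance("approve", "bob")
    rec.advance("approve", "carol")
    rec.advance("change", "alice")
    rec.advance("test", "dave")
    return rec
```

Wiring advance() to a ticket database and audit_jsonl() to email or a log pipeline is what turns the documented PACT procedure into the repeatable, auditor-friendly evidence trail the tip describes; the auditor can then sample closed records and check that every one carries plan, the required approvals, change and test entries in order.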
Tip # 5 - Choose Your Partner Carefully and Be a Good Partner Back
In Online Tech’s experience, a SAS 70 audit requires a well-coordinated team of data center, network and process experts. Not many organizations have all these skills. Online Tech chose UHY LLP, a large CPA firm with a national data center auditing practice, to benefit from its expertise and experience working with a broad set of data centers.
Conclusion – Survive or Thrive? It’s Your Choice
In the long run, the approach you take to the audit determines whether you just survive, or whether your data center operation thrives because of the SAS 70 audit. The attitude spectrum ranges from “how little can we get away with?” to “let’s do this right – this is going to make us better.” Online Tech found that with the right attitude you can increase not only the commitment of the entire organization to a higher-quality process, but also the rate and quality of information you can provide to the auditors. With better, faster information, the auditors are more efficient and effective, leaving more time for suggesting improvements and increasing the quality of services the company delivers to its Michigan colocation and dedicated server clients.
About Online Tech
Online Tech (www.onlinetech.com) is Michigan’s premier Managed Data Center Operator. Online Tech helps companies manage their growing demand for data and computing capacity through its SAS 70 secure and reliable multi-tenant data centers. With a full range of colocation, dedicated server hosting and managed service options, industry leaders trust Online Tech to ensure their servers are always on, always online, and always safe.