In selecting a vendor, and in evaluating what services and data you can entrust to the vendor, you need both criteria and a methodology. In general, information technology is evaluated by reference to two applicable standards, SAS 70 and ISO 27001. SAS 70, especially, has become the measure of cloud security. We consider ISO 27001 first.
ISO 27001 is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 -- Information technology -- Security techniques -- Information security management systems -- Requirements, but it is commonly known as “ISO 27001”.
Compliance with ISO 27001 requires that management:
SAS 70 (Statement on Auditing Standards No.70): Service Organizations
The Statement on Auditing Standards No. 70, commonly known as SAS 70, is an auditing statement put forth by the Auditing Standards Board as designated by the American Institute of Certified Public Accountants (AICPA). Over the years, more than 110 “SAS” have been issued, covering a number of critical subjects in auditing.
SAS 70 is part of the AU Section 324 Codification of Auditing Standards, which is used to report on controls placed in operation and on the testing of the operating effectiveness of those controls. Put simply, it is a widely used compliance audit for assessing the internal control framework of service organizations that provide critical outsourcing activities for other entities. Introduced in 1992, SAS 70 audits were used throughout the early and mid-1990s. They are still used for traditional purposes, such as evaluating a service organization’s services when those services are part of the user organization’s information system:
For example, if the ABC company used the XYZ company, which is a service organization, to perform and conduct transactions and procedures that are considered significant to the ABC company’s “information system” or business environment, then the XYZ service organization would need to be SAS 70 compliant.
Think of it as an audit that examines and tests the characteristics of internal controls at service organizations. Service organizations are the entities that undergo the SAS 70 audit. Who requires the audit to be done, and why? Generally speaking, compliance legislation in recent years has revolved around corporate governance and the ability to maintain a strong mechanism of internal controls within organizations. Laws such as the Sarbanes-Oxley Act of 2002 (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA) have emphasized themes such as governance, privacy, security, confidentiality, and segregation of duties.
ANAB Accreditation for ISO/IEC 27001 Information Security Management Systems.
Type I and Type II Audits
Initially, service organizations undergo a SAS 70 Type I audit, gradually migrating towards Type II compliance in subsequent years. The main difference between the two “types” (I vs. II) is that a Type II requires a “testing period”, that is, a generally accepted time frame (usually no less than six months) during which testing is conducted on the service organization’s control environment. A Type I, on the other hand, covers only a specified date, with no testing period whatsoever.
At the end of the audit, the service auditor issues an important report called the Service Auditor’s Report:
Type II reports are more thorough, because the auditor gives an opinion on how effectively the controls operated over the defined review period. A Type I report only lists the controls, whereas a Type II report tests the efficacy of those controls to reasonably assure that they are working correctly. Because Type II reports require a much more thorough audit, they are usually much more expensive.
All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd