How The Rise Of SaaS Relates To SOX, SAS 70 & Your Legal Contracts

Tuesday, January 29, 2008 by Mistlee



01.29.08

By Amanda Finch

The growing popularity of Software-as-a-Service (SaaS) is having a significant impact on data security and regulatory compliance.

Most companies are concerned, and rightly so, about the legal and security issues raised when company data is located outside their firewall. This article will explain:

• What you must include in your legal contracts to protect your company against Sarbanes-Oxley (SOX) compliance violations

• What SAS 70 Audit Types I and II are, and how they help ensure that companies protect your data

• How to guard yourself against the "1,000 social security numbers on a lost laptop" problem

SaaS is Here to Stay

Software-as-a-Service is increasingly popular, and for good reason. Its advantages include a greatly reduced time-to-deployment, low upfront costs (for less approval-process drag), and much less need for scarce IT staff involvement. The result is lower business risk by eliminating "bet-the-company" deployment steamrollers, unpredictable cost spikes, and upgrade or maintenance nightmares. For these and other reasons, major industry analysts predict that 25% of business software will be delivered under the SaaS model by 2011.

The upside to SaaS is tremendous. But the business rewards that SaaS brings are not completely without risk. As companies think about bad things that can happen to their data, they often consider these: "phishing" or social engineering targeting the SaaS vendor; insufficient uptime and/or scalability of the solution; unplanned maintenance outages; theft of data by SaaS vendor employees; and external system attacks.

SaaS is not necessarily more risky than implementing your own in-house solutions. In fact, it is often much less so when you account for opportunity costs, reduced business agility, and ongoing maintenance. Nevertheless, it is reckless to ignore or overlook a SaaS vendor's operational and business risk potential. So what can you do to ensure that your company can reap the rewards of SaaS while tightly managing the risks?

First, realistically and systematically assess the risks. What kind of company data will be contained in this particular SaaS system? Then, match the level of risk management to the level of data sensitivity or importance.

SaaS and SOX

Publicly traded companies have a particular concern about SaaS: its impact on Sarbanes-Oxley (SOX) regulatory requirements. The SOX Act holds signing officers responsible for the fairness and completeness of their company's financial statements. They are also held responsible for the state of the company's internal controls, and must report any deficiencies. An internal control is a process designed to reasonably assure that objectives can be met in the following categories: financial reporting reliability, operational effectiveness and efficiency, and compliance with applicable laws and regulations.

If SaaS solution data touch the company's financial statements, the company is responsible for the controls on that software service. This is a daunting prospect for IT executives and staff, whose jobs are on the line where IT controls are concerned. Evaluating and assuring your own controls is one thing, but how can you be sure about your SaaS vendor's controls?


About the Author:
Amanda Finch is CEO of A.D.V. Group, a company that helps executive and management teams develop and execute partnership and alliance strategies. Drawing on her expertise in application development, program management and business development, she understands the need to minimize "organizational drag" while maximizing effectiveness. As CEO of A.D.V. Group, Finch also acts as director of strategic alliances for Journyx in a contractor role. Finch formulates alliance strategy that is aligned with Journyx corporate strategy and develops alliance programs to execute strategy and drive revenue. Ms. Finch is a Certified Project Manager with eighteen years of professional experience and has managed projects for numerous industry and government clients.

About ITProNews
News and updates for the IT professional

-- ITProNews is an iEntry, Inc. publication --