
The 10 Things You Need To Ask Your Isaca Dublin 05052010 No Notes


Presentation on managing the risk of outsourcing, SaaS, PaaS, etc.



  1. The 10 Things You Need to Ask Your Outsourcing Partner
     Timothy Youngblood, Dell, Inc.
  2. This isn't new
  3. Approaches to Delivery: SaaS, Cloud, PaaS
  4. New Tech Driving Change
  5. Reduced Sales Cycles: $$$, The Enterprise, SalesForce.com example
     http://www.youtube.com/watch?v=ae_DKNwK_ms&feature=related
  6. Key Assumptions 1 & 2
  7. Key Assumptions 3 & 4
  8. Key Assumptions 5 & 6
  9. Key Assumptions 7 & 8
  10. Key Assumptions 9 & 10
  11. Managing the Risk, Option 1: SAS-70 Type 1 or Type 2
      Report on the adequacy of the design and/or effectiveness of controls, performed for a service organization on behalf of its customers by an independent auditor.
      *SAS-70 is scheduled to be superseded by ISAE 3402, as proposed by the International Auditing and Assurance Standards Board (IAASB), for reporting periods ending after June 15, 2011.
  12. Managing the Risk, Option 2: Trust Principles (SysTrust, WebTrust)
      Report on IT-enabled systems, including e-commerce systems. Particularly relevant when providing services with respect to security, availability, processing integrity, online privacy, and confidentiality.
  13. Managing the Risk, Option 3: Agreed Upon Procedures
      Customized report on management's assertion of controls. Can include standardized framework controls such as COSO, COBIT, ISO 27001.
  14. (slide contains no text)
  15. Inclusive of a Team
      Team members: IT, Procurement, Legal, External/Internal Audit, Compliance, Privacy, Ethics
  16. Think Before You Drink! (Outsourcing)
      • Do you have external security scans/assessments?
      • Can you provide your last two tabletop exercise results plus your DR plan?
      • Is there an escrow agreement?
      • How do you meet PCI, GLBA, HIPAA, etc.?
      • Are there breach notification requirements in the T&Cs?
      • Do you have provisions for privacy requirements?
      • How does your attest offering cover my use of the service?
      • Can my internal/external audit teams access the facilities?
      • Will your Development/Engineering follow my standards?
      • Are there subcontractors, and how do you manage them?
  17. Thank You
      Timothy_Youngblood@dell.com