----- Original Message -----
> From: "Keith Weitz" <[email protected]>
> To: [email protected]
> Sent: Saturday, April 7, 2012 6:01:29 PM
> Subject: [lopsa-discuss] Process documentation and ssae 16
>
> As a new director for a hosting/managed service provider, I've been
> tasked with documenting process/procedure and looking into getting
> ssae 16 certified if possible. Can anyone recommend any books on
> writing IT processes and procedures? I've found some materials on the
> ssae 16 website, but I'm looking for some best practices on how to
> document IT operations. I've seen a number of different methodologies
> as well and am wondering which methods have worked and why.
>
> Any help or suggestions are appreciated.
My recommendation would be to simply start defining and writing down every IT process you perform. Then, add as much detail as you think is useful to an employee that would need to review the documentation and execute the process with little to no instruction. Then, if you want something more formal, research ITIL and/or ISO 20000 (I think).

I'm not familiar with any formal sources that may be useful for this, but having participated in 2 SSAE16 (formerly SAS70) reviews, I can tell you that much of what was required in terms of documentation was defined by the auditing firm that performed our review. There are no checklists to follow nor any standards to adhere to (i.e. it's not a certification). The result of the review is a document from a 3rd party (the auditors) attesting that you do (or don't) do what you say you do, with respect to IT operations (i.e. routine data backups). They typically make recommendations for improvement if they find anything noteworthy, and that is usually based on their past experiences with companies in industries similar to yours.

In general, I found the process to be somewhat loose with respect to the content of the review, but the review itself was strict with respect to ensuring the attestation would be satisfactory. And this is where the SSAE16 process, for me, seemed a bit of kabuki theater. The goal is to achieve a positive attestation. There are occasions where the auditor might recommend modifying a process document such that it doesn't claim you do something if you, in fact, do not do that thing. That, in and of itself, is not problematic. If you claim to do something, but don't, that must be reflected in the attestation. However, that doesn't help you maintain your IT operations. As I said earlier, the attestation simply states that a 3rd party has confirmed you do what you say you do, not that you're doing that thing (correctly|efficiently|by following standards).
Ryan

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
