On Sun, 8 Apr 2012, Ryan Frantz wrote:
----- Original Message -----
From: "Keith Weitz" <[email protected]>
As a new director for a hosting/managed service provider, I've been
tasked with documenting process/procedure and looking into getting
ssae 16 certified if possible. Can anyone recommend any books on
writing IT processes and procedures? I've found some materials on the
ssae 16 website, but I'm looking for some best practices on how to
document IT operations. I've seen a number of different methodologies
as well and am wondering which methods have worked and why.
Any help or suggestions are appreciated.
In general, I found the process to be somewhat loose with respect to the
content of the review but the review itself was strict with respect to
ensuring the attestation would be satisfactory. And this is where
the SSAE16 process, for me, seemed a bit of kabuki theater. The goal is
to achieve a positive attestation. There are occasions where the
auditor might recommend modifying a process document such that it
doesn't claim you do something if you, in fact, do not do that thing.
That, in and of itself, is not problematic. If you claim to do
something, but don't, that must be reflected in the attestation.
However, that doesn't help you maintain your IT operations. As I said
earlier, the attestation simply states that a 3rd party has confirmed
you do what you say you do, not that you're doing that thing
(correctly|efficiently|by following standards).
It's important to realize what these certifications do and don't check.
In short, they don't care what you are actually doing; all they care about
is that if you claim to be doing something, you are actually doing it.
Certification-wise, you are better off saying that you do trivial stuff
and then being able to document that you are doing it, rather than saying
that you are trying to do something much better, but then not doing it
100% of the time (even if you are still doing the simple thing properly).
David Lang
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/