>>P.S. regarding the other point made in a different comment and provide a geek 
>>comment... If a vendor says they are SAS 70 certified, I'd ask them what it 
>>got replaced with because SAS 70 is the old wording>>

The security PDF says they are transitioning from SAS 70 to SOC2.  

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Susan Bradley
Sent: Wednesday, July 23, 2014 2:09 AM
To: [email protected]
Subject: Re: [NTSysADM] I'm sure you've heard already...

You use the phrase "how I want to buy a service" which is what I'm 
struggling over.   I don't have departments in my firm and thus don't 
consider employing someone to do a task as "buying" the service which is I 
think where the misunderstanding is starting out from.

For some items, like utilities, where it doesn't have a confidentiality issue, 
I buy the service in the manner that it's given to me and think nothing of it.  
For others, like legal services, in my firm we hire the 
Attorney and his reputation and sign an engagement letter.   I'm not 
always "buying a service" in my mind.  I engage another human being that 
I trust.   It's not a commodity, it's still a relationship.

In my personal space "how you want to buy a service" isn't the question I start 
with (and apologies as that's what I'm stumbling over).  For some small 
businesses the question is how cheap they can get a service 
for.   For others, like mine, it's more of this fuzzy "am I comfortable 
in hiring someone that I don't have direct control over".  It's not necessarily 
'how to buy' but 'do we hire'?

Neither one of us is talking rubbish, we just are coming with different 
backgrounds (and hopefully providing useful links or food for thought along the 
way).

http://www.csoonline.com/article/2126003/compliance/sas-70-replacement--ssae-16.html

On 7/22/2014 10:21 PM, Ken Schaefer wrote:
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Susan Bradley
> Sent: Wednesday, 23 July 2014 3:11 PM
> To: [email protected]
> Subject: Re: [NTSysADM] I'm sure you've heard already...
>
>> You have an RFP, a contract.  I have a eula I click through.  I still say 
>> you have more negotiating power.
> None the less, we still have to ask the same question before buying. 
> You can't get anything after you sign a contract
>
>> We print tax returns with potential identity theft information as well
>> as potential sensitive business documents.   For my firm, Kinkos is not
>> even an option and honestly wouldn't even be considered in the analysis.
>>
>> We have one wifi printer for clients, we don't do wifi enabled printers in 
>> the lan, so the wifi standard hasn't really come up.
> I think you're missing the point - it's not about Kinkos or WiFi - that was 
> just an "illustrative example". Surely you do not need me to give you 
> hundreds of examples until you find one that fits your personal 
> circumstances? Either you agree or disagree with the wider point. How about 
> having a discussion about that? If you think I'm talking rubbish, then just 
> say so, and why, and I will stop wasting my breath.
>
>
>
>
> On 7/22/2014 10:01 PM, Ken Schaefer wrote:
>> There's nothing you've written below that indicates that your space is any 
>> different to mine. We have to ask questions up-front as well - we don't get 
>> to change things once a contract's been signed either.
>>
>> How you want to buy a service is something you need to decide before you 
>> even go look at a EULA is my point. When you decide you need to produce some 
>> printed material, is the first thing you do "read a EULA"? Or is it decide 
>> whether to have a printer internally vs. using the local Kinkos/print house? 
>> I'd say that the latter question is far more important than worrying whether 
>> a printer supports your WiFi security standard.
>>
>> Cheers
>> Ken
>>
>> -----Original Message-----
>> From: [email protected] 
>> [mailto:[email protected]] On Behalf Of Susan Bradley
>> Sent: Wednesday, 23 July 2014 2:48 PM
>> To: [email protected]
>> Subject: Re: [NTSysADM] I'm sure you've heard already...
>>
>> In small business we click yes to a eula.  We don't get the ability to set 
>> the requirements as the software vendors don't give us options so we must 
>> ask the questions from the get go because we don't get the right to change 
>> anything.  We either buy or don't buy the software.
>>
>> It's just a different space is all.
>>
>>
>> On 7/22/2014 8:07 PM, Ken Schaefer wrote:
>>> -----Original Message-----
>>> From: [email protected] 
>>> [mailto:[email protected]] On Behalf Of Susan Bradley
>>> Sent: Wednesday, 23 July 2014 12:49 PM
>>> To: [email protected]
>>> Subject: Re: [NTSysADM] I'm sure you've heard already...
>>>
>>>> I just called up my cable company to reconfigure my ever increasing cable 
>>>> bill and renegotiated the costs.
>>>> So the idea that cloud services has a defined cost structure I would 
>>>> debate on.
>>> I didn't say you couldn't negotiate, or that they don't have different 
>>> service offerings.
>>>
>>> But you don't have to work out what you're paying for their buildings, their 
>>> network, their labour, their taxes, their advertising, their monitoring and 
>>> so on, and so on.
>>>
>>> You pay $x/month, and you get a set of defined services (e.g. for a 
>>> telco it might be 500 minutes, 500 text messages, voicemail and 5GB 
>>> of data - I don't really know what cable providers provide)
>>>
>>>> As the vendors themselves stop developing premises based software - 
>>>> (and this is the key movement I see in the SMB space) - because 
>>>> it's cheaper for them (less support for us pesky desktops with lord 
>>>> knows how many versions of OS), easier for them to build the 
>>>> infrastructure where they want it, and better for them as they can plan on 
>>>> the revenue subscription model.  As Rod said, it's the app model taking 
>>>> over.
>>> No, it's not the "app model" - it's "services". There is nothing 
>>> particularly special about most IT - it's just services. Has the whole IT 
>>> Service Management bandwagon passed this list by?
>>>
>>> Your company buys marketing services, legal services, property 
>>> management services, utility services (gas, electricity, water), 
>>> cleaning services, recruitment services and any other number of 
>>> "services" today. Most of IT, except a continually evolving core 
>>> that provides business differentiation, will also be bought as services.
>>> [1]
>>>
>>> It could be provided internally by an internal service provider 
>>> (just like some companies have internal legal departments, and 
>>> internal marketing departments), or it could be provided by an 
>>> external service provider (outsourcer or cloud)
>>>
>>>> Ask the hard questions of the vendors ... Ask who has the 
>>>> encryption keys, etc etc
>>> Who has the encryption keys is a details thing. First you need to know what 
>>> service you want and how much it's worth to you and how you want to buy it 
>>> - this is your service architecture. Implementation details are something 
>>> you can work out in your detailed requirements phase.
>>>
>>> Working out /how/ you want to buy a service is a much harder question than 
>>> who has encryption keys.
>>>
>>> Cheers
>>> Ken
>>>
>>> [1] the whole network/systems/security admin jobs are disappearing theme 
>>> that crops up here every so often is related to this, IMHO. Those types of 
>>> roles aren't particularly necessary for a lot of in-house environments any 
>>> more. Instead, they'll be provided as part of a service (again, by an 
>>> internal SP, or external SP). There may be a few environments (e.g. we have 
>>> some payments apps, that $1bn+/day pass through) which need dedicated 
>>> infrastructure BAU people.
>>>




