In today’s environment, companies want transparency in everything they purchase, and application and software developers are being asked for more information on compliance. You can see this in your clients’ increasing requests that you document and prove you have reliable controls over your software development life cycle before they will use your software. Your clients and their auditors are testing an assortment of internal controls in software development. These include controls over segregation of duties and change management functions, as well as separation of the development, testing, and production environments. The SAS 70 / SSAE 16 / SOC 2 audit is a great way to complete one examination and show all your current and prospective clients how secure your software and system are.
Your products offer clients great efficiency and allow them to focus on growing their business. In many cases, your clients want assurance that the services provided by your software and applications are delivered in a manner that ensures the information processed by the software is handled accurately and consistently. Should a problem arise with the software, your clients need the ability to create service tickets and know the tickets will be assigned, tracked, escalated (as appropriate), and completed as quickly as possible to keep the software running. If you offer Software as a Service (SaaS), the services you provide or manage must be available during the agreed-upon times.
In addition to the application itself, your clients want assurances that your entire system, which produces the application, is secure. Your system encompasses all areas of your company used to create the application, including:
- Infrastructure – The physical and hardware components of a system (facilities, equipment, and networks)
- Software – The programs and operating software of a system (systems, applications, and utilities)
- People – The personnel involved in the operation and use of a system (developers, operators, users, and managers)
- Procedures – The automated and manual procedures involved in the operation of a system
- Data – The information used and supported by a system (transaction streams, files, databases, and tables)
All of these components of your system allow you to create and manage the entire development and troubleshooting process. These components ensure that the following principles are met completely, accurately, and securely:
- Security – The software (and entire system) is protected against unauthorized access (both physical and logical)
- Availability – The software is available for operation and use as committed or agreed upon
- Processing Integrity – Software processing is complete, accurate, timely, and authorized
- Confidentiality – Information designated as confidential is protected as committed or agreed upon
- Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with applicable client needs, laws, and/or regulations.
In most software companies, NOT ALL of the principles above will be relevant. Assure Professional will assist you in determining which principles are within the scope of the audit.
We want to be your partner. For additional information, please Contact Us.