SAS70 Type II certified

SaaSplaza has implemented the following certification and auditing principles:

  • Vendor certifications, including Microsoft Gold Partnership as well as Cisco, Oracle and other product certifications, both for the organization as a whole and for the individual support engineers. These ensure that personnel are qualified to operate the systems and software of these vendors, that SaaSplaza is entitled to receive vendor support, and that adequate knowledge of these vendors' products, procedures and architecture is in place.
  • The Trust Services control set, a set of controls targeted at maintaining adequate confidentiality, security and availability of systems and services in an online environment.
  • The SAS-70 type II auditing standard, which is used to verify that SaaSplaza's information technology and related processes, as far as they have an impact on the services delivered by SaaSplaza to its customers, are tested against the Trust Services control set. The SAS-70 audit is executed by an independent and registered auditor who is qualified and entitled to use the SAS-70 seal.

These certification and auditing standards are complementary: all three of them are necessary to ensure that the SLA claims can be met.

Vendor certifications ensure that the control “maintain adequate vendor and product knowledge” is in place. Without vendor certification there is no objective way to prove that SaaSplaza operates its systems and software according to these vendor requirements and recommendations.

Trust Services provides a control framework that, in the opinion of the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), must be in place to maintain adequate availability and security of online systems; hence without such a control set it is not clear how SaaSplaza can actually maintain security and availability of its IT systems.

SAS-70 is an auditing standard that is often used to support SOX compliance. SAS-70 in itself does not constitute a certification; a SAS-70 audit results in a statement made by an auditor. A SAS-70 audit comes in two flavors: type I and type II. Type I ensures that controls are in place (in place and implemented as of a specific date); type II ensures that these controls operate effectively during a certain period.
With a SAS-70 audit on their IT processes, public companies can demonstrate that they have taken measures to prevent adverse effects on their financial statements caused by flawed processes and IT systems. Conversely, without a SAS-70 statement there is no evidence that relevant management controls operate effectively.