Date: | Mon, 29 Nov 2010 15:53:22 -0500 |
On Mon, 29 Nov 2010, Angie Fares <[log in to unmask]> replied:
>If an SAS-70 Audit has not been performed, then we would look for an
>alternative certification that indicates informed independent third
>party review of control processes in the service provided. For example,
>if a shred provider did not have a SAS-70 Audit on file, then I would
>ask for NAID certification.
>
I think it would be critical to find out what NAID "certified against".
They have their own practice documents but they aren't 'standards', so is it
really a 'certification' or simply a review?
Does it relieve you as a service provider to a client of any obligations?
Would they (in this case, NAID) be willing to go to the mat for your client
if there was a problem?
SAS-70 is pretty strict in its criteria, so I don't know if you can really
accept "SAS-70 Lite" in lieu of the real deal.
Larry