WHITE PAPER

Quality in SAS® Solutions OnDemand

Providing Quality Analytic Cloud Solutions by Integrating High-Value Analytics, Optimized Infrastructure and the Right Expert at the Right Time



The information contained in this document is considered confidential and covered under the terms of any SAS agreements as executed by customer and SAS Institute Inc.

Contents

Overview  1
Quality Management System  1
Management Controls  2
  Communication  3
  Training  3
Continuity of Business Controls  4
Information Security Controls  4
  Data Privacy Controls  4
  Logical Security Controls  5
  Personnel Security Controls  6
  Physical Security Controls  7
Supplier Management Controls  8
Solution Delivery Controls  8
  Solutions Delivery Methodology (SDM)  8
  Software Configuration Management (SCM)  10
  Data Quality  10
  Quality Management Methodology (QMM)  11
  Software Quality Assurance (QA)  11
Document Controls  15
Change Controls  16
Hosting Operations Controls  17
  Remote Managed Software and Services (RMSS)  18
  Installation  18
  On-Call Support  18
  Monitoring  19
  Service-Level Availability  19
  Patch Management  19
  Maintenance  20
  Backup and Restore Procedures  21
  Media Secure Storage for SAS Data Centers  21
  Media Handling by IaaS Providers  22
Customer Care Controls  22
Incident and Problem Management Controls  23
  Incident Management  23
  Problem Management  24
Awards, Certifications and Quality Notes  25
  Continual Service Improvement  25
  SOC 2/SOC 3 Type II Processes and Controls  26
  TRUSTe Privacy Certification/US-EU and Swiss-US Privacy Shield Certifications  26
References  27

Overview

SAS Solutions OnDemand provides SAS Cloud Analytics delivered as software as a service (SaaS), results as a service (RaaS), remote managed software and services (RMSS), enterprise hosting, and other cloud analytics support and services for customers worldwide who want to deploy SAS solutions rapidly. The OnDemand team is an international, customer-focused division that integrates quality processes and controls into all areas of its organization. For more than 15 years, SAS Solutions OnDemand has established a successful track record of providing organizations with state-of-the-art outsourced applications, as well as the subject-matter experts to manage them. Although policies, processes and procedures are always evolving, the SAS Solutions OnDemand commitment to quality is constant.

The SAS Cloud Analytics offerings are:

• Based on the industry’s leading business analytics.

• Rooted in industry best practices across a wide breadth of domains.

• Backed by a 99 percent uptime warranty for nearly around-the-clock availability for hosted solutions.

• Tailored to a customer’s specific requirements.

Quality Management System

A quality management system encompasses the organizational structure, policies, processes, standards, procedures and resources needed to implement quality management. The SAS Solutions OnDemand quality management system (QMS) provides a framework for managing the activities that enable us to create solutions and provide services that consistently satisfy and exceed customer requirements. The QMS promotes a philosophy of continual improvement driven by quality objectives and customer feedback. The quality of SAS Solutions OnDemand products is maintained through systems of standardization and process control that are described in QMS documents. Activities affecting quality are documented in policies, processes, standards and procedures. Detailed instructions contain appropriate criteria to determine whether tasks are successfully completed.

The QMS framework describes SAS Solutions OnDemand quality control checkpoints across the range of its business, including:

• Management controls.

• Continuity of business controls.

• Information security controls.

• Supplier management controls.

• Solution delivery controls.

• Document controls.

• Change controls.

• Hosting operations controls.

• Customer care controls.

• Incident and problem management controls.



Figure 1 illustrates how these quality control checkpoints operate within SAS Solutions OnDemand.

QMS documents are monitored to assess their effectiveness and to identify opportunities for continual improvement. Monitoring includes assessments such as:

• Internal review of QMS methodologies, policies, standards and processes, often as a result of audit findings.

• Comparison of the QMS against industry best practices or regulatory requirements or both.

• Analysis of quality management metrics.

The results of these assessments are documented and discussed with the QMS board and other senior managers. Decisions are made to update the QMS based on findings and recommendations.

Management Controls

Management communicates quality goals and objectives, reviews and revises the QMS, and provides the resources that are necessary to create and maintain the quality of SAS Solutions OnDemand. Members of SAS Solutions OnDemand senior management serve on the QMS board, along with representatives from SAS IT, SAS Global Information Security (GIS) and SAS Legal groups. QMS board members are responsible for discussing new QMS documents and approving changes, including retirement, to existing QMS documents. SAS Solutions OnDemand management is ultimately responsible for ensuring that the QMS is followed.

Figure 1: QMS categories. The figure shows the ten QMS control categories (Management Controls, Continuity of Business Controls, Information Security Controls, Supplier Management Controls, Solution Delivery Controls, Document Controls, Change Controls, Hosting Operations Controls, Customer Care Controls, and Incident and Problem Management Controls) arranged around the service lifecycle stages Service Strategy, Service Design, Service Transition, Service Operations and Continual Service Improvement.


Communication

Management is responsible for communicating all additions and changes to the QMS. Effective communication is an essential component of the SAS Solutions OnDemand comprehensive support model. To ensure that quality standards are met, processes and controls are in place that guide how information is shared and distributed, both internally and externally.

SAS Solutions OnDemand assigns a project owner to each customer project to manage communications. The project owner for SAS Solutions OnDemand may be identified as a project manager or technical account manager (TAM), depending on the status of the project. In addition, written communication is facilitated through documentation. All documentation deliverables undergo a comprehensive review process to ensure that they are complete, understandable and appropriate for the audience. (See the Document Controls section on Page 15 for more details.) Regularly scheduled meetings serve as the primary driver for communicating project activities, status and risks throughout the solutions delivery methodology. SAS Solutions OnDemand project teams also use online tools for issue tracking and document management to easily:

• Collaborate.

• Report issues.

• Manage change.

• Share knowledge.

• Deliver and maintain documentation.

Training

SAS Solutions OnDemand requires that personnel have the necessary training, knowledge and skills to perform their jobs. To meet this requirement, management determines the training courses that personnel who work with SAS Solutions OnDemand must complete. Education and training activities expand the skills and knowledge of individuals so they can effectively and efficiently perform their roles. In addition to corporate educational opportunities, internal training focuses on the SAS Solutions OnDemand policies, processes, standards and procedures. Regulatory, privacy and security training provide SAS Solutions OnDemand staff with an understanding of the laws, regulations, guidelines and industry requirements that apply to SAS Solutions OnDemand activities. Personnel are required to take all training as new hires. Each year, personnel update their training and attest that they are following policies and procedures.

All internal and external records of training, education and experience are documented and maintained within the corporate learning management system. Training is developed and managed to be specific to SAS Solutions OnDemand activities. The SAS Solutions OnDemand Quality and Compliance teams audit these records annually to ensure conformity with processes. Audit reports are provided to managers who use this information to assist employees in determining their training needs in order to be successful team contributors.


Continuity of Business Controls

SAS maintains a Continuity of Business (COB) program aimed at protecting key SAS assets and continuing critical business functions upon the occurrence of a disruptive incident. The SAS COB Program Office provides a layer of program governance, formalizing roles and responsibilities and standardizing specific activities that include annual plan maintenance and testing, staff training and management reviews. For additional information about the SAS COB program, refer to sas.com/content/dam/SAS/en_us/doc/other1/continuity-of-business.pdf.

SAS Solutions OnDemand, which is considered a critical function under SAS’ COB program, has a business resumption plan that provides a framework for managing the overall process for SAS Solutions OnDemand to return to normal, day-to-day operations. The focal point of the SAS Solutions OnDemand Business Resumption (BR) plan is providing customer communications support to restore the services upon which customers depend. Key SAS Solutions OnDemand COB activities that are completed annually include:

• Business impact analysis (review and update).

• BR plan maintenance (review and update).

• Staff training.

• Multiple testing activities, including global call tree and scenario testing.

• Executive management review.

SAS Solutions OnDemand customers have the option to purchase enhanced Disaster Recovery Planning Services (DRPS) to define specific recovery requirements. For RMSS implementations, the COB program and policies are the responsibility of the customer. SAS Solutions OnDemand can cater to the customer’s design to supplement the availability of the software once the prerequisite infrastructure is established.

Information Security Controls

Data Privacy Controls

SAS Solutions OnDemand treats hosted customer content in accordance with the SAS Code of Ethics, SAS Solutions OnDemand Business Customer Privacy Policy, the SAS Solutions OnDemand Data Classification and Handling Policy (DCHP), the SAS Use and Disclosure of Confidential and Proprietary Information Policy and any relevant agreements between hosted customers and SAS Solutions OnDemand. Hosted content is treated as confidential and is made available only to authorized SAS personnel who require access to this information in the performance of their duties.

Hosted content and associated computer or information assets must be protected and are not to be used, disclosed or accessed by SAS or its third-party suppliers or subcontractor personnel other than as required to perform the hosting services in accordance with the following:

• Customer agreements.

• As otherwise authorized by SAS customers.

• As required to comply with legally mandated reporting, disclosure or other legal process requirements.


Confidential information that resides within the SAS Solutions OnDemand hosting instance (dedicated to one customer) is kept logically separate from hosting instances of other customers unless otherwise defined in applicable agreements or hosted solution requirements. The SAS Solutions OnDemand hosted environment controls access to confidential information by user ID and password and only grants access to authorized individuals.

For RMSS engagements, customers may also request that SAS and its personnel adhere to the customer’s own data privacy controls and policies, and/or undergo customer-sponsored training. The SAS Solutions OnDemand project manager or TAM is responsible for managing compliance with any such requests.

Logical Security Controls

SAS’ system administrators take the following measures to protect the SAS Solutions OnDemand hosting environment from all known threats such as malware, viruses and unauthorized access:

• SAS manages firewalls and software-defined firewall functionality according to industry standards to prevent unauthorized access, disclosure, loss, misuse or theft of company information. Firewalls within the SAS data centers are located at the ingress and egress points in the customer environment. These devices are installed in redundant pairs and have implicit “deny-all rules” at the end of rule sets. Customer-hosted solutions are segmented and use firewall rules to control access to and from other environments. Access is controlled using access control lists (ACLs) to prevent unauthorized hosts from connecting to these devices. For infrastructure as a service (IaaS) providers, such as Amazon Web Services (AWS), firewall functionality is employed using industry standards to ensure secure, private networks within the public cloud. In AWS, a combination of security groups, subnets, VPCs and network ACLs are employed to provide equal, or better, security than physical firewalls.

• SAS IT hosting uses additional network security devices such as an intrusion detection/prevention system (IDS/IPS) to complement the firewalls and provide additional security. The IPS provides the ability to monitor, detect and block malicious traffic based on signatures, security intelligence feeds, anomalies or geographic location. Within IaaS networks, additional security tools may be deployed as well, depending on the environment. These additional security tools provide further visibility into the environments and allow SAS to monitor, detect and block malicious traffic based on signatures, security intelligence feeds, anomalies or geographic location.

• SAS Solutions OnDemand offers multiple methods for reliable, secure electronic file transfer, including FTP over SSL (FTP/S), Secure File Transfer Protocol (SFTP) and Hypertext Transfer Protocol Secure (HTTPS). These methods ensure that files are encrypted in transit as they are moved from their source location to the destination customer environment, and they have the benefit of simple auditability.

• Systems are hardened to ensure that no unnecessary services are exposed, and default device settings are changed to establish baseline configurations. All systems with a Microsoft operating system are configured with anti-virus software.

• Patches are maintained and applied by supported tools designed to facilitate patch management and tracking, where applicable.
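The first bullet above describes rule sets that are evaluated top to bottom and end in an implicit deny-all. The following is an added illustration written for this page, not SAS firewall configuration or code: a first-match evaluator with the implicit deny, plus the shadowed-rule check a reviewer runs over a rule set. The rule format, the sample networks and ports, and the `Rule` dataclass are constructed assumptions.

```python
# Added example (not SAS code): first-match rule-set evaluation with an
# implicit deny-all at the end, plus a review check for shadowed rules.
# Rule format, sample networks and ports are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    port: Optional[int]      # destination port; None matches any port
    proto: str = "tcp"

    def matches(self, src_ip: str, dst_ip: str, port: int, proto: str) -> bool:
        return (
            ip_address(src_ip) in ip_network(self.src)
            and ip_address(dst_ip) in ip_network(self.dst)
            and (self.port is None or self.port == port)
            and self.proto == proto
        )


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int, proto: str = "tcp") -> str:
    """Walk the rule set top to bottom; the first matching rule decides.
    A connection that reaches the end without a match is denied, which is
    the implicit deny-all the text describes."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port, proto):
            return rule.action
    return "deny"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every connection they would match: a standard rule-set review finding."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (
                ip_network(later.src).subnet_of(ip_network(earlier.src))
                and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                and (earlier.port is None or earlier.port == later.port)
                and earlier.proto == later.proto
            ):
                shadowed.append(i)
                break
    return shadowed


# Constructed rule set for one hosted customer segment (10.20.0.0/24):
# a neighbouring customer segment is blocked outright, management hosts
# may reach SSH, and anyone may reach HTTPS. Everything else is denied.
CUSTOMER_RULES = [
    Rule("deny", "10.30.0.0/24", "10.20.0.0/24", None),
    Rule("allow", "10.0.1.0/24", "10.20.0.0/24", 22),
    Rule("allow", "0.0.0.0/0", "10.20.0.0/24", 443),
]

if __name__ == "__main__":
    for pkt in [("203.0.113.7", "10.20.0.10", 443),
                ("203.0.113.7", "10.20.0.10", 22),
                ("10.30.0.5", "10.20.0.10", 443)]:
        print(pkt, "->", evaluate(CUSTOMER_RULES, *pkt))
```

The explicit deny for the neighbouring segment sits first so that the broad HTTPS allow below it cannot override the segmentation; `shadowed_rules` catches the opposite mistake, a rule placed after a broader one that makes it dead.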


To prevent unauthorized access to the SAS Solutions OnDemand hosting environment, all access is approved in advance, logged and recorded. Access levels are reviewed periodically (quarterly for elevated privileges). Access must be made through secure connections to ensure that no passwords are sent unencrypted over unsecure networks.

To protect customer data from unauthorized download or loss, SAS Solutions OnDemand deploys data loss prevention (DLP) software in its US and certain other international offices on SAS end-client machines with access to hosting environments. The DLP software monitors data traffic and sends alerts when a potential violation of the Data Classification and Handling Policy is detected.

SAS Solutions OnDemand uses two-factor authentication for appropriate SAS staff and SAS subcontractor access to systems hosted at the primary SAS data center and IaaS environment if required by regulation or customer contract. Two-factor authentication may also be required for SAS staff and subcontractors to access hosted customer websites and other services in the same network, with the exception of access to internet-facing services. Two-factor authentication is not required for customer access to solutions.

On an annual basis, SAS engages a qualified, independent third party to perform a penetration test of its network. A letter of attestation regarding the results of the penetration test can be provided upon a customer’s request. SAS GIS performs or coordinates third-party firms for required penetration testing.

SAS GIS also evaluates individual application security vulnerabilities for risk, including likelihood and impact of exploitation, when providing guidance on vulnerability remediation after a penetration test is completed. The frequency of risk assessment, penetration testing or both, for any given application is driven by regulatory, contractual and policy requirements.

In addition, SAS performs automated vulnerability scans of all internet-exposed assets on the SAS global perimeter every two weeks. Confirmed critical vulnerabilities detected during automated scans generate a record in the incident management system. Incident records are automatically assigned to SAS GIS, which then works with the appropriate teams to remediate the issue.

For all RMSS implementations, the customer implements all logical security controls and provides SAS with access to the environment based on these controls. No customer data or other content is stored at the SAS data center.

Personnel Security Controls

Logical access to a SAS Solutions OnDemand hosting instance and SAS Solutions OnDemand gateway servers for RMSS implementations is available to users after successful completion of a multistep approval process. Only then can a user access the hosting instance with the use of unique credentials. Each user is assigned a unique user ID and password that must be changed regularly. All initial passwords that are supplied by SAS require that the password be changed through a secure web interface at first use. All passwords must be at least eight characters long and meet three of four complexity rules. In addition, a history of 24 passwords is kept to prevent reuse of those passwords.
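As an added example, not code from SAS, the following applies the password rules stated above (an eight-character minimum, three of four complexity rules, and a 24-password reuse history) the way a credential service would on a password change. The page does not define the four complexity classes, so they are assumed here to be uppercase, lowercase, digits and other characters; the class layout and the salted SHA-256 storage of the history are likewise assumptions made for the example.

```python
# Added example (not SAS code): enforce the stated password policy and keep a
# 24-entry reuse history. The four complexity classes and the salted-hash
# history storage are assumptions for illustration.
import hashlib
import os
from typing import List, Tuple

MIN_LENGTH = 8
REQUIRED_CLASSES = 3
HISTORY_SIZE = 24


def complexity_classes(password: str) -> int:
    """Count how many of the four assumed character classes are present:
    uppercase, lowercase, digits, and any other (symbol) character."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(checks)


class PasswordHistory:
    """Per-user record of the last HISTORY_SIZE passwords.

    Each entry is (salt, SHA-256(salt || password)) so the history never
    holds clear-text passwords; comparison re-derives the digest per entry."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.sha256(salt + password.encode("utf-8")).digest()

    def was_used(self, password: str) -> bool:
        return any(self._digest(salt, d) == digest for salt, digest in self._entries for d in [password])

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(salt, password)))
        # Drop everything older than the most recent HISTORY_SIZE entries.
        del self._entries[:-HISTORY_SIZE]


def check_password(password: str, history: PasswordHistory) -> List[str]:
    """Return every policy violation; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if complexity_classes(password) < REQUIRED_CLASSES:
        problems.append(f"uses fewer than {REQUIRED_CLASSES} of 4 character classes")
    if history.was_used(password):
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    return problems


def change_password(password: str, history: PasswordHistory) -> List[str]:
    """Apply the policy and, only if it passes, commit the password to history."""
    problems = check_password(password, history)
    if not problems:
        history.record(password)
    return problems


if __name__ == "__main__":
    h = PasswordHistory()
    for candidate in ["short1A", "abcdefgh", "Correct-Horse-1", "Correct-Horse-1"]:
        print(candidate, "->", change_password(candidate, h) or "accepted")
```

The history is trimmed on every successful change, so a password becomes reusable only after 24 newer passwords have replaced it; rejected candidates are never recorded.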


Security policies and standards are documented in SAS Solutions OnDemand & IT Hosting Policies and Processes, which is updated annually. SAS requires that personnel with access to the SAS Solutions OnDemand hosting environment and access to gateways supporting remote customer environments receive training on the policies and processes that apply to the hosting environment. Personnel are required to take this training as new hires, and annually thereafter, and are also required to attest that they understand and will follow these policies and processes.

Access, performance and relationship management for SAS Solutions OnDemand third-party suppliers are controlled by a formal SAS Solutions OnDemand Supplier Qualification and Management program. Refer to Supplier Management Controls on Page 8 for details.

For RMSS implementations, SAS Solutions OnDemand immediately communicates SAS personnel departure to the customer so that timely revocation of access can occur, as appropriate.

Physical Security Controls

SAS data centers are secured using industry-approved and accepted physical safeguards. All data centers are housed in nondescript facilities. Physical access is controlled at the perimeter and at building ingress points by security staff using badge access, video surveillance intrusion detection systems and/or other electronic means that are appropriate to the data center location. All visitors are required to present identification and are signed in and escorted by authorized staff.

Access to the SAS campus and the buildings that house the primary SAS data center at SAS world headquarters in Cary, NC, are controlled by SAS security personnel, badge readers and access control policies. Additional security authorization procedures limit physical access to the SAS data center and the SAS Solutions OnDemand hosting rooms.

Access to the SAS data center and SAS Solutions OnDemand hosting rooms is restricted to authorized employees and subcontractors that support maintenance agreements for hardware, software, escorted cleaning crews and business partners that support specific business operations. Data center management is responsible for authorizing physical access to the IT data centers following management approval. Records are maintained of who has a badge, and all spare badges are inventoried and secured. The SAS data center management group is responsible for authorizing and reviewing physical access on a monthly basis. Badge readers are located at each entry point to hosting rooms, and badges must be worn and visible at all times within the SAS data center. The SAS Solutions OnDemand environment requires additional badge readers and personal identification number (PIN) codes.

For RMSS implementations, physical security controls are typically the sole responsibility of the customer.

See the Hosting Operations Controls section on Page 17 for information on global data centers that are located outside SAS world headquarters.


Supplier Management Controls

SAS Solutions OnDemand maintains a Supplier Qualification and Management program that includes initial evaluation, approval, disapproval, continual improvement and management of the supplier base. All products and services purchased for SAS Solutions OnDemand are obtained from suppliers that maintain an acceptable risk rating. A supplier’s risk rating is a function of:

• On-time delivery.

• Acceptable quality of components and material at delivery.

• Responsiveness to corrective and preventive action requests.

• Supplier risk assessment.

• Supplier assessment questionnaire.

• On-site audit (as needed).

Suppliers are assessed on a regular, ongoing basis – at minimum every two years – based on risk, performance and ongoing need. Suppliers who fail to maintain acceptable risk ratings are consulted on the system elements necessary to maintain the status of “Approved Supplier.” Suppliers that consistently fail to maintain an acceptable quality rating are disapproved as suppliers to SAS Solutions OnDemand.

Solution Delivery Controls

The software delivery life cycle for an enterprise-hosted solution, SaaS solution, RaaS solution or RMSS implementation is divided into distinct phases: definition, design, build, test, implementation and closeout/maintain. SAS Solutions OnDemand staff use the solution delivery controls described in this section to ensure quality within all deployed hosted solutions.

Solutions Delivery Methodology (SDM)

The SAS Solutions OnDemand Solution Delivery Methodology (SDM) provides guidance for planning and managing SAS projects throughout the project life cycle. The SDM methodology enables all participants to contribute their skills to the solutions provided to customers. Rigorous, scalable processes help ensure effective planning and execution across all customer projects. Lessons learned continually update and improve this methodology. The SDM provides guidance for developing custom enterprise-hosted, SaaS solutions and RaaS solutions by forming a common foundation to build new solutions and to support its drive toward repeatable engagements.

SAS Solutions OnDemand follows a patented, value-driven approach for analytic delivery (US Patent # US 8,887,128 B2).

Collection, management and organization of data assets of an organization are key to successful decision-support system implementations. This approach is usually coupled with business analytics and includes, but is not limited to, analysis, querying, reporting and presentation needs. This method also includes tailored security controls that meet the needs of SAS Solutions OnDemand’s regulated customers.


Figure 2: Analytic Delivery Approach (US Patent # US 8,887,128 B2). The figure shows the delivery phases Project Initialization, Requirements and Discovery, Iterative Design, Production Design and Build, Handoff/Validations/Requirements and Ongoing Support, with the activities in each phase (scoping and kickoff, identifying customer data sources, agreeing on data properties and logistics, extracting data into raw SAS data sets and running standard validation routines, developing the collection data mart and prototype, exploratory data analysis and iterative review with the customer, production design and build of the alert generation and GUI data mart, iterative QA testing, UAT, promotion to the appropriate environments, system documentation/knowledge transfer and handoff) mapped to the roles SAS Team, SAS Administration and IT System Administrators, SAS Tech Developers, SAS Analysts, SAS ETL Resources, SAS Technical Lead and Customer. The legend marks the possible iteration cycles, with the stated goal of minimizing cycles.


The SDM incorporates processes for developing analytical models to understand and explain relationships that exist within large amounts of data. These models provide organizations with knowledge to help solve a wide range of business problems, such as reducing customer churn ratio, increasing direct marketing response rates, providing risk assessment accuracy, detecting fraud/waste/abuse, scoring credit card transactions and performing market basket analysis, among others.

Software Configuration Management (SCM)

The Software Configuration Management (SCM) process for SAS Solutions OnDemand projects involves establishing a baseline, as well as tracking and controlling changes made to the software that is implemented for SAS Solutions OnDemand customers. SCM incorporates a set of activities that are designed to control changes by:

• Identifying configuration types, configuration items and baselines.

• Identifying the items that have planned changes or are likely to change.

• Establishing relationships among configuration types and items.

• Defining mechanisms for managing different versions of these items.

• Auditing and reporting on the changes made to configuration items.

This process applies to all software items delivered as a part of enterprise-hosted solutions, SaaS solutions, RaaS solutions or RMSS solutions (according to the contract), including each item used to build, maintain and report upon components.

SAS Solutions OnDemand source code is maintained in a source management system during the development, quality assurance (QA) and production phases of a project. For RMSS implementations, SAS Solutions OnDemand works with customers to select a mutually agreed-upon source control platform and promotion policy. Release management activities are conducted by a release manager as appropriate to:

• Control release of fixes, changes and features to testing or production environments.

• Communicate details of the release.

The quality lead for the project periodically audits the production versions of all items to verify that they are consistent with approved requests for change. Audits may involve a review of all items or a sampling of items in a particular repository. As appropriate, the quality lead may perform periodic spot checks to verify that only authorized changes were made in the last 24-hour period.

Data Quality

If requested and within the scope of the project, automated data quality processes are built into hosted solutions. These provide a foundation for profiling data sources, identifying data issues and designing processes and programs that address those data issues. The “monitor” component of the data quality package provides the ability to extend data quality processes beyond traditional project-based application, and ensures the accuracy and reliability of information sources over time.

Monitoring may include simple data profiling trend analysis, or it may include specific, complex business rule analysis. By implementing rules that define acceptable data quality values, monitoring can be used to automatically identify records that violate quality standards and alert users of the violations.


Monitoring allows the team to take action well before the data anomaly affects business decisions, processes or projects, and thus improves data quality over time.
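As an added example (not code from the SAS white paper or its data quality package), the following script shows a small rule-based monitor of the kind just described: rules define acceptable values, violating records are reported, and a profiling trend (null rate per column) is compared against a baseline so that drift raises an alert. The records, rules, columns and thresholds are constructed sample data.

```python
"""Added example (not part of the SAS white paper): a small rule-based data
quality monitor of the kind described above. Rules define acceptable values,
violating records are reported, and a profiling trend (null rate per column)
is compared against a baseline so that drift raises an alert. The records,
rules and thresholds are constructed sample data, not SAS product behaviour."""
import re
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    name: str
    column: str
    check: Callable[[Any], bool]  # returns True when the value is acceptable
    severity: str = "error"


def not_null(value: Any) -> bool:
    return value is not None and value != ""


def in_range(lo: float, hi: float) -> Callable[[Any], bool]:
    return lambda v: isinstance(v, (int, float)) and lo <= v <= hi


def matches(pattern: str) -> Callable[[Any], bool]:
    rx = re.compile(pattern)
    return lambda v: isinstance(v, str) and rx.fullmatch(v) is not None


def find_violations(records: list[dict], rules: list[Rule]):
    """Return one (row_index, rule_name, column, value) tuple per failed check."""
    out = []
    for i, rec in enumerate(records):
        for r in rules:
            value = rec.get(r.column)
            if not r.check(value):
                out.append((i, r.name, r.column, value))
    return out


def null_rates(records: list[dict], columns: list[str]) -> dict[str, float]:
    """Profile the share of null/empty values per column."""
    n = len(records) or 1
    return {c: sum(1 for r in records if not not_null(r.get(c))) / n for c in columns}


def trend_alerts(current: dict[str, float], baseline: dict[str, float],
                 max_increase: float = 0.10):
    """Alert when a column's null rate rose by more than max_increase (absolute)."""
    return [(c, baseline.get(c, 0.0), rate) for c, rate in current.items()
            if rate - baseline.get(c, 0.0) > max_increase]


# Constructed sample load: a few claim records with deliberate defects.
SAMPLE_RECORDS = [
    {"claim_id": "C-1001", "amount": 120.50, "zip": "27513", "status": "PAID"},
    {"claim_id": "C-1002", "amount": -5.00, "zip": "27513", "status": "PAID"},   # negative amount
    {"claim_id": "C-1003", "amount": 80.00, "zip": None, "status": "OPEN"},      # missing zip
    {"claim_id": "", "amount": 42.00, "zip": "2751", "status": "PAID"},          # empty id, bad zip
    {"claim_id": "C-1005", "amount": 15.00, "zip": None, "status": "CLOSED"},    # missing zip
]
SAMPLE_RULES = [
    Rule("claim_id_present", "claim_id", not_null),
    Rule("amount_nonnegative", "amount", in_range(0, 1_000_000)),
    Rule("zip_format", "zip", matches(r"\d{5}"), severity="warning"),
    Rule("status_known", "status", lambda v: v in {"OPEN", "PAID", "CLOSED"}),
]
# Baseline null rates from an assumed earlier profiling run (constructed).
BASELINE_NULL_RATES = {"claim_id": 0.0, "amount": 0.0, "zip": 0.05}
COLUMNS = ["claim_id", "amount", "zip"]


def run_sample():
    """Return (violations, trend_alerts) for the constructed load."""
    violations = find_violations(SAMPLE_RECORDS, SAMPLE_RULES)
    alerts = trend_alerts(null_rates(SAMPLE_RECORDS, COLUMNS), BASELINE_NULL_RATES)
    return violations, alerts


if __name__ == "__main__":
    v, a = run_sample()
    for row, rule, col, val in v:
        print(f"row {row}: {rule} failed on {col}={val!r}")
    for col, base, now in a:
        print(f"ALERT null rate of {col} rose from {base:.0%} to {now:.0%}")
```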

Project Management Methodology (PMM)

The SAS Solutions OnDemand Project Management Methodology uses the following five basic processes to support effective project management:

• Initiating. These processes authorize the project or phase.

• Planning. These processes define and refine objectives, and select the best alternative course of action to attain the project objectives.

• Executing. These processes coordinate people and other resources to carry out the plan.

• Controlling. These processes ensure that the project objectives are met by monitoring and measuring progress regularly to identify variances from plan so that corrective action can be taken when necessary.

• Transitioning. These processes are needed for projects that require ongoing operational support or are being closed out:

• Projects requiring managed services during the operational phase (post-implementation) are transitioned to the SAS Solutions OnDemand Managed Services team and/or SAS Technical Support. Managed services include the day-to-day management of the SAS solution to ensure stable and efficient business continuity.

• Projects that have reached the end of a significant phase or have completed implementation go through a formalized acceptance process of the project or phase to conclude in an orderly manner.

Quality Management Methodology (QMM)

Quality management activities are part of every stage of software development. They include preparation of test plans and test cases, adherence to standards through reviews or inspections, procedures for error reporting and tracking, and proper management of documentation.

These activities provide many benefits including, but not limited to:

• Program management guidelines and processes govern project implementations so that they are disciplined, well managed and consistent.

• Formal quality control reviews throughout the development process assist in problem prevention.

• Testing activities during every stage of development aid in problem detection.

• Development of standards and a solutions delivery methodology contribute to quality and consistency.

• Documented procedures ensure compliance with standards.

Software Quality Assurance (QA)

All hosted solutions that include custom software components undergo a rigorous quality assurance process throughout the solutions delivery methodology as illustrated in Figure 3. The quality assurance process follows the Quality Management Methodology as discussed in SAS Solutions OnDemand’s Quality Management Methodology (QMM) documentation. QMM activities include the following steps:


• Develop a quality plan that defines the quality tasks to be performed.

• Develop a test plan that provides additional detail about testing activities, which include:

• Describing the type of testing that is chosen.

• Specifying the testing environment and test data.

• Defining the features to be tested.

• Providing traceability to customer requirements.

• Identifying business or technical risks or both.

• Describing defect tracking.

• Execute multiple software testing activities, including:

• Installation testing. Installation testing is performed by SAS administrators as part of their standard process to verify that “out of the box” SAS software is installed properly.

• Deployment testing. Deployment testing is performed by SAS QA prior to releasing a new customer environment. The testing is conducted in the same environment that is to be released to the customer. This testing takes place before the creation of any additional software created by SAS for customized data load or analysis or both.

• Unit testing. This is the first testing event that occurs during project development. This testing begins after a single program module has been developed and continues while the program is under modification.

• Integration testing (as appropriate). This testing focuses on the relationship between pairs of components and groups of components within the system that is under test.

• Data load testing. Maintaining the integrity and accuracy of a data warehouse requires specific processes whose primary purpose is to verify at key points in the extract, transform and load process that data is complete and in balance. Separate test scripts and cases are needed to ensure these processes function correctly. These tests are typically part of integration and system test plans, but might be documented as a separate test plan, if needed.

• Performance (load) testing. Some projects might require separate test plans for the performance features of their system, if the performance requirements are lengthy or complex. This type of testing could involve recording certain measures of performance under various conditions of data volume, concurrent users or transaction types. Special software or system resources may be required to test performance adequately. SAS or the customer conducts any needed performance testing to verify performance requirements are met.

• Peer reviews. Reviews are completed by a peer or colleague developer following completion of program coding. SAS uses peer reviews to verify the correctness and completeness of SAS software before any actual testing takes place.

• Security testing. In situations where security measures are required, special tests of only the security components may be performed to verify that requirements have been met. Security testing focuses on the preservation of information, where:


• Confidentiality ensures accessibility only to those authorized to have access.

• Integrity safeguards the accuracy and completeness of information and processing methods.

• Availability ensures access for authorized users to information and associated assets when required.

Note: Information on SAS security assurance is available at: www.sas.com/en_us/company-information/security.html.

• System verification. System testing represents the final set of tests performed before SAS delivers a system, to assure that the application opens with all basic functionality intact before being released to the customer. A system test ensures that all components are tested together.

• User acceptance testing (UAT). This testing verifies that the system meets all stated business requirements and design specifications, as defined by the customer and agreed to by SAS. The customer defines, manages and conducts all UAT activities, including the documentation of UAT plans and results, unless otherwise specified in the contract. UAT is performed in a customer location (environment) that is agreed upon by SAS and the customer. During UAT, the customer records identified problems. The customer works with SAS to determine issue priorities and timing for resolution.

Figure 3: Quality control inspection points.

[Figure 3 lays out the inspection points across the Requirements, Design, Build, Testing and Data Quality phases: systems requirements review, design review (system design, data model), code walkthrough, code review, unit test, integration test, system test, user acceptance test, QA data quality and software testing review, with change controls applied throughout. Its who/when/why table for each inspection point is reproduced below.]

• Quality plan and test case specification. Who: QA/PM/Tech Lead. When: Solution definition phase. Why: Identify testing objectives and inspection points.

• Code walkthrough. Who: Developer. When: Program completion. Why: Validate program logic.

• Code review. Who: Developer/peer developer. When: After coding/unit test. Why: Determine code defects, optimize code, tune.

• Integration testing. Who: QA/PM/Tech Lead/Developer. When: Completion of modules/subsystem. Why: Verify integration of program modules.

• System testing. Who: QA/PM/Tech Lead/Developer. When: Completion of all modules/subsystem. Why: Ensure system is stable and ready for customer use.

• User acceptance test. Who: Project Manager/Tech Lead. When: Development of all modules/subsystems completed. Why: Validate requirements and ensure system satisfies critical success factors.


SAS provides support to customers during UAT by performing the following tasks:

• Providing the customer with the SAS Solutions OnDemand Quality Assurance documentation (quality and test plans, test scripts, logs, output, workbooks and more).

• Providing the customer with SAS Quality Assurance templates for test plans, workbooks and more.

• Training the customer on using the SAS Solutions OnDemand tracking system to monitor issues and create UAT reports.

• Investigating problems that are identified during UAT and fixing them, as appropriate.

• Testing fixes for problems that are identified during UAT.

When SAS resolves the problems identified by the customer during the testing period, and the customer has verified the fixes are satisfactory, then UAT is concluded.

• Conduct quality control inspections to validate that project deliverables and review cycles have been completed. These inspections are described below:

• Code walkthroughs and reviews monitor compliance with development methodologies and standards.

• A system requirements review involves an evaluation of the system requirements specification provided by the customer.

• A system design review involves an evaluation of a series of design documents that collectively define the complete solution for meeting customer requirements.

• A test results review is conducted at the conclusion of each type of testing. This review evaluates the results to ensure that all testing was completed as planned.

• Implement automated monitoring and scheduled QA checks after a project moves to production to ensure the following:

• Service-level agreement (SLA) obligations are met.

• The system is functioning as expected.

• Data loads are completed as expected.

Problem reporting during testing ensures all testing-related issues and defects are managed in a consistent and effective manner. This includes the recording, tracking and disposition of system issues and defects. SAS Solutions OnDemand maintains a change management process that provides the following capabilities:

• Records defect information.

• Establishes severity and priority.

• Assigns responsibility for resolution.

• Records expected completion date for resolution.

• Tracks ongoing status.

• Provides notification on defect status.

• Documents the resolution.

Defects are recorded as soon as practicable after discovery. Technical leads assign defects to application developers for resolution. Quality assurance and development resources meet on a regular basis to review and assign priority and severity for each new defect, review the status of each unresolved defect and determine additional testing needed after a defect is corrected. Quality assurance resources also work with developers to help identify the root causes.

A final disposition of reported defects is made before the system under test is certified for release to production. SAS and the customer project and program management teams review test results and defect disposition and provide final approval for release to production. QA metric reports are available that provide graphical representation of defects and test cases over time, as well as summary listings that provide one row per defect with a textual summary of the defect.

The QMM lists several strategies for writing test cases with the highest probability of detecting the most errors, including, but not limited to:

• Black-box testing and white-box testing.

• Performance testing.

• Security testing.

• Data load testing.

Document Controls

In order to ensure consistency and efficiency in documentation, SAS Solutions OnDemand has established, defined and controlled:

• Methodologies.

• Policies.

• Standards.

• Processes.

• Procedures.

• Guidelines.

• Plans.

• Templates.

Document controls exist to ensure consistency in document templates, documentation structure and content, naming conventions and version control. All documents follow an iterative document development cycle, which includes:

1. Document setup and initial development.

2. Document internal review.

3. Document delivery.

4. Document revision.

5. Document finalization and acceptance.

6. Document archive and removal.


Change Controls

The change management process identifies, measures and controls the addition, modification or removal of hardware, software, processes and other IT services. Controlling the life cycle of all changes minimizes the risk of disruption to IT services. The objectives of change management include:

• Responding to customers’ changing business requirements while maximizing value and reducing incidents, disruption and rework.

• Responding to the business and IT requests for change that align the services with the business needs.

• Ensuring that changes are recorded and evaluated, and that authorized changes are prioritized, planned, tested, implemented, documented and reviewed in a controlled manner.

• Ensuring that all changes to configuration items (CIs) are recorded in a configuration management database (CMDB) as applicable. RMSS engagements typically require the use of the customer’s change management system.

Customers or SAS can request changes based on required functionality or maintenance of the hosted environment for the following categories, as applicable:

• Application.

• Database.

• Operating system.

• Hardware.

• Infrastructure.

• Software-defined infrastructure.

The change requestor initiates the change management process in the appropriate system. The change requestor’s responsibilities include the following, when appropriate:

• Identify the business, service or technical need for change.

• Propose the change solution in business or technical terms, when appropriate.

• Propose a date by which the change will be implemented.

• Identify the affected, known parties that need to be notified.

• Submit change request tickets for approvals.

Changes are typically classified according to risk and impact, as described below:

• Standard changes are low-risk, occur on a frequent basis, are adequately documented and are typically pre-approved (e.g., a password reset or reboot of servers during the scheduled monthly maintenance activities). New requests for designating a standard change are submitted through the appropriate ticketing system.


• An emergency change is usually executed during an incident to:

• Ensure SLA requirements are met.

• Resolve issues negatively affecting the use of the system not resulting in SLA violations.

• Ensure appropriate security of the hosted solution.

Emergency changes are completed during non-peak hours, if possible. Advance approval is not required for emergency changes. Instead, approvals are captured retroactively, as appropriate, within a prompt timeframe.

• A normal change has defined risk that requires documentation and advance approval.

When appropriate, SAS Solutions OnDemand project owners perform the following change management activities:

• Inform customers of changes that might affect hosting instances and their associated risks.

• Evaluate change requests on a per-customer contract basis with project and customer personnel.

• Ensure that changes are tracked and documented with required information.

After the change is reviewed for completeness and approved, the change implementer executes the change based on the information in the change request. SAS IT or SAS Solutions OnDemand personnel test/verify that the change is successful, as appropriate, and ensure it is properly documented in the CMDB, change management or ticketing system(s). RMSS engagements typically require the use of the customer’s change management processes and system.

Hosting Operations Controls

In addition to the primary SAS data center located at SAS world headquarters in Cary, NC, SAS uses other data centers that are strategically located around the world to support SAS Solutions OnDemand customers. Those data centers are operated in partnership with established third parties. These providers are qualified through SAS’ Supplier Management Program and maintain relevant certifications (e.g., ISO 27001 or SOC 2/3), as appropriate. Global data centers maintain certifications, policies and standards that vary by location.

To ensure the integrity of the hosted solutions, hosting controls are in place for software installation, on-call support, monitoring, service-level availability, patch management, maintenance, media secure storage, and data backup and restore procedures. SAS security and compliance resources review and assess hosting controls to ensure effectiveness. From the customer contracting process through the implementation and maintenance of the hosted or RMSS solution, these groups provide guidance regarding the policies, standards and practices implemented by SAS Solutions OnDemand. In addition to the day-to-day operations, these resources facilitate continual improvement through programs such as supplier audits, risk assessment documentation reviews and hosting customer audits.


Remote Managed Software and Services (RMSS)

For RMSS implementations, customers provide all necessary infrastructure to operate and maintain the system in the customer’s data center, including, but not limited to:

• Servers.

• Operating system.

• Storage.

• Required third-party software, including databases, tape drives, off-site storage, power, uninterruptible power systems (UPS) protection, physical and firewall security, environmental considerations (AC) and fire suppression.

In addition, customers are responsible for:

• Providing all support and ongoing maintenance of hardware and associated operating system software.

• Allowing the installation and ongoing operation of SAS application monitoring software on the customer’s hardware.

• Providing regularly scheduled backups.

• Enabling network connectivity and configuration between the customer and SAS.

Installation

For each hosted application instance or RMSS implementation, standardized installation procedures are performed according to a documented plan to install and verify that the SAS Solutions OnDemand system is:

• Delivered for the intended purpose.

• Fully operational.

After the installation and verification procedures are completed, the system is declared ready for production. Following formal approval, the new customer instance is promoted to production. Monitoring begins to:

• Ensure compliance with the SLA.

• Provide alerts to SAS Solutions OnDemand on-call staff.

At this point, formal event, incident, problem and change management processes are followed. These processes align with industry best practices for production systems.

On-Call Support

All new hosting instances require a support model, which defines appropriate support teams and on-call rotation groups according to the customer, contractual requirements and the RMSS connectivity method. These teams monitor and provide support after SAS Hosting Operations places the new instance into production status. The designated on-call group is then responsible for the primary support of the environment. SAS production monitoring ensures that automated notifications are sent to the appropriate staff member during an event.


Monitoring

SAS teams, as appropriate, maintain systems that detect anomalies or malicious, unauthorized activities within network device and server systems using active and passive network monitoring devices. These devices assist with detecting potential network-based logical intrusions.

SAS uses applications that run on the servers to monitor server health. The monitored components can include metrics of server and solution availability, such as:

• Server uptime in days.

• Disk usage per file system.

• Database operational/listener status.

• Recent list of user IDs that last logged onto server.

• List of user IDs that are currently logged onto the server.

• Network interface status.

• List of processes currently running.

• Total disk usage.

• Completion of successful backups.

• CPU specifications.

• Memory utilization.

Monitoring alerts are sent to SAS’ CMDB to be forwarded to the appropriate on-call group for triage and resolution.

SAS Solutions OnDemand also performs enhanced monitoring, as appropriate, to confirm the effective operation of hosted applications. Checks, which must be nonintrusive, involve navigation and key functionality according to role for each applicable environment.

Service-Level Availability

SAS Solutions OnDemand measures monthly service-level availability as the amount of time (excluding scheduled maintenance) that hosting services are available as defined in the applicable customer agreement. SAS Solutions OnDemand contracts typically provide 99 percent SLA, unless otherwise negotiated in the customer contract.

SAS Solutions OnDemand uses standard templates that define the alerts and the rules related to the hosted infrastructure entities. SAS Solutions OnDemand works with individual service owners to configure SAS Solutions OnDemand hosting systems and forward all monitoring alerts to the SAS IT Service Management system.

Patch Management

SAS Solutions OnDemand patches servers as quickly as possible for critical vulnerabilities based on a risk assessment. The timing of the application of the patches depends on the security vulnerability, the assessed business and technical risk, and how quickly an outage can be scheduled, if required. The need to implement a patch is formally communicated to the customer by the SAS Solutions OnDemand project manager or TAM. Implementation of the patch is also tracked, including the specification of which customer-hosted servers and services are affected, as well as the scheduling of any required outages.


SAS GIS assesses the criticality of client and server operating system patches with the relevant IT and SAS Solutions OnDemand teams. The risk assessment results are delivered to all SAS system administrators. Patches are tested before they are released to production, as appropriate. Patches are maintained and applied by supported tools designed to facilitate patch management and tracking, where applicable.

SAS application hot fixes or patches, including those implemented as part of an RMSS engagement, are applied based on customer need and impact, and according to SAS R&D release schedules.

Note: For RMSS implementations, SAS only patches the SAS application. The customer is responsible for the operating system and third-party components.

Patches for critical security issues identified by SAS GIS, SAS R&D or SAS Solutions OnDemand management may be implemented during nonstandard maintenance windows, depending on the severity of the issue.

Patch schedules may differ for infrastructure and other systems hosted at global data center locations.

Maintenance

SAS Solutions OnDemand schedules periodic outages to make nonemergency changes, such as maintenance on operating environments of servers, networks and web connectivity devices. System maintenance enables SAS Solutions OnDemand to:

• Maintain a robust environment in accordance with manufacturer specifications and organizational requirements.

• Meet contractual SLA requirements.

• Perform maintenance with minimal impact to customers.

• Provide adequate notification to customers.

For system maintenance activities in which the system is unavailable to the customer (e.g., during applicable third-weekend maintenance activities), SAS Solutions OnDemand project owners typically provide customers with advance notices (e.g., three days) prior to the system maintenance, unless the customer requires earlier scheduling to comply with contract requirements. Examples of system maintenance activities that may require advance notification include the following:

• Installation of client software.

• Installation of server patches.

• Replacement of hot-swappable components.

• Storage expansions or allocations.

• Required server reboots.

• Hardware changes.

• Maintenance of data center environmental equipment per preventive maintenance schedules.

• Change/addition of IP address values.

Note: Maintenance schedules may differ for infrastructure and other systems hosted at global data center locations.


For RMSS implementations, SAS Solutions OnDemand coordinates any SAS application maintenance schedules with customer personnel to ensure appropriate hot fixes are applied to reduce impact for users.

Backup and Restore Procedures

For enterprise-hosted or SaaS solutions, SAS Solutions OnDemand uses industry best practices to back up its operational storage, which protects customer data and systems information.

SAS performs regular backups of data as specified in the contract, including customer materials and work products stored within the system. Backups are stored securely for specified periods and are restored by SAS in the event of system failure, corruption, or accidental removal or deletion caused by SAS. Restoration of backups for reasons other than system failure or corruption or the actions of SAS may be performed at the customer’s request, but are considered additional services. SAS provides information regarding SAS’ backup and restore procedures upon customer’s request. Backup recovery schedules typically include daily, weekly, monthly, and/or semiannual backups, as described below:

• Daily. Daily backups are incremental and include customer data that has changed or is new since the last incremental backup.

• Weekly. Weekly backups include all customer data and the operating system config-uration. The customer’s entire file system, minus the excluded file list, is copied on backup media (e.g., copying data to a tape or disk).

• Monthly. Monthly backups include all customer data and the operating system configuration. The customer’s entire file system, minus the excluded file list, is copied on backup media (e.g., copying data to a tape or disk).

• Legal. Legal backups, which may be required by regulation or specific customer agreement, have a retention period of seven (7) years.

• Litigation holds or regulatory requirements. Backups that are required by court orders must be retained until the pending legal cases are resolved.

Specific customer environment recovery is based on the agreed-upon schedule, or may be defined in the customer’s hosting service agreement. Backups in the IaaS environments may include one or more of the above intervals, depending on the customers’ requirements and the availability of cloud-based archival storage. At a minimum, daily snapshots are performed on all customer environments to ensure that no more than 24 hours of data is lost in the event of a failure requiring recovery from backup images. Less than 24-hour data loss SLAs are available upon request.

Media Secure Storage for SAS Data Centers

In SAS data centers, the tape media used to store customer data contains only the data for that customer as applicable to the solution (e.g., enterprise-hosted SaaS) unless otherwise noted in the agreement between SAS and the customer. Customer data is stored on divided media, or as defined by contract, using Advanced Encryption Standards.


External media is clearly labeled, so that only assigned personnel can make a correlation to a specific customer. The tape media is placed in locked containers for transfer to an off-site vendor for a set period of time, at which point they return and are securely stored for the applicable retention period.

Media Handling by IaaS Providers

Backups for AWS servers are accomplished by taking daily snapshots of attached block storage. Snapshots are retained based on contractual data retention policies. Media that is used for cloud storage is, essentially, the delivery and consumption of virtualized storage on demand. The primary goal of media handling by IaaS providers is to protect the fundamental data that powers information systems and applications. Extra layers of data assurance and security for media handling include:

• Rapid elasticity.

• Multitenancy.

• Resource pooling.

• Logical architectures.

• Application platform interface.

• Abstracted controls.

Media handling in the cloud by IaaS providers may include:

• Databases.

• Object/file storage.

• Content/file storage.

• Volume storage.

The multiple types of cloud storage offerings are applied appropriately and are contract-specific.

Customer Care Controls

SAS Solutions OnDemand provides customer support for the hosted and RMSS solutions (when applicable) throughout its life cycle from the initial implementation to coordination with SAS Technical Support as solutions go into production. During project implementation, SAS Solutions OnDemand serves as the first level of support for all customer issues using a well-defined support model, escalation procedures and robust online issue tracking and documentation tools. As stated in the Communication section on Page 3, a project manager acts as the single point of contact for each customer engagement to ensure that all requests and issues are addressed and resolved in a timely manner. Global resources enable SAS Solutions OnDemand to provide around-the-clock support.

During the final stages of implementation, the SAS Solutions OnDemand project manager begins transitioning first-level support to SAS Technical Support. This involves a rigorous knowledge transfer process to ensure that SAS Technical Support has all information that is needed to provide quality support to the customer. The customer is then trained in how to use this new support model. SAS Solutions OnDemand continues to partner with SAS Technical Support throughout the hosting period to guarantee customer satisfaction.


After implementation activities are complete and the solution transitions into operations, SAS Solutions OnDemand provides managed services. Based on the contract and the complexity of the solution, a TAM may be assigned to the account. SAS Solutions OnDemand TAMs are specialized managed services professionals who work with customers to ensure that the SAS solutions meet and evolve with the customers’ business needs.

SAS Solutions OnDemand TAMs have knowledge of the unique technical environments, industry best practices, and current and future SAS solutions. This valuable partnership optimizes collaboration with the extended SAS network of professionals to help realize premier customer service. Technical account management services include:

• Transition the customer from project implementation services to managed services.

• Conduct regular operational status meetings with the customer.

• Serve as primary point of contact for hosting-related questions and lead incident management, change management and problem management including:

• Diagnostics, replication of issues and retrieval of logs.

• Testing.

• Deployment of hot fixes and configurations.

• Root-cause analysis and preventive activities.

• Provide immediate attention and escalation for urgent operational incidents.

• Provide direct assistance with preventative health checks and remediation services.

• Conduct reviews of infrastructure for opportunities to reduce risk and optimize support.

Note: SAS Solutions OnDemand offers different tiers of technical account management services based on the customer’s requirements.

Incident and Problem Management Controls

Incident Management

An incident is an unplanned interruption to a customer solution or IT service or a reduction in the quality of a customer solution or IT service. Incidents can include failures or degradation of services reported by users, technical staff, third-party suppliers and partners, or automatically from monitoring tools. In association, a problem is an underlying cause of one or more incidents. The cause is usually not known when the problem record is created. The SAS Solutions OnDemand Incident Management Process provides the following, when applicable and appropriate:

• Initial assessment of the extent, severity and impact of an incident or event.

• Coordination of resources.

• Communication of status, and reporting to external stakeholders.

• Information gathering and fact finding, including, but not limited to, defect recording, hot fix determination and identification of service improvement initiatives.

• Prioritization of actions needed to recover from the incident or event.

• Post-incident documentation and communication.


Upon discovery of an incident through a monitoring system alert, customer interaction or SAS resource communications, the following steps are performed:

1. Identify and prioritize the incident. A SAS Solutions OnDemand or SAS IT resource, a customer, or an automated tool can open an incident record documenting the known information. The priority of an incident is based on impact (does it affect the entire environment, part of the environment, or one or more users?) and urgency (how long until the incident has a significant impact on the customer's environment). The priority determines response and recovery planning, as well as any required escalation.

2. Begin tracking the incident. A member of the incident management team opens a ticket documenting known details of the incident.

3. Assemble the incident management team. The incident management team is assigned based on role and skill set. This team may include, but is not limited to, resources from SAS Solutions OnDemand, SAS IT or SAS GIS.

4. Analyze the incident. Details are assessed regarding how the incident was identified, as well as any available evidence and circumstances related to the incident. Following the assessment, the best course of action is determined to resolve the incident.

5. Implement corrective actions. Corrective actions may involve a workaround or a change to address factors that contributed to or resulted from the incident.

6. Document incident resolution. A member of the SAS incident management team documents incident resolution, as applicable, in the IT service management system.

Note: For RMSS implementations, incident management is limited to SAS applications and their components because the customer typically owns and manages the hardware and related infrastructure.

Problem Management

As defined in the ITIL framework: "Problem Management is the process responsible for managing the life cycle of all problems, where problems are defined as the cause of one or more incidents." The SAS Solutions OnDemand Problem Management Process provides the following, when applicable and appropriate:

• Post-incident documentation and communication.

• Continual service improvement to prevent recurring incidents, as appropriate.

• Problem identification and resolution, including, but not limited to, root-cause analysis, lessons learned and continual service improvement.

The following steps are performed related to problem management:

1. Identify the problem. A SAS Solutions OnDemand resource or subcontractor, a SAS IT resource or other project resource can initiate problem management. Note: All incidents that invoke the SAS Solutions OnDemand Major Incident Management Process go through the SAS Solutions OnDemand Problem Management Process.

2. Assign and discover. The problem owner reviews the request for problem management.


3. Categorize and prioritize. Priority and categorization are assessed according to business and customer impact, complexity, availability of resources and the problem goal, as appropriate.

4. Investigate and document. Investigation and documentation of root-cause analysis is performed.

5. Close the problem. All tasks required from the problem owner are identified, documented, completed and communicated to the affected parties, which may include external customers. This step also involves debriefing and documenting lessons learned, as appropriate.

Note: For RMSS implementations, problem management is limited to SAS applications and their components because the customer typically owns and manages the hardware and related infrastructure.

Awards, Certifications and Quality Notes

Because customers entrust their most important business functions to SAS as their hosting provider, SAS Solutions OnDemand must provide a robust, scalable and secure computing environment. As a result, the SAS Solutions OnDemand approach has received validation from external auditors and industry experts.

Continual Service Improvement

SAS Solutions OnDemand regularly engages third-party consultants to assess its methodologies, with the goal of aligning to best practices and standards, as well as optimizing service delivery and providing continual improvement.

SAS monitors external standards, best practices, and industry and regulatory requirements that may be applicable to its customers, and may benchmark its policies and standards against relevant third-party or government frameworks. Third-party and regulatory frameworks and standards that SAS may consider for a given customer implementation include the following:

• National Institute of Standards and Technology (NIST SP 800-53; NIST SP 800-171).

• International Organization for Standardization (ISO/IEC 27001; ISO/IEC 20000).

• Internal Revenue Code § 6103(p)(4)(A) and the associated IRS Publication 1075.

• Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act.

• Information Technology Infrastructure Library (ITIL).

• Food and Drug Administration Title 21 Code of Federal Regulations (CFR) Part 11.

• Family Educational Rights and Privacy Act (FERPA; 20 U.S.C. § 1232g; 34 CFR Part 99).

• International Society for Pharmaceutical Engineering (ISPE) Good Automated Manufacturing Practice (GAMP) Guide for Validation of Automated Systems in Pharmaceutical Manufacture.


SOC 2/SOC 3 Type II Processes and Controls

Service Organization Control (SOC) reports are designed to help service organizations, which:

• Operate information systems and provide information system services to other entities.

• Build trust and confidence in their service delivery processes and controls through a report by an independent certified public accountant.

SOC 2 reports are intended to meet the needs of a broad range of users who need information and assurance about the controls at a service organization. These controls affect the security, availability and processing integrity of the systems the service organization uses to:

• Process the users’ data.

• Protect the confidentiality and privacy of the information processed by these systems.

These reports can play an important role in:

• Oversight of the organization.

• Vendor management programs.

• Internal corporate governance and risk management processes.

• Regulatory oversight.

There are two types of SOC 2 reports. A Type 1 report covers the description of the system and the suitability of the design of its controls at a point in time; a Type 2 report also covers the operating effectiveness of those controls over a review period. SAS delivers a Type 2 report, which offers a description of SAS' hosting system and the auditor's opinion on the suitability of the design and operating effectiveness of its controls.

SOC 3 reports provide only the auditor's summary opinion on whether the system achieved the trust services criteria, which include security, availability, processing integrity, confidentiality and privacy. SAS also offers a SOC 3 report.

These reports, which can be provided to customers subject to the execution of an appropriate nondisclosure agreement, confirm that SAS Solutions OnDemand has effective procedures and controls in place to deliver reliable, safe and secure services.

TRUSTe Privacy Certification/EU-US and Swiss-US Privacy Shield Certifications

SAS Solutions OnDemand is audited annually by TRUSTe for compliance with the EU-US and Swiss-US Privacy Shield principles of notice, choice, onward transfer, security, data integrity, access and enforcement with respect to the collection, use and retention of personal data from European Union member countries and Switzerland. SAS Solutions OnDemand annually self-certifies to the EU-US and Swiss-US Privacy Shield framework programs operated by the US Department of Commerce. These programs are designed to provide a streamlined means for US organizations to comply with the requirements of the European Commission's Directive on Data Protection regarding the transfer of personal data to non-European Union countries, and its Swiss equivalents. TRUSTe's privacy certification of SAS Solutions OnDemand includes ongoing platform monitoring and multilingual privacy dispute resolution services for consumers.

For more information about Privacy Shield or to access our certification statement, please review the US Department of Commerce’s Privacy Shield website at privacyshield.gov.

References

American Institute of CPAs. Service Organization Controls (SOC) Reports for Service Organizations. www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/serviceorganization'smanagement.aspx. Accessed Sept. 19, 2017.

Privacy Shield certification statement. https://www.privacyshield.gov/participant?id=a2zt0000000GnvOAAS&status=Active. Accessed Sept. 19, 2017.

SAS white paper, 2015. Continuity of Business. www.sas.com/content/dam/SAS/en_us/doc/other1/continuity-of-business.pdf. Accessed Sept. 19, 2017.

SAS white paper, 2017. The Quality Imperative: SAS Institute’s Commitment to Quality. www.sas.com/software/quality-paper.html. Accessed Sept. 19, 2017.

SAS Solutions OnDemand Business Customer Privacy Policy, 2017. www.sas.com/en_us/legal/on-demand-privacy.html. Accessed Oct. 12, 2017.

SAS white paper, 2017. Hosted Managed Services for SAS Technology. www.sas.com/content/dam/SAS/en_us/doc/whitepaper1/hosted-managed-services-for-sas-technology-108638.pdf. Accessed Sept. 19, 2017.

SAS white paper, 2017. Delivering SAS Expertise to Your Door: The Power of SAS Remote Managed Software and Services. www.sas.com/content/dam/SAS/en_us/doc/whitepaper1/delivering-sas-expertise-to-your-door-108653.pdf. Accessed Sept. 19, 2017.

SAS white paper, 2017. SAS Results Delivers Value. www.sas.com/content/dam/SAS/en_us/doc/whitepaper1/sas-results-delivers-value-108618.pdf.

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. Copyright © 2018, SAS Institute Inc. All rights reserved. 107370_G71369.0118

To contact your local SAS office, please visit: sas.com/offices