
    Standards Key to Secure Managed Service

    SPECIAL REPORT: Managed Services


    By Jeff Erlichman

    Managed Services providers are working hard to take their services to a higher level.

     

    Federal managers are pretty uncomfortable when their data resides outside their installation and outside of their firewall.

     

    After all, in a Managed Services environment, data will be in motion and at rest outside of the firewall. It doesn’t matter if it is in a single vendor’s data center or in a secure segment of a public or private cloud.

     

    Then, consider this. Much of your organization’s records are not electronic. They are paper.

     

    “I challenge any federal agency that’s very concerned about who is managing their content, to go and look at what they are doing with their paper physical records,” declared Dan Carmel, CEO of SpringCM in a recent interview with 1105 Government Information Group Custom Media. SpringCM is a Content Management platform service provider.

     

    Carmel said they are packing it up in boxes and shipping out to a third party vendor. “Maybe it’s somebody called Iron Mountain, maybe it’s somebody called Pitney Bowes. They are shipping it out to a third party vendor who is managing it in a physical warehouse side by side, co-mingled with the physical content of every other organization’s stuff. Plus there is no backup to the warehouse.”

     

    Agencies have chosen to do this for years so “let’s get away from I’m uncomfortable with content residing outside my firewall,” said Carmel. “It is outside your firewall right now.”

     

    Trusted Content Keepers
    The key issue in considering Managed Services is not where the content resides, because your content already resides outside your firewall; really the question is, what is the standard?

     

    Is it managed by staff or contractors who may not be well trained, who do not understand the value of the content and may not be effectively securing the content? Or is the content managed in a secure facility that’s like a bank data center where each employee considers themselves to be the steward of the content? Further, the content is backed up and managed rigorously. That’s the difference, said Carmel.

     

    “The issue is how is your content being managed? For that, most Managed Service providers and people who operate in the cloud like us can produce documents and certifications,” Carmel explained. “We spend a fair amount of money every year to have our operational procedures documented. It’s been developed with an auditing firm and it’s a written document the audit firm signs off on.”

     

    Carmel explained his company undergoes a physical audit to ensure that it is complying with the operating procedures that they provide. The company’s operations manual is available to anyone who wants to look at it to measure or to compare with their own operating standards.

     

    SAS 70
    For managed services providers such as Carmel, the key standard – the “Good Housekeeping Seal of Approval” – is called SAS 70.

     

    “SAS stands for Statement of Accounting Standards and SAS 70 is the regulation under which companies like ours submit themselves to a rigid documentation of operating procedures and parameters first,” explained Carmel.

    When considering a Managed Service it is critical to think about: What is the standard by which the content is going to be managed? How, with what assurances and what standards of care? 


    SAS 70 Level 1 requires a manual to be produced which actually specifies the ‘how’ of your content being managed, said Carmel.

     

    “Everything from the facility, physical security, facility access to software upgrades, quality control; anything the organization deems important as a control variable is documented in this policy. So the ‘how’ is documented. That’s available for inspection and that is SAS 70 Level 1.”

     

    Carmel said SpringCM is now in the midst of a Level 2 audit, which is a physical audit of those operating procedures so that its public accounting service can say they have audited the company records and found them to be in compliance with the standard.

     

    “That’s the one-two punch that solidifies that for anybody considering a Managed Service,” said Carmel. “I think that is important that organizations understand that and for lack of anything better is becoming the Good Housekeeping seal for software service offerings in a cloud.”