SAS 70:

August, 2008

Aug 27 2008   2:30PM GMT

Successful traits of a CIO equal successful SAS70 audits (Part 3) – SAS 70



Posted by: sas70expert
Third-party services, Management, Compliance, Auditing, Monitoring, CIO, CEO, SAS 70

At 5pm, the CEO returned to his office with a cup of coffee and a very unpleasant frown. He barked out a few orders to his administrative assistant. I knew then that it was all going to roll downhill. Apparently, an IT Director had signed a vendor contract with some very unfavorable terms. Luckily, the IT Director was no longer with the Company; therefore, the CIO was the one who would be assigned the cleanup work.

In order to deal with this situation, the CIO would have to quickly understand the requirements of the CEO and the expectations of the vendor. If he failed to deliver for either of them, the consequences for IT operations could be serious. These types of political maneuvers happen every day, and it takes a skillful politician as a CIO to produce favorable results.

A CIO can use her political skills to deal effectively with a SAS70 audit. When an auditor identifies an audit exception, the CIO may fully agree with the auditor; however, the description of the audit exception may need to be qualified in order to maintain a close relationship with the CEO. Sometimes negotiations are even held over simple words, such as “sometimes,” because they can make a big difference in the eyes of the Board of Directors or Audit Committee. What are some of the circumstances that you may have been involved in? Were you successful in avoiding pitfalls? What worked best for you?

Sas70expert@gmail.com

Aug 25 2008   8:50PM GMT

Successful traits of a CIO equal successful SAS70 audits (Part 2) – SAS 70



Posted by: sas70expert
Management, Compliance, human factors, Auditing, CIO, SAS 70

A very successful CIO told me once, “I can see the stars, but I can’t see the future.” At the time, I was very inexperienced and wasn’t really clear about this statement. Now I think I understand: his experience, drive, education, and passion allowed him to see opportunities for Company growth and advancement in unproven markets. Being a visionary is one of the most important characteristics of career stability and longevity.

This characteristic will also help you guide your SAS 70 auditor to a successful audit. Because you know your operations better than anyone else, you should be able to quickly provide your auditor with the answers and solutions required to plan and conduct the audit. By staying on top of your day-to-day operations, and not focusing all your attention on the Boardroom, you will have the information necessary to deal with audit exceptions when they arise. Do you have systems, applications or reporting mechanisms in place that provide you with operating results on a timely basis? If so, what works best for you within your Company?


Aug 21 2008   12:59AM GMT

Successful traits of a CIO equal successful SAS70 audits (Part 1) – SAS 70



Posted by: sas70expert
Compliance, Auditing, Monitoring, CIO, SAS 70, CSO

If you have to conduct a SAS70 audit within your organization, are you ready? As a CIO, do you have the leadership skills necessary to make the audit a success?

A recent survey by TechRepublic lists the following criteria that an effective CIO or CSO must have in order to lead a 21st century information technology (IT) team. These characteristics are (not necessarily in order of priority):

Communication skills

Be a visionary

Able to deal with office politics effectively

Have an understanding of financials

Leverage key technologies

Ability to build a strong team

As a CIO, these characteristics are required to be an effective leader. In addition, these same characteristics will make you an effective CIO or CSO when a SAS70 audit is conducted. From the initial planning and scoping phases of the audit, you must take the initiative to develop a strong relationship with your auditor. Don’t be afraid to tell him all the bad and the good when discussing your IT operations. By developing an open rapport and having frank discussions, you will quickly develop a lasting bond with your auditor. Do you have this type of relationship with your auditor?


Aug 20 2008   4:26AM GMT

Is pre-boot authentication required? SAS70



Posted by: sas70expert
Management, Access, Access control, Network, SAS 70

SAS 70 audits review the authentication procedures required to access computer equipment, including the pre-boot authentication (PBA) procedure. If pre-boot authentication is not required, the risk of someone gaining access to your Company data is very high.

What is PBA? Pre-boot authentication is a process that requires a user to authenticate before the operating system and application software are loaded. The user must enter his credentials, a username and password, before the system load begins. Once the user is authenticated, the Windows or Linux operating system is loaded. If the correct username and password are not entered, the pre-boot authentication process will not load the operating system and the computer will lock down.

Pre-boot authentication prevents a criminal hacker from gaining access to your data by refusing to load the operating system. Since the bypass tools load after the operating system, a hacker won’t get a chance to attempt entry or to use the Windows XP or Vista emergency disks. SAS70ExPERT at gmail.com


Aug 18 2008   12:33PM GMT

What’s your standard? SAS70



Posted by: sas70expert
Compliance, Auditing, ISO, ITIL, SAS 70

ITIL provides you with a simple-to-understand set of IT standards and guidance for specific operational situations in your IT environment. ITIL best practices are both prescriptive and descriptive. Are you using it for guidance? Many SAS70 auditors will want to know what guidance you are using as your IT roadmap: COBIT, ITIL, or ISO standards.

COBIT will provide you with overall corporate governance. ISO and ITIL are much more operational and provide in-depth procedures. All of them require resources and funds to implement. Many organizations use a combination; they take a more holistic approach. Which do you consider the most effective for your organization? Sas70Expert@gmail.com


Aug 14 2008   12:01PM GMT

What is the difference between a Type I and a Type II SAS70 report? SAS70ExPERT



Posted by: sas70expert
Compliance, Auditing, DataCenter, SAS 70

Your largest customer called and asked for your SAS70 audit report and which type of audit was completed. Do you perform a Type I or a Type II? Don’t flip a coin; you must consider your objectives.

A SAS 70 Type I audit report provides an audit opinion of your Company’s operating environment. A Type II report combines the elements of a Type I report but requires extensive testing over a defined period of time. Which is more appropriate for your organization? In accountant speak, it depends.

Consider these objectives: determine what your customers require and where your operating and IT controls need improvement; whether your policies and procedures are well documented; and how much you can afford. In general, a Company would first perform a Type I and then a Type II SAS 70 audit. You may not have been reviewing firewall logs or monitoring user access to your Exchange server over a six month period, which a Type II audit requires. In that case, a Type I would be more suitable. In addition, performing a Type I audit first would allow you to quickly learn the areas for improvement within your IT framework. Which type of SAS 70 audit are you pursuing, and what are your objectives? Sas70expert@gmail.com


Aug 11 2008   8:17PM GMT

CIO and the SDLC success story – SAS70ExPERT



Posted by: sas70expert
Third-party services, Security, Compliance, Auditing, CIO, SAS 70

What’s your plan as a new CIO to make IT operations a success? Consider Jack Ben, newly appointed CIO. In his new role, he assumes the management and performance of the financial statement application and has to complete a SAS70 audit in six months. This application has been in use for over 7 years, and much of the customization, reporting, and user access management is performed by a third party vendor. What roadblocks do you face in meeting strategic objectives and making your bonus plan?

Consider the following:

1) If your vendor performs customization, then the specialized knowledge needed to maintain new software upgrades, enhancements and reports remains with the vendor. This could wrestle your CIO title to the ground, unless you require the vendor to supply you with instruction manuals, executive level briefings and/or detailed on-line help features.

2) In addition, is the software code in escrow? Your vendor contract should require the vendor to maintain the source code in a safe and secure lockbox. Even if your vendor doesn’t survive the economy, your source code will! In addition, you could hire your vendor’s coders to work for you.

In a SAS70 audit, if your sole operating system application is managed by an outsourced vendor, the auditor will request that the vendor have a SAS70 audit performed. In addition, the auditor will require controls that preserve your control over the application. What steps have you put in place to manage your outsourced systems? Do you have a comprehensive SLA? Do you have a project leader who monitors your outsourced vendor and your application?


Aug 10 2008   7:54PM GMT

Telecommuting as a SAS70 audit control? – SAS70ExPERT



Posted by: sas70expert
Third-party services, Security, Compliance, Auditing, Access control, Network, CIO, Telecommuting, SAS 70

As transportation costs continue to skyrocket over the summer, telework (telecommuting) is becoming the new trend among office environments. Basically, we have been doing a form of telework by outsourcing all of our jobs overseas, so this premise is not really new; it’s just new for American workers. According to a recent survey by the advocacy group Telework Exchange, 92 percent of workers said their work could be performed from home. I agree that operating expenses could be reduced by:

1) less office space per employee

2) reduced transportation costs from commuting to work

3) reduced computer hardware expenses

But what is the downside of a remote workforce, and what effect will it have on company information assets? These information assets are now stored in a family’s home on First Avenue, in a 3 bedroom, 2 bath house, instead of your 5 story office building. These telecommuting risks will need to be examined by management and should be considered in a SAS70 audit.

Consider that most employee homes will not have extended physical or environmental security, only garage door locks and an air conditioner. Their home office could be located next to their children’s bathroom, a likely water hazard, or in an open space by a garden window. How easy would it be for a burglar to reach in, knock your coffee cup over, and grab your computer from your first floor home office? Really easy, as I think many homes today still do not have a home alarm system on their windows. Critical company information could then be sold on the internet.

In addition, what network security are you assured that they have on their home computer? Do they have the latest antivirus application? Is their firewall always up and running, or might it be turned off to watch a movie?

Is your IT staff prepared to make housecalls? Your company information assets now reside at your employees’ homes. They are no longer on the second floor of your office, but could be 20-30 miles away at a home on First Avenue. You must now manage users at locations that are spread miles apart. This may be okay if 15% of your workforce is remote, but what if it is 92%? Is your IT staff trained accordingly? If they have to make housecalls, do transportation costs truly decrease? Who is managing the network while your IT Administrator is stuck in traffic on his way to the Marketing Director’s home to fix his computer?

Any third party vendor must complete a SAS70 audit to assure its customers that their data is secure. Are you ready to expand your company floor space beyond the office perimeter? Telecommuting risks must be considered in the SAS70 audit process. What are some of the risks you have identified? Do you even have any policies in place at your company which specifically discuss the do’s and don’ts of a telecommuter?


Aug 8 2008   4:09PM GMT

Do Risk Assessments increase profits? SAS 70 (part two)



Posted by: sas70expert
Risk management, CIO, DataCenter, SAS 70

When performing the risk assessment required for the SAS70 audit, dive in head first, but keep your eyes focused on the details. Meet with C-level executives and line-level managers and have direct and open discussions about the perils that your company faces. Don’t be afraid to ask questions or to confront CIOs with pointed questions. If they don’t know the answer or the risk, you are already in big trouble.

Three goals CIOs should keep in mind during these uncertain economic times are to:

1) reduce operating expenses

2) increase capacity in the data center

3) improve reliability of IT infrastructure

If you determine the risks to meeting these three objectives, then you are well on your way to completing a reliable risk assessment. Sas70expert@gmail.com


Aug 7 2008   7:06PM GMT

Do Risk Assessments increase profits? SAS 70 (part one)



Posted by: sas70expert
Security management, Security, Information risk management, Risk management, Financials, CIO, DataCenter, CFO, SAS 70, CSO

SAS70 audits are becoming a standard for any outsourced organization. As part of the audit process, a company must perform an internal risk assessment of its IT and business related risks. According to a recent survey of IT Executives, these are the top five areas of concern:

  1. Security
  2. Systems management tools
  3. Virtualization solutions
  4. Product road map
  5. Power consumption

While power consumption was number five, I think that it has taken on greater significance today than ever before. If you are paying $4.50 at your local gas dealer, then you can expect to continue paying higher prices for electricity for your data center. What steps are you taking to conserve energy? Are you a part of a “green revolution?” From the component level, through the server and rack level, all the way up to the datacenter, I would expect everyone to be finding ways to cut costs and increase profit. I think a risk assessment which reviews the operating details of your Company will assist you in meeting corporate objectives.