Oct 22 2008 2:26AM GMT
Posted by: sas70expert
Third-party services,
Management,
Monitoring,
SAS 70
During a SAS70 audit, an auditor may examine any relationships with third parties. Any third party agreements or service level agreements should contain:
1. procedures to protect all outsourced data, applications or hardware
2. a description of the services provided and the target level of services
3. the establishment of an escalation process should an incident occur
4. the right to audit and determine that they are adhering to your agreement
5. the respective liabilities of both parties should an incident occur.
During a SAS70 audit, you have a choice to exclude your outsourced services or include them in the examination. I would recommend you include them, especially if they are essential to the services you are providing to your customers. SAS70ExPERT@gmail.com
Oct 21 2008 12:07AM GMT
Posted by: sas70expert
Third-party services,
Auditing,
Access,
Access control,
SAS 70
Access rights for current employees are essential for the completion of a successful audit. Your company should have a hiring and firing policy that is followed to the letter of the law. When an employee is hired or fired, there should be an authorization process to add them to or delete them from company systems or applications. It is essential that you educate your current employees, contractors, and third-party users on this process on a continual basis.
Your company should consider not only operating systems or applications, but physical access to company assets. Shared passwords or usernames should be immediately deactivated once an employee or third party leaves. When developing a policy for hiring or terminating, consider:
1. whether the termination or change of employment will be initiated by you or a third party
2. the current responsibilities of the employee
3. the value of the company assets or data that the employee has access to.
Without a good termination policy or checklist, you will have exceptions within your SAS 70 audit.
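The termination checklist above only produces audit evidence if someone actually compares the HR roster against what is still enabled on each system. The following is an added example (not code from the original post) of that reconciliation: it takes a constructed HR roster and a constructed account inventory, and returns the exceptions an auditor would raise, including shared credentials that a leaver still knows. The names, systems, dates and the review date `AS_OF` are all made up for the illustration.

```python
"""Reconcile system accounts against an HR roster to find termination exceptions.

Added, constructed example; not the blog author's code. In practice the
roster comes from HR and the account list from each system or directory.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    user_id: str
    status: str                       # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner: Optional[str]              # HR user_id, or None if nobody is recorded as owner
    enabled: bool
    shared: bool = False              # credential known to more than one person


# Constructed review date (the post's date) and HR roster
AS_OF = date(2008, 10, 21)
ROSTER = {
    "jsmith": Person("jsmith", "active"),
    "mlee": Person("mlee", "terminated", date(2008, 9, 30)),
    "contractor7": Person("contractor7", "terminated", date(2008, 10, 3)),
}

# Constructed account inventory pulled from three hypothetical systems
ACCOUNTS = [
    Account("ad", "jsmith", "jsmith", True),
    Account("ad", "mlee", "mlee", True),                     # terminated, still enabled
    Account("ad", "contractor7", "contractor7", False),      # correctly disabled
    Account("vpn", "mlee", "mlee", False),                   # correctly disabled
    Account("erp", "erp_batch", None, True, shared=True),    # shared, nobody accountable
    Account("erp", "ops_admin", "mlee", True, shared=True),  # shared credential a leaver knows
]


def find_exceptions(roster, accounts, as_of):
    """Return (reason, account) pairs for enabled accounts that violate the policy."""
    exceptions = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are what the checklist should produce
        owner = roster.get(acct.owner) if acct.owner else None
        if acct.owner and owner is None:
            exceptions.append(("owner not in HR roster", acct))
        elif owner and owner.status == "terminated":
            days = (as_of - owner.terminated_on).days
            if acct.shared:
                reason = "shared credential known to a terminated user was not rotated or disabled"
            else:
                reason = f"owner terminated {days} days ago, account still enabled"
            exceptions.append((reason, acct))
        elif acct.shared and acct.owner is None:
            exceptions.append(("shared account with no accountable owner", acct))
    return exceptions


def summarize(exceptions):
    """Count exceptions per system for the audit workpaper."""
    counts = {}
    for _, acct in exceptions:
        counts[acct.system] = counts.get(acct.system, 0) + 1
    return counts


if __name__ == "__main__":
    for reason, acct in find_exceptions(ROSTER, ACCOUNTS, AS_OF):
        print(f"{acct.system}/{acct.username}: {reason}")
```

Run this on a schedule (or at least before the audit period closes) and keep the output; an empty exception list is the evidence that the termination checklist is being followed, and a non-empty one tells you exactly which system owner to chase.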
Oct 6 2008 3:26PM GMT
Posted by: sas70expert
Access control,
SAS 70
Wachovia Bank has sent you an email stating that your account has been compromised and that you must click the link and enter your username and password. STOP!!! This is phishing. Phishing usually takes the form of an illegitimate email that looks real! But it is only pretending to be your authorized vendor requesting information. A SAS 70 auditor will require you to have an escalation policy in place to assist in preventing unauthorized access to company information assets. Your company's escalation policy should include:
· Procedures which inform whom you should contact should such an event occur
· In addition, many companies will want you to report the link or forward the entire email to their corporate security administrator
Be sure your authentication policy for your approved users is strong. It should require usernames and passwords and other secondary authentication mechanisms that are not easily guessed or frequently reused. Have you been phished lately?
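The post describes the two halves of the control: recognising that the message only looks like it comes from your vendor, and then escalating it to the right contact. The following is an added example (not the blog author's code) that shows both on a constructed message: it checks the sender domain and every link against an allow-list of the vendor's real domains, flags link text that shows one domain while pointing at another, and builds the report that the escalation policy says should be forwarded to the security administrator. `EXPECTED_DOMAINS`, `SECURITY_CONTACT`, the domains and the sample email are all constructed for the illustration.

```python
"""Flag a suspected phishing e-mail and build the escalation record.

Added, constructed example; not the blog author's code. All domains,
addresses and the sample message are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the domains your vendor really sends from and links to
EXPECTED_DOMAINS = {"wachovia.example"}
# Constructed contact taken from the escalation policy
SECURITY_CONTACT = "security-admin@example.com"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._link_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def registrable(host):
    """Crude reduction to the last two labels (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_url(url):
    return registrable(urlparse(url).hostname or "")


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def triage(sender, subject, html_body):
    """Return (findings, escalation); escalation is None when nothing is suspicious."""
    findings = []
    sender_domain = registrable(sender.split("@")[-1])
    if sender_domain not in EXPECTED_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not an expected vendor domain")

    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        target = domain_of_url(href)
        if target not in EXPECTED_DOMAINS:
            findings.append(f"link to {target} is not an expected vendor domain")
        if looks_like_url(text):  # display text that looks like a URL must match the real target
            shown = domain_of_url(text if "://" in text else "http://" + text)
            if shown != target:
                findings.append(f"link text shows {shown} but points to {target}")

    body = "".join(parser.text).lower()
    if "password" in body and ("click" in body or "link" in body):
        findings.append("message asks you to follow a link and enter a password")

    escalation = None
    if findings:
        escalation = {
            "forward_to": SECURITY_CONTACT,
            "subject": f"[PHISH REPORT] {subject}",
            "findings": findings,
        }
    return findings, escalation


# Constructed sample message modelled on the post's scenario
SAMPLE_SENDER = "alerts@wachovia-secure.example"
SAMPLE_SUBJECT = "Your account has been compromised"
SAMPLE_BODY = """<p>Your account has been compromised. Click the link below and enter
your username and password to restore access.</p>
<a href="http://login.wachovia-secure.example/verify">https://www.wachovia.example/secure</a>"""

if __name__ == "__main__":
    found, report = triage(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_BODY)
    for line in found:
        print("-", line)
    print("forward to:", report["forward_to"] if report else "nobody")
```

The allow-list is the important design choice: the check is against what your vendor is known to use, not against a list of bad domains, so a lookalike domain you have never seen before is still caught. The text-versus-target comparison catches the common trick the post describes, a link that reads as the real bank's address but goes somewhere else.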
Oct 1 2008 4:26AM GMT
Posted by: sas70expert
Network security,
Incident response,
Security,
Security Program Management,
Network,
CIO,
SAS 70
For any security program, you must start with the basics and begin with an information security plan. In a SAS 70 audit, an auditor will examine a CIO's operations to determine that you have security program management, incident response, and that appropriate training is provided to your employees. Your security plan should include at least:
· Procedures to protect and provide access to IT systems and applications
· Procedures to report incidents when they occur
· Investigation practices required to prevent future incidents
· The right to revoke any user access at anytime
Training should occur regularly for all employees, and no employee should be granted access to your systems without taking your company's network security training. Do you have a plan in place? If so, send me a generic sample and I will share it with our readers.