November, 2008

What cabinet position would you want to be elected too? SAS 70

As we begin a new election process, our President is currently in the process of deciding who will fill cabinet level positions. Some bring foreign prestige, such as Secretary of State, and others focus more on domestic issues, such as Secretary of Treasury. Any of these positions will require persons with decisions making ability and new imaginative ideas to manage our growing economy. If I were Director of Office and Management and Budget, I would want to quickly define requirements to manage any new economic stimulus packages. SAS 70 audits would be a requirement that would be enclosed in any new legislation.

If the Federal Government and Warren Buffett is going to own much of our economy, how can we be sure that the financial transactions are processed correctly and that our personal data is kept safe? Yes! SAS 70 audits can fulfill that role.

Currently, we are dishing out funds at record pace. Sometimes {sarcastically}, I wonder why don’t we give every American a printer, and tell them to print only what they need. As a taxpayer, I don’t have any idea what my return on this investment will be. When you purchase Coca-Cola stock, I know what their dividend will be? What is our return on our investment in Citigroup and AIG?

AS 70 audits must become a fundamental requirement for almost any service organization to conduct business with the Federal Government. Do you agree?  Trackback URL

Have you been Clickjacking lately? SAS70

 Clickjacking threatens all major internet browsers – internet explorer, Mozilla firefox, Safari and Opera. What is it? Clickjacking is not when your wife takes over the remote control. It is when a browser user puts his mouse on a sign button, but a tag is placed under the button that the user may not see. When the user clicks, he then sends information to an unauthorized source. This could destroy the legitimacy of your web application or you SaaS.

There are several possible solutions to this hacker attack, but only with updates by the browser vendors. Firefox has a stop-gap solution in place – “no-script.” It is a technical solution and not for everyone. If you process credit card information, your SAS 70 auditor will look to see what precautions you have taken. What measures do you have in place?  Trackback URL

Outsource with a Plan - SAS70

As more businesses outsource IT to third-party services, data privacy and integrity are paramount to the success of your operations. The SaaS small and medium businesses have a responsibility to ensure your data is processed correctly and that it is kept safe. SAS 70 audits are requirement.

Before outsourcing to save funds, make sure you have a defined plan. Without it, one small security breach of a politicians’ social security number can destroy your company reputation and your ability to generate new business. This plan should included:

1)definitions related to service levels. You will require your vendor to have uptime of at least 99%.

2) the ability to process your information quickly. Customers accesses your company website and purchasing items should occur relatively fast.

3) reporting functions which allow you monitoring capability and to  capture your data and analyze.

4) a Disaster Recovery plan, a single hardware failure can result in the loss of business.

 SAS70expert at gmail.com

Have you checked your email today? – SAS70

When considering the scope of your SAS 70 audit, do you consider email an important company asset? Would it contain critical information on your customers? 9 out 10 times an email will contain customer financial data, executive contact information, and related gossip. Some SAS 70 audits fail to note the importance of maintaining security of company email systems.

Email systems must be protected from internal and external threats. Other employees gaining access to other’s email systems or hackers trying to break into your email servers could walk away with critical information. Executives would not be happy when receiving notice of a lawsuit by a customer because a hacker gained the schematics of their datacenter.

If you are using ActiveDirectory, perform periodic reviews users with access to email. In addition, limit administrators to as few as possible. Make sure your user access procedures are documented, approved, and implemented for your company. Terminated employees must be removed from email access immediately. Implementing these fundamental controls will assist you in completion of your SAS70 audit. SAS70expert@gmail.com

Capacity and Utilization in No. 1 in 2008 - SAS70

Even without the SAS70 requirement, capacity and utilization should be a major focus within your DataCenter environment. if you want your energy costs to controlled, simply turn off some of your servers and desktops. The turnoff approach can result in nearly 10% decrease in power consumption for every 100 servers says Nermetes Research. In addition, this will allow the servers in operation to have better processing performance.

Power management may be automated. Software applications will monitor power consumed and turn off equipment when the need decreases.  The software will also power power and capacity usage reports that may be used to further customize your operations.

SAS 70 audits will require you to manage your operations not only to protect your customers data, but to verify that your service level agreements are met.  SAS70expert at gmail.com

SaaS and SAS70 – SAS70ExPERT

As more outsourcing of applications takes place in this economy by using SaaS(software-as-a-service), is Management producing costs savings? and how many SAS70’s will you be required to collect? From the Data Center operations, the IT support vendor, and the application provider?

When you perform your cost-benefit analysis items to consider are

• Who will benefit from access control for your application
• From where will your visitors/employees/customers be connecting to your information, vpn network, cellphone or pda, or other web enabled device
• Obtain more control over your licensing costs
  

As you develop a strategic plan to use SaaS, build fundamental close relationships with your vendors and define them carefully in your contracts. Constantly update your contracts or service level agreements to match your needs and develop tools to monitor the success of your vendor meeting your requirements.

SAS70 must be performed on your SaaS vendor to provide you with the reliability, confidentiality and integrity of service to be provided to you and your customers. Control objectives may be similar or different, but careful examination of the audit report should be performed in order to determine that your data is secure. SAS70ExPERT.biz