SAS 70

Dec 7 2008   1:24PM GMT

Importance of User access policy? SAS70

Keith Harrell Profile: SAS70ExPERT

Recently, I was on a plane flying home and started talking to a CIO about his SAS 70 audit. He seemed dismayed about a former trusted employee taking proprietary data from his company. He noted that they had a policy in place to remove the terminated employee from the company applications; however, this employee was able to walk away with the company’s list of customers.

 

Authorization of access to company applications and removal is a critical process that should be documented and followed by all employees, including executives. In our discussions, he noted that the CEO was a mover and shaker, but he did not always follow company procedures. This loss of data was a direct result of not following policy.

 

It is critical to a company and to the SAS 70 audit examination that employees and executives follow company policy to gain access and removals to company applications. Otherwise, why have a policy – Give everyone administrative access.

 

A good policy should require IT to only be the custodian of applications. They should only provide access when authorized by the business operations and initiated by human resources. Sas70expert@gmail.com

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: