December 2, 2008 1:52 PM
Posted by: SAS70ExPERT
CFO,
CIO,
SAS 70,
Security management
What would you pay for an eight-gigabyte USB hard drive? Some would say billions, especially if it contained your company's financial or other critical data. Every day you read about lost or stolen company data: intellectual property, credit card numbers, or even your CFO's personal medical information. Lost drives are also the fastest and surest way to give a CIO a security headache. What are you doing to protect these information assets?
If your company or your staff is saving company or customer data to USB drives, you need to set standards in your security management program to protect this information. A SAS 70 audit will require you to have standards that include:
1) Require that all data stored on USB drives be encrypted.
2) Require that only USB drives that are password protected be used.
3) Notify and train your employees on this policy, and have a procedure in place that requires employees to report lost or stolen USB drives immediately; otherwise, be prepared for "headlines" and a lawsuit.
Are you involved with securing your corporate data, and if so, are you worried about the insecurity of USB disk drives? What measures do you have in place? Sas70expert@gmail.com
December 1, 2008 11:10 PM
Posted by: SAS70ExPERT
budget,
SAS 70
In order to meet budgetary guidelines, you may want to ask for your handout from the US government. I know I would like to receive mine. My business is just getting started, but I could justify that if the economy had held out, I would be substantially better off. Our newly elected president is going to have a struggle, but I hope that he will find a solution.
By accepting a portion of the stimulus package, US companies have basically outsourced/sold part of their business. Shouldn't that mean that more regulation is required? With any loan or buy-back option, more oversight is required to make sure funds are managed appropriately and that contractual agreements are met. Should that include SAS 70 audits? Basically, how can we prevent frivolous use of our funds? I think SAS 70 audits are an essential part of the regulation process. Sas70expert@gmail.com
November 30, 2008 8:39 PM
Posted by: SAS70ExPERT
Auditing,
Management,
SAS 70
As we begin a new election process, our President is currently in the process of deciding who will fill cabinet-level positions. Some bring foreign prestige, such as Secretary of State, and others focus more on domestic issues, such as Secretary of the Treasury. Any of these positions will require persons with decision-making ability and new, imaginative ideas to manage our growing economy. If I were Director of the Office of Management and Budget, I would want to quickly define requirements to manage any new economic stimulus packages. SAS 70 audits would be a requirement included in any new legislation.
If the Federal Government and Warren Buffett are going to own much of our economy, how can we be sure that financial transactions are processed correctly and that our personal data is kept safe? Yes! SAS 70 audits can fulfill that role.
Currently, we are dishing out funds at a record pace. Sometimes (sarcastically) I wonder why we don't give every American a printer and tell them to print only what they need. As a taxpayer, I don't have any idea what my return on this investment will be. When I purchase Coca-Cola stock, I know what their dividend will be. What is our return on our investment in Citigroup and AIG?
SAS 70 audits must become a fundamental requirement for almost any service organization to conduct business with the Federal Government. Do you agree? Sas70expert@gmail.com
November 27, 2008 4:37 PM
Posted by: SAS70ExPERT
browsers,
Clickjacking,
firefox,
internet,
internet explorer,
Opera,
SaaS,
Safari,
SAS 70,
vendors
Clickjacking threatens all major internet browsers: Internet Explorer, Mozilla Firefox, Safari and Opera. What is it? Clickjacking is not when your wife takes over the remote control. It is when a browser user puts his mouse on what looks like a sign-in button, but an invisible element (typically a transparent frame of another site) is layered over it, so the click lands on a control the user never saw. The user thereby sends information to, or authorizes an action for, an unauthorized party. This could destroy the legitimacy of your web application or your SaaS.
There are several possible solutions to this attack, but a complete fix requires updates by the browser vendors. Firefox has a stop-gap solution in the NoScript extension. It is a technical solution and not for everyone. If you process credit card information, your SAS 70 auditor will look to see what precautions you have taken. What measures do you have in place? Sas70expert@gmail.com
November 27, 2008 1:40 AM
Posted by: SAS70ExPERT
Disaster Recovery,
Monitoring,
SaaS,
SAS 70,
Third-party services
As more businesses outsource IT to third-party services, data privacy and integrity are paramount to the success of your operations. Small and medium SaaS businesses have a responsibility to ensure your data is processed correctly and kept safe. SAS 70 audits are a requirement.
Before outsourcing to save funds, make sure you have a defined plan. Without it, one small security breach, such as the leak of a politician's social security number, can destroy your company's reputation and your ability to generate new business. This plan should include:
1) definitions related to service levels. You should require your vendor to provide uptime of at least 99%.
2) the ability to process your information quickly. When customers access your company website, purchasing items should occur relatively fast.
3) reporting functions that give you monitoring capability and let you capture and analyze your data.
4) a Disaster Recovery plan; otherwise a single hardware failure can result in the loss of business.
SAS70expert@gmail.com
November 26, 2008 2:17 AM
Posted by: SAS70ExPERT
ActiveDirectory,
DataCenter,
SAS 70
When considering the scope of your SAS 70 audit, do you consider email an important company asset? Would it contain critical information on your customers? Nine times out of ten an email will contain customer financial data, executive contact information, and related gossip. Some SAS 70 audits fail to note the importance of maintaining the security of company email systems.
Email systems must be protected from internal and external threats. Employees gaining access to others' mailboxes, or hackers breaking into your email servers, could walk away with critical information. Executives would not be happy to receive notice of a lawsuit from a customer because a hacker obtained the schematics of their data center.
If you are using Active Directory, perform periodic reviews of users with access to email. In addition, limit administrators to as few as possible. Make sure your user access procedures are documented, approved, and implemented for your company. Terminated employees must be removed from email access immediately. Implementing these fundamental controls will assist you in completing your SAS 70 audit. SAS70expert@gmail.com
November 25, 2008 1:36 AM
Posted by: SAS70ExPERT
DataCenter,
SAS 70
Even without the SAS 70 requirement, capacity and utilization should be a major focus within your data center environment. If you want your energy costs to be controlled, simply turn off some of your servers and desktops. The turn-off approach can result in nearly a 10% decrease in power consumption for every 100 servers, says Nemertes Research. In addition, this will allow the servers in operation to have better processing performance.
Power management may be automated. Software applications will monitor the power consumed and turn off equipment when demand decreases. The software will also produce power and capacity usage reports that may be used to further tune your operations.
SAS 70 audits will require you to manage your operations not only to protect your customers' data, but to verify that your service level agreements are met. SAS70expert@gmail.com
November 17, 2008 11:23 PM
Posted by: SAS70ExPERT
Access control,
Data center operations,
Management,
Network,
SaaS,
SAS 70
As more outsourcing of applications takes place in this economy by using SaaS (software-as-a-service), is management producing cost savings? And how many SAS 70 reports will you be required to collect: from the data center operations, the IT support vendor, and the application provider?
When you perform your cost-benefit analysis, items to consider are:
- Who will need access to your application, and who will manage that access control
- From where your visitors, employees and customers will be connecting to your information: VPN, cell phone or PDA, or another web-enabled device
- How you will obtain more control over your licensing costs
As you develop a strategic plan to use SaaS, build close working relationships with your vendors and define them carefully in your contracts. Regularly update your contracts and service level agreements to match your needs, and develop tools to monitor how well your vendor is meeting your requirements.
A SAS 70 audit must be performed on your SaaS vendor to give you assurance of the reliability, confidentiality and integrity of the service provided to you and your customers. Control objectives may be similar or different, but a careful examination of the audit report should be performed in order to determine that your data is secure. SAS70ExPERT.biz
October 25, 2008 1:43 AM
Posted by: SAS70ExPERT
Management,
Risk management,
SAS 70,
Security Program Management
Privacy as part of your Security Program Management means adherence to trust and obligation within your company policy, standards, and procedures. SAS 70 auditors may assist you in building this risk management into your company standards by:
1. identifying the data or information that is personal,
2. examining the private information that is collected, disclosed, and that should be destroyed,
3. ensuring accountability for the private data,
4. assisting in developing policy and procedures for the risks associated with private data.
Based on this standard, you should be able to comply with legal and regulatory requirements. This would ensure that privacy standards are considered in all IT projects. SAS70ExPERT@gmail.com