SAS 70


October 22, 2008  2:26 AM

Third party agreements and SAS70 audit – SAS 70



Posted by: SAS70ExPERT
Management, Monitoring, SAS 70, Third-party services

 

During a SAS70 audit, an auditor may examine any relationships with third parties.  Any third party agreements or service level agreements should contain:

 

1.       procedures to protect all outsourced data, applications or hardware

2.       a description of the services provided and the target level of services

3.       the establishment of an escalation process should an incident occur

4.       the right to audit and determine that they are adhering to your agreement

5.       the respective liabilities of both parties should an incident occur.

 

During a SAS70 audit, you have a choice to exclude your outsourced services or include them in the examination. I would recommend you include them, especially if they are essential to the services you are providing to your customers. SAS70ExPERT@gmail.com

 

 

October 21, 2008  12:07 AM

Access Rights and SAS70 audit



Posted by: SAS70ExPERT
Access, Access control, Auditing, SAS 70, Third-party services

Access rights for current employees are essential for the completion of a successful audit. Your company should have a hiring and firing policy that is followed to the letter of the law. When an employee is hired or fired they should have an authorization process to add or delete from company systems or applications. It is essential that you educate your current employees, contractors, an third party users on this process on a continual basis.

 

Your company should company not only operating systems or applications, but physical access to company assets. Shared passwords or usernames should be immediately deactivated once an employee or third party leaves. When developing a policy for hiring or terminating consider:

 

1.       whether the termination or change of employment will be initiated by your or a third party

2.       the current responsibilities of the employee

3.       the value of the company assets or data that the employee has access too.

 

Without a good termination policy or checklist, you will have exceptions within your SAS 70 audit. SAS70ExPERT@gmail.com

 


October 6, 2008  3:26 PM

Escalate, Escalate, ESCALATE! if you have been phishing! – SAS70



Posted by: SAS70ExPERT
Access control, SAS 70

Wachovia Bank has sent you an email stating that your account has been compromised and that you must click the link and enter your username and password. STOP!!! This is phishing. Phishing usually takes the form of illegimate email that looks real! But it is only pretending to be your authorized vendor requesting information. A SAS 70 auditor will require you to have an escalation policy in to assist in preventing unauthorized access to company information assets. Your companies escalation policy should include:

·          Procedures which inform whom you should contact should such an event occur

·          In addition, many companies will want you to report the link or forward the entire email to their corporate security administrator

 

Be sure your authentication policy for your approved users is strong. It should require username and passwords and other secondary authentication mechanisms which are not easily guessed or used frequently. Have you been phished lately? Sas70expert@gmail.com


October 1, 2008  4:26 AM

Back to basics – Security awareness and education – SAS70



Posted by: SAS70ExPERT
CIO, Incident response, Network, Network security, SAS 70, Security, Security Program Management

For any security program, you must start at the basics and begin with a information security plan. In a SAS 70 audit, an auditor will examine a CIO’s operations to determine that you have security program management, incident response, and that appropriate training is provided to your employees. Your security plan should include at least include:

·          Procedures to protect and provide access to IT systems and applications

·          Procedures to report incidents when they occur

·          Investigation practices required to prevent future incidents

·          The right to revoke any user access at anytime

 

Training should occur regularly for all employees and no employee should be granted access to your systems without taking your company’s network security training. Do you have a plan in place? If so, send me a generic sample and I will share it with our readers. Sas70expert@gmail.com


September 25, 2008  11:06 AM

Outsourcing your data backup process – SAS70



Posted by: SAS70ExPERT
Backup, Management, SAS 70, Third-party services

During the SAS70 audit, an examination will be performed on your data backup process. If you have outsourced this to a local vendor, you are still responsible for making sure that your data is kept safe, secure, and is backed up properly. Hosted or online backup processes are very attractive for small to medium size businesses. Why? They don’t have to maintain the expertise internally and the IT equipment is expensive.

 

How best do you manage your backup provider? Be sure to have a service level agreement in place. The service level agreement should provide you response times for when you need help. And you will! When you need to find that lost report that is due for your presentation today, you will want the file restored today – NOT in 24-36 hours. In addition, review your own internet connection as you will need a fast one to transfer your data. Does your outsourced vendor take care of your needs? SAS70ExPERT@gmail.com

 

Outsourcing your data backup process – SAS70

 

During the SAS70 audit, an examination will be performed on your data backup process. If you have outsourced this to a local vendor, you are still responsible for making sure that your data is kept safe, secure, and is backed up properly. Hosted or online backup processes are very attractive for small to medium size businesses. Why? They don’t have to maintain the expertise internally and the IT equipment is expensive.

 

How best do you manage your backup provider? Be sure to have a service level agreement in place. The service level agreement should provide you response times for when you need help. And you will! When you need to find that lost report that is due for your presentation today, you will want the file restored today – NOT in 24-36 hours. In addition, review your own internet connection as you will need a fast one to transfer your data. Does your outsourced vendor take care of your needs? SAS70ExPERT@gmail.com

 


September 22, 2008  12:21 PM

SAS70 audits require preventative maintenance too!



Posted by: SAS70ExPERT
cooling systems, DataCenter, Incident response, Management, Risk management, SAS 70

During a SAS 70 audit of your DataCenter, an auditor will examine the installation of generators, cooling systems, and UPS backup systems. Questions will arise not only about installation, but of continuing preventative maintenance and incident response. An integrated approach should be followed which has is a holistic plan that clearly identifies scheduling, execution, documentation, risk management, and continuing follow-up inspections.

 When preventative maintenance occurs, four results can be expected:

·         a potential issue is identified and immediate actions are taken to prevent a future failure.

·         a potential issues is identified and a repair is scheduled

·         the regular maintenance does not uncover any potential repair

·         a defect is uncovered and unanticipated repair time occurs.

 In order to optimize maintenance windows, Managers should maintain the age of equipment, history of operating and environmental experience (temperature, voltage, run-time, abnormal events), and operating characteristics such as noise, temperature and vibration. Where is your preventative maintenance plan and do you have service level agreements in place today to monitor your network services? SAS70ExPERT@gmail.com


September 21, 2008  9:22 PM

Security is essential for all new technology investments? SAS70



Posted by: SAS70ExPERT
Auditing, Management, Network, SAS 70, Security management, Third-party services

Which new technologies are you adopting? With Web 2.0, social networking, wikis, and blogs – oh mY! With so many new avenues to penetrate your market, the decisions you make today can effect the success of your SAS 70 audit. When evaluating new technology, always first determine your company objectives as we previously discussed. In addition, you will need to remember to consider what new security features must be implemented in your computing environment to prevent downtime. It is essential early in the process that you identify the threats, the risks, and then create a plan.

 

 In identifying threats, the assessment team must consider who or what could compromise a target system’s components such that the system’s security attributes would be jeopardized. You should focus on how the information assets and components differ from what you already have. In identifying the security risks, consider what will th total potential impact on the organization. When your system is compromised – and it will be – how would you handle the loss of critical data?

 

To address technology security risks, requires a documented plan and you must train your employees on how to enact the plan. The SAS70 audit will require you to have a plan in place and it will examine who are the participants in the plan. The plan should include not only IT, but operations and senior management. Where is your security plan? SAS70ExPERT@gmail.com


September 19, 2008  5:34 PM

Asset Identification and Valuation in a Risk Assessment process? SAS 70



Posted by: SAS70ExPERT
budget, CFO, Financials, Management, Risk management, SAS 70

What is a fixed asset you say? And what is it’s value today? Don’t know where to start? Call your insurance company….if you don’t have your most precious business assets formally listed or insured, then you need help. From your insurance policy and from your understanding of what are key components that drive your revenue stream, you should be able to get a good idea of how many computers/servers that you have and what is their monetary value.

 

After asset identification, make sure you determine the replacement cost of your equipment. Recently, in discussions with IT Director at a Fortune 500 Company, he noted that he had made a formal listing of all his information technology equipment. Soon after, he had a flood to occur in his datacenter. Upon contacting his insurance company, he noted that he would only be reimbursed for the depreciated value of his equipment, not the replacement cost. Your $3000 server that you bought today, may only be worth $700 as soon as you walk out of the store when considering the depreciated value. Lesson learned — List your assets, but also understand how much it would truly cost to replace them.

 

When determining value, monetary terms are not always identifiable. You may have to perform some “ciphering.” Talk to your Company’s CFO or controller, as you may have to understand how the assets are used to generate revenue. From there, determine if the asset value can be calculated by determining a percentage of revenue. Using a financial ratio to determine value can be very subjective, so it is wise to gather several opinions.

 

As a starting point in a SAS 70 audit, when examining the risk assessment process, the auditor will want to verify that all critical assets have been identified and if you have assigned appropriate values. If you Google the blue book value of your server, or review Craig’s list to determine the price that similar products are selling for, be sure to keep a record so that your auditor may review also. Get your asset list completed today and determine the values, otherwise you may fail to meet your Corporate objectives. SAS70ExPERT@gmail.com.

 


September 17, 2008  11:06 PM

Making the Outsourcing Decision – SAS 70



Posted by: SAS70ExPERT
Management, management software, SAS 70, Third-party services

When deciding to outsource information technology to third-party services, Executive management should conduct an analysis to evaluate available options and determine if the vendor capabilities aligns with corporate objectives. First, determine what the driving factors that require you to outsource are – is it simple economics, as cost of technology for your industry is beyond your reach, or do you not have the internal talent to manage an entire network infrastructure. By identifying the company specific strategic drivers for outsourcing, you will be able to quickly weed away the inept vendors.

 

When selecting the outsourced vendor, carefully screen each vendor to determine if they have the necessary expertise to perform on time and after hours when emergencies occur. Don’t just go to lunch with the local sales representative and expect him to be there when an emergency occurs. Be sure to get all guarantees in writing, and a service level agreement is required. Due diligence is required to understand and compare the capabilities in order to meet corporate objectives. sas70expert@gmail.com


September 17, 2008  3:35 PM

Risk Assessments and the SAS 70 audit



Posted by: SAS70ExPERT
Access, Auditing, CIO, COBIT, Management, Monitoring, Network, Risk management, SAS 70

Management’s risk assessment process is required to be audited in a SAS70 examination; however, in my experience, most auditors do not adequately review Management’s risk assessment process. Without adequate auditing experience, most auditors would not have a basis to determine if Management had reviewed the control risk universe. In addition, Management mostly does not formally document risks, but they are discussed only in Board meeting with among C-level executive’s. The COBIT risk assessment framework can provide Management with the criteria and the details that an inexperienced auditor may use as a guide to examine their risk assessment process

 

COBIT consists of information that is required to help achieve business objectives. You must first begin with a vulnerability analysis of your business operations. Then determine the threats to these vulnerabilities For example, your greatest risk may be related to the legal liabilities due to incorrect financial statements….. or something more simpler, like loss of a backup tape which contained your customers social security numbers. Third, determine the impact of this threat. Is it a million dollar monetary fine, or could your license to conduct business be taken away. The conclusion is an action plan after which the cycle can start again.

 

When the SAS 70 auditor discusses your risk assessment process, don’t be afraid to say that you have it all stored in your brain. Without risk documentation, an experience auditing firm will assist you in forming a roadmap of risks that lead to your business success. Mr. CIO, have you determine what are your business risks or your information technology risks today? Have you formally discussed and evaluated them with other c-level executives or with your peers and association’s within your industry. Note from the diagram below the a formal risk assessment process. Next time we will discuss each of these layers in detail. SAS70ExPERT@gmail.com

 

Asset

Identification

and Valuation

Vulnerability

 

 Assessment

   Threat

 

Assessment

    Risk

 

Assessment

 Counter-

 

 measures

 Control

 

Evaluation

Residual

 

Risk

Action

 

  Plan



Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: