SAS 70

August 18, 2008  12:33 PM

What’s your standard? SAS70

Posted by: SAS70ExPERT
Auditing, Compliance, ISO, ITIL, SAS 70

ITIL provides you with a simple-to-understand set of IT standards and guidance for specific operational situations in your IT environment. ITIL best practices are both prescriptive and descriptive. Are you using it for guidance? Many SAS70 auditors will want to know what guidance you are using as your IT roadmap: COBIT, ITIL, or ISO standards.


COBIT will provide you with overall corporate governance. ISO and ITIL are much more operational and provide in-depth procedures. All of them require resources and funds to implement. Many organizations use a combination and take a more holistic approach. What do you consider the most effective for your organization?

August 14, 2008  12:01 PM

What is the difference between a Type I and a Type II SAS70 report? SAS70ExPERT

Posted by: SAS70ExPERT
Auditing, Compliance, DataCenter, SAS 70

Your largest customer has called and asked for your SAS70 audit report, and which type of audit was completed. Do you perform a Type I or a Type II? Don’t flip a coin; you must consider your objectives.


A SAS 70 Type I audit report provides an audit opinion of your Company’s operating environment. A Type II report combines the elements of a Type I report but requires extensive testing over a defined period of time. Which is more appropriate for your organization? In accountant speak, it depends.


Consider these objectives: determine what your customers require, where your operating and IT controls need improvement, whether your policies and procedures are well documented, and how much you can afford. In general, a Company would first perform a Type I, then a Type II SAS 70 audit. You may not have been reviewing firewall logs or monitoring user access to your Exchange server over a six-month period, which a Type II audit requires. Therefore, a Type I would be more suitable. In addition, performing a Type I audit first would allow you to quickly learn the areas of improvement in your IT framework. Which type of SAS 70 audit are you pursuing, and what are your objectives?

August 11, 2008  8:17 PM

CIO and the SDLC success story – SAS70ExPERT

Posted by: SAS70ExPERT
Auditing, CIO, Compliance, SAS 70, Security, Third-party services

What’s your plan as a new CIO to make IT operations a success? Consider Jack Ben, newly appointed CIO. In his new role, he assumes the management and performance of the financial statement application and has to complete a SAS70 audit in six months. This application has been in use for over 7 years, and much of the customization, reporting, and user access management is performed by a third-party vendor. What roadblocks do you face in meeting strategic objectives and making your bonus plan?


Consider the following:

1) If your vendor performs customization, then the specialized knowledge to maintain new software upgrades, enhancements and reports remains with the vendor. This could wrestle your CIO title to the ground, unless you require the vendor to supply you with instruction manuals, executive-level briefings and/or detailed on-line help features.

2) In addition, is the software code in escrow? In your vendor contract, you should have a requirement that your vendor maintain the source code in a safe and secure lockbox. Even if your vendor doesn’t survive the economy, your source code will! In addition, you could hire your vendor’s coders to work for you.


In a SAS70 audit, if your sole operating application is managed by an outsourced vendor, the auditor will ask whether the vendor has had its own SAS70 audit performed. In addition, the auditor will require controls that secure your oversight of the application. What steps have you put in place to manage your outsourced systems? Do you have a comprehensive SLA? Do you have a project leader who monitors your outsourced vendor and your application?

August 10, 2008  7:54 PM

Telecommuting as a SAS70 audit control? – SAS70ExPERT

Posted by: SAS70ExPERT
Access control, Auditing, CIO, Compliance, Network, SAS 70, Security, Telecommuting, Third-party services

As transportation costs continue to skyrocket over the summer, telework/telecommuting is becoming the new trend among office environments. Basically, we have been doing a form of telework by outsourcing all of our jobs overseas, so this premise is not really new; it’s just new for American workers. According to a recent survey by the advocacy group Telework Exchange, 92 percent of workers said their work could be performed from home. I agree that operating expenses could be reduced by:

1) less office space per employee

2) lower transportation costs from commuting to work

3) reduced computer hardware expenses


But what is the downside of a remote workforce, and what effect will that have on company information assets? These information assets are now stored at a family’s home on First Avenue, in a 3-bedroom, 2-bath house, instead of your 5-story office building. These telecommuting risks will need to be examined by management and should be considered in a SAS70 audit.


Consider that most employee homes will not have extended physical or environmental security, only garage door locks and an air conditioner. Their computer office could be located next to their children’s bathroom, a likely water hazard, or in an open space by a garden window. How easy would it be for a burglar to reach in, knock your coffee cup over, and grab your computer from your first-floor home office? Really EASY, as I think many homes today still have yet to install a home alarm system on their windows. Critical company information could now be sold on the internet.


In addition, what assurance do you have about the network security on their home computer? Do they have the latest antivirus application? Is their firewall always up and running, or might it be turned off to watch a movie?


Is your IT staff prepared to make housecalls? Your company information assets now reside at your employees’ homes. They are no longer on the second floor of your office but could be 20-30 miles away at a home on First Avenue. You must now manage users at locations spread miles apart. This may be okay if 15% of your workforce is remote, but what if it is 92%? Is your IT staff trained accordingly? If they have to make housecalls, do transportation costs truly decrease? Who is managing the network while your IT Administrator is stuck in traffic on his way to the Marketing Director’s home to fix his computer?


Any third-party vendor must complete a SAS70 audit to assure its customers that their data is secure. Are you ready to expand your company floor space beyond the office perimeter? Telecommuting risks must be considered in the SAS70 audit process. What are some of the risks you have identified? Do you even have any policies in place at your company which specifically discuss the dos and don’ts of a telecommuter?

August 8, 2008  4:09 PM

Do Risk Assessments increase profits? SAS 70 (part two)

Posted by: SAS70ExPERT
CIO, DataCenter, Risk management, SAS 70

When performing your risk assessment as required for the SAS70 audit, dive in head first, but keep your eyes focused on the details. Meet with C-level executives and line-level managers and have direct and open discussions about the perils that your company faces. Don’t be afraid to ask questions or confront CIOs with pointed questions. If they don’t know the answer or the risk, you are already in big trouble.


Three goals CIOs should keep in mind during these uncertain economic times are to:

1) reduce operating expenses

2) increase capacity in the data center

3) improve reliability of IT infrastructure


If you identify the risks to meeting these three objectives, then you are well on your way to completing a reliable risk assessment.

August 7, 2008  7:06 PM

Do Risk Assessments increase profits? SAS 70 (part one)

Posted by: SAS70ExPERT
CFO, CIO, CSO, DataCenter, Financials, Information risk management, Risk management, SAS 70, Security, Security management

SAS70 audits are becoming a standard for any outsourced organization. As part of the audit process, a company must perform an internal risk assessment of its IT and business-related risks. According to a recent survey of IT executives, here are the top five areas of most concern:


  1. Security
  2. Systems management tools
  3. Virtualization solutions
  4. Product road map
  5. Power consumption


While power consumption was number five, I think that it has taken on greater significance today than ever before. If you are paying $4.50 at your local gas dealer, then you can expect to continue to pay higher prices for electricity for your data center. What steps are you taking to conserve energy? Are you a part of a “green revolution?” From the component level, through the server and rack level, all the way up to the datacenter, I would expect everyone is finding ways to cut costs and increase profit. I think a risk assessment which reviews the operating details of your Company will assist you in meeting corporate objectives.


August 6, 2008  6:35 PM

Face up to Biometrics for your SAS70 audit (SAS 70)

Posted by: SAS70ExPERT
Access, Access control, Auditing, CIO, Compliance, DataCenter, Identity & Access Management, SAS 70, Security, Security management, Security Program Management, Security tokens, Third-party services

Biometric systems are used today not only at your Data center/co-location facility, but for plain ole’ laptop access. Finger, hand and thumb prints provide you access to all your critical data. In addition, iris/retinal scans and other facial recognition scans provide the credentials required to prevent forgery. What are you using within your Company?


For a SAS 70 audit, critical areas to review related to biometrics are:

1) enrollment process for a new user

2) accuracy and monitoring of the biometric device

3) termination of users


During enrollment, an individual’s biometric template is created in a database. Make sure you have a documented process for adding and authorizing new users to the database. You must know who may authorize access, and how much access to give the new employee.


Determine the accuracy and monitoring of biometric usage. Review who has used the biometric device by reviewing the logs and identifying any unusual activity. For example, if you note that Bob has entered the facility 3 times and there is no exit, then your device may not be working properly.


Last, if Adam quits or Alice is fired, then how do you know to delete their credentials from the system? Make sure Human Resources has a policy to notify you immediately when a person needs to be removed from the system. IT should have a checklist of items/inventory to be returned when an employee exits, and the form should include a sign-off to indicate removal from the biometric device.
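The three review areas above (enrollment approval, entry/exit log review, and removal of terminated users) can be checked mechanically once the controller's access log and the enrollment and HR lists are exported. The following is an added example, not code from the original post or from any biometric vendor; the log format, the user names, the enrollment table with its approver field, and the HR termination list are all constructed for illustration. It flags the "Bob entered 3 times with no exit" pattern, users enrolled without a recorded approver, and terminated users whose template is still enrolled (and any use of it after their last day).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the original post). In a real review the
# access log is exported from the biometric controller, the enrolled list from
# the device database, and the termination list from Human Resources.
SAMPLE_ACCESS_LOG = """\
2008-08-06T08:01:12 bob ENTRY
2008-08-06T08:05:40 alice ENTRY
2008-08-06T12:10:03 alice EXIT
2008-08-06T12:31:55 bob ENTRY
2008-08-06T13:02:17 alice ENTRY
2008-08-06T16:20:44 adam ENTRY
2008-08-06T17:45:09 bob ENTRY
2008-08-06T18:00:00 alice EXIT
"""

# user -> (enrollment date, approver). The approver is the evidence an auditor
# asks for when reviewing the enrollment process; an empty value is a finding.
ENROLLED_USERS = {
    "bob": ("2007-03-01", "j.smith"),
    "alice": ("2007-05-14", "j.smith"),
    "adam": ("2008-01-20", ""),
}

# HR termination list: user -> last working day (constructed)
TERMINATED_USERS = {
    "adam": "2008-08-01",
}


def parse_log(text):
    """Parse 'timestamp user EVENT' lines into (datetime, user, event) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event = line.split()
        records.append((datetime.fromisoformat(ts), user, event.upper()))
    return records


def find_entry_exit_anomalies(records):
    """Return {user: [descriptions]} for ENTRY/EXIT events that do not pair up.

    Events are replayed in time order with an 'inside' flag per user. A second
    ENTRY with no EXIT in between, or an EXIT with no prior ENTRY, means the
    reader missed a read, a door was tailgated, or a credential was shared.
    """
    inside = defaultdict(bool)
    anomalies = defaultdict(list)
    for ts, user, event in sorted(records):
        if event == "ENTRY":
            if inside[user]:
                anomalies[user].append(f"{ts.isoformat()} ENTRY with no prior EXIT")
            inside[user] = True
        elif event == "EXIT":
            if not inside[user]:
                anomalies[user].append(f"{ts.isoformat()} EXIT with no prior ENTRY")
            inside[user] = False
        else:
            anomalies[user].append(f"{ts.isoformat()} unknown event {event}")
    return dict(anomalies)


def users_still_inside(records):
    """Users whose last event is an ENTRY (never badged out by end of log)."""
    last_event = {}
    for _, user, event in sorted(records):
        last_event[user] = event
    return sorted(u for u, e in last_event.items() if e == "ENTRY")


def find_enrollment_findings(enrolled):
    """Users enrolled without a recorded approver."""
    return sorted(u for u, (_, approver) in enrolled.items() if not approver)


def find_stale_credentials(enrolled, terminated, records):
    """Terminated users still enrolled -> number of log events after last day."""
    findings = {}
    for user, last_day in terminated.items():
        if user in enrolled:
            cutoff = datetime.fromisoformat(last_day).date()
            uses_after = [ts for ts, u, _ in records if u == user and ts.date() > cutoff]
            findings[user] = len(uses_after)
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_ACCESS_LOG)
    print("entry/exit anomalies:", find_entry_exit_anomalies(recs))
    print("still inside at end of log:", users_still_inside(recs))
    print("enrolled without approver:", find_enrollment_findings(ENROLLED_USERS))
    print("terminated but still enrolled:",
          find_stale_credentials(ENROLLED_USERS, TERMINATED_USERS, recs))
```

On the constructed data, Bob's three entries with no exit produce two "ENTRY with no prior EXIT" anomalies, Adam shows up both as enrolled without an approver and as terminated-but-still-enrolled with one use of the credential after his last day. Each of those is the kind of item the HR notification policy and the exit sign-off form described above are meant to prevent.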

July 31, 2008  2:06 PM

Is Olympic Security enough data protection? SAS70

Posted by: SAS70ExPERT
Auditing, CIO, Compliance, DataCenter, Disaster Recovery, Management, SAS 70, Security, Security management, Third-party services

If I were going to the Olympics as a participant, business person or ticket holder, then I would want to consider how much security I need to keep me safe. The 2008 Olympics will cause a heightened awareness of security for the Beijing metropolis, and training will occur in many areas of security. Similar to a SAS 70 audit, many types of security will be audited: physical, environmental, network, logical access to applications and systems, and computer operations. A SAS70 audit should provide you with comfort that your assets are safe, that the controls to protect them are operating effectively, and that your business is efficient.


If I were going to the Olympics, here are a few safety principles to follow:

  1. Lock your cell phone with a password. If you leave your phone at your favorite restaurant, then you want to be sure that no one can gain access to your contacts, phone numbers, and emails. In addition, be sure to list your name and phone number on the screensaver so that someone can call you to return it.
  2. Use encryption on all devices. Use VPN/SSL VPN encryption on your laptop and cellphone.
  3. Never leave your valuables in the hotel unprotected. Always take your iPod, mp3 player, cell phone, and other corporate electronics with you, or put them in the hotel safe. If you don’t have a hotel safe, then lock them in your luggage.
  4. If you have USB flash drives, password protect them and encrypt them.
  5. Buy an Olympic necklace. A string around your neck with your hotel key, photo ID, and some change could be a lifesaver in a foreign country.

July 29, 2008  11:51 PM

SAS70 audit exceptions

Posted by: SAS70ExPERT
Auditing, CIO, Compliance, Encryption, SAS 70

As I have read many SAS 70 audit reports, my perception of the quality of audit reports is varied. As I stated in previous blogs, there are different standards to use to implement information technology controls; however, the SAS70 standard does not require an auditor to meet specific information security requirements. Therefore, an auditor may audit network security rather heavily or not at all. If the SAS 70 standard were changed to provide specific IT requirements to be audited, then more benchmarking of the effectiveness of controls and of the SAS 70 audit would be available. How do you feel about the quality of audit coverage of network security controls in your SAS70 audit?
