<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SAS 70 &#187; Access control</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/sas-70/tag/access-control/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/sas-70</link>
	<description></description>
	<lastBuildDate>Tue, 23 Dec 2008 17:58:25 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Importance of User access policy? SAS70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/importance-of-user-access-policy-sas70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/importance-of-user-access-policy-sas70/#comments</comments>
		<pubDate>Sun, 07 Dec 2008 13:24:55 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[CEO]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[SAS 70]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/importance-of-user-access-policy-sas70/</guid>
		<description><![CDATA[Recently, I was on a plane flying home and started talking to a CIO about his SAS 70 audit. He seemed dismayed about a former trusted employee taking proprietary data from his company. He noted that they had a policy in place to remove the terminated employee from the company applications; however, this employee was [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal">Recently, I was on a plane flying home and started talking to a CIO about his SAS 70 audit. He seemed dismayed about a former trusted employee taking proprietary data from his company. He noted that they had a policy in place to remove the terminated employee from the company applications; however, this employee was able to walk away with the company’s list of customers.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Authorizing and removing access to company applications is a critical process that should be documented and followed by all employees, including executives. In our discussions, he noted that the CEO was a mover and shaker, but he did not always follow company procedures. This loss of data was a direct result of not following policy.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">It is critical to a company and to the SAS 70 audit examination that employees and executives follow company policy when access to company applications is granted or removed. Otherwise, why have a policy? Give everyone administrative access.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">A good policy should require IT to be only the custodian of applications. IT should provide access only when it is authorized by business operations and initiated by human resources. Sas70expert@gmail.com</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/importance-of-user-access-policy-sas70/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SaaS and SAS70 – SAS70ExPERT</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/saas-and-sas70-%e2%80%93-sas70expert/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/saas-and-sas70-%e2%80%93-sas70expert/#comments</comments>
		<pubDate>Mon, 17 Nov 2008 23:23:03 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access control]]></category>
		<category><![CDATA[Data center operations]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[SAS 70]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/saas-and-sas70-%e2%80%93-sas70expert/</guid>
		<description><![CDATA[As more outsourcing of applications takes place in this economy by using SaaS (software-as-a-service), is management producing cost savings? And how many SAS70s will you be required to collect: from the data center operations, the IT support vendor, and the application provider?   When you perform your cost-benefit analysis, items to consider are: Who will benefit [...]]]></description>
				<content:encoded><![CDATA[<p><span>As more outsourcing of applications takes place in this economy by using SaaS (software-as-a-service), is management producing cost savings? And how many SAS70s will you be required to collect: from the data center operations, the IT support vendor, and the application provider?</span></p>
<p><span> </span></p>
<p><span>When you perform your cost-benefit analysis, items to consider are:</span></p>
<ul>
<li><span>Who will benefit from access control for your application</span></li>
<li><span>From where your visitors/employees/customers will be connecting to your information: VPN network, cellphone or PDA, or other web-enabled device</span></li>
<li><span>Obtain more control over your licensing costs</span></li>
</ul>
<p><span>As you develop a strategic plan to use SaaS, build close relationships with your vendors and define them carefully in your contracts. Constantly update your contracts or service level agreements to match your needs, and develop tools to monitor your vendor’s success in meeting your requirements.</span></p>
<p><span> </span></p>
<p><span>A SAS70 audit must be performed on your SaaS vendor to give you assurance of the reliability, confidentiality and integrity of the service provided to you and your customers. Control objectives may be similar or different, but the audit report should be examined carefully to determine that your data is secure. SAS70ExPERT.biz</span></p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/saas-and-sas70-%e2%80%93-sas70expert/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Access Rights and SAS70 audit</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/access-rights-and-sas70-audit/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/access-rights-and-sas70-audit/#comments</comments>
		<pubDate>Tue, 21 Oct 2008 00:07:41 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Auditing]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[Third-party services]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/access-rights-and-sas70-audit/</guid>
		<description><![CDATA[Access rights for current employees are essential for the completion of a successful audit. Your company should have a hiring and firing policy that is followed to the letter of the law. When an employee is hired or fired, there should be an authorization process to add them to or delete them from company systems or applications. It [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal"><span>Access rights for current employees are essential for the completion of a successful audit. Your company should have a hiring and firing policy that is followed to the letter of the law. When an employee is hired or fired, there should be an authorization process to add them to or delete them from company systems or applications. It is essential that you educate your current employees, contractors, and third-party users on this process on a continual basis.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Your company should cover not only operating systems or applications, but also physical access to company assets. Shared passwords or usernames should be immediately deactivated once an employee or third party leaves. When developing a policy for hiring or terminating, consider:</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><!--[if !supportLists]--><span><span>1.<span>       </span></span></span><!--[endif]--><span>whether the termination or change of employment will be initiated by you or a third party</span></p>
<p class="MsoNormal"><!--[if !supportLists]--><span><span>2.<span>       </span></span></span><!--[endif]--><span>the current responsibilities of the employee</span></p>
<p class="MsoNormal"><!--[if !supportLists]--><span><span>3.<span>       </span></span></span><!--[endif]--><span>the value of the company assets or data that the employee has access to.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Without a good termination policy or checklist, you will have exceptions within your SAS 70 audit. SAS70ExPERT@gmail.com</span></p>
<p class="MsoNormal"><em><span> </span></em></p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/access-rights-and-sas70-audit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Escalate, Escalate, ESCALATE! if you have been phishing! – SAS70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/escalate-escalate-escalate-if-you-have-been-phishing-%e2%80%93-sas70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/escalate-escalate-escalate-if-you-have-been-phishing-%e2%80%93-sas70/#comments</comments>
		<pubDate>Mon, 06 Oct 2008 15:26:05 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access control]]></category>
		<category><![CDATA[SAS 70]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/escalate-escalate-escalate-if-you-have-been-phishing-%e2%80%93-sas70/</guid>
		<description><![CDATA[Wachovia Bank has sent you an email stating that your account has been compromised and that you must click the link and enter your username and password. STOP!!! This is phishing. Phishing usually takes the form of illegitimate email that looks real! But it is only pretending to be your authorized vendor requesting information. A [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal"><span>Wachovia Bank has sent you an email stating that your account has been compromised and that you must click the link and enter your username and password. STOP!!! This is phishing. Phishing usually takes the form of illegitimate email that looks real! But it is only pretending to be your authorized vendor requesting information. A SAS 70 auditor will require you to have an escalation policy in place to assist in preventing unauthorized access to company information assets. Your company’s escalation policy should include:</span></p>
<p class="MsoNormal"><!--[if !supportLists]--><span><span>·<span>          </span></span></span><!--[endif]--><span>Procedures that tell you whom to contact should such an event occur</span></p>
<p class="MsoNormal"><!--[if !supportLists]--><span><span>·<span>          </span></span></span><!--[endif]--><span>In addition, many companies will want you to report the link or forward the entire email to their corporate security administrator</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Be sure your authentication policy for your approved users is strong. It should require usernames and passwords and other secondary authentication mechanisms which are not easily guessed or used frequently. Have you been phished lately? Sas70expert@gmail.com</span></p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/escalate-escalate-escalate-if-you-have-been-phishing-%e2%80%93-sas70/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is pre-boot authentication required? SAS70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/is-pre-boot-authentication-required-sas70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/is-pre-boot-authentication-required-sas70/#comments</comments>
		<pubDate>Wed, 20 Aug 2008 04:26:41 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[SAS 70]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/is-pre-boot-authentication-required-sas70/</guid>
		<description><![CDATA[SAS 70 audits review the authentication procedures required to access computer equipment, including the pre-boot authentication (PBA) procedure.  If pre-boot authentication is not required, then the risk of someone gaining access to your company data is very high. What is PBA? Pre-boot authentication is a process that requires a user to authenticate to the operating system [...]]]></description>
				<content:encoded><![CDATA[<p>SAS 70 audits review the authentication procedures required to access computer equipment, including the pre-boot authentication (PBA) procedure.  If pre-boot authentication is not required, then the risk of someone gaining access to your company data is very high.</p>
<p>What is PBA? Pre-boot authentication is a process that requires a user to authenticate to the operating system prior to loading of the application software. The user must enter his credentials &#8211; a username and password &#8211; before the system load begins. Once the user is authenticated, the Windows or Linux operating system is loaded. If the correct username and password are not entered, the pre-boot authentication process will not load the operating system and the computer will lock down.</p>
<p>Pre-boot authentication prevents a criminal hacker from gaining access to your data by not loading the operating system. Since the bypass tools load after the operating system, a hacker won’t get a chance to try to gain entry or use the Windows XP or Vista emergency disks.  SAS70ExPERT@gmail.com</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/is-pre-boot-authentication-required-sas70/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Telecommuting as a SAS70 audit control? – SAS70ExPERT</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/telecommuting-as-a-sas70-audit-control-%e2%80%93-sas70expert/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/telecommuting-as-a-sas70-audit-control-%e2%80%93-sas70expert/#comments</comments>
		<pubDate>Sun, 10 Aug 2008 19:54:58 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access control]]></category>
		<category><![CDATA[Auditing]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Telecommuting]]></category>
		<category><![CDATA[Third-party services]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/telecommuting-as-a-sas70-audit-control-%e2%80%93-sas70expert/</guid>
		<description><![CDATA[As transportation costs continue to skyrocket over the summer, telework/telecommuting is becoming the new trend among office environments. Basically, we have been doing a form of telework by outsourcing all of our jobs overseas, so this premise is not really new, it’s just new for American workers. 92 percent of workers said their work could [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal">As transportation costs continue to skyrocket over the summer, telework/telecommuting is becoming the new trend among office environments. Basically, we have been doing a form of telework by outsourcing all of our jobs overseas, so this premise is not really new, it’s just new for American workers. 92 percent of workers said their work could be performed from home according to a recent survey by advocacy group Telework Exchange. I agree that operating expenses could be reduced by:</p>
<p class="MsoNormal"><!--[if !supportLists]--><span>1)<span>      </span></span><!--[endif]-->less office space per employee</p>
<p class="MsoNormal"><!--[if !supportLists]--><span>2)<span>      </span></span><!--[endif]-->transportation costs are reduced from commuting to work</p>
<p class="MsoNormal"><!--[if !supportLists]--><span>3)<span>      </span></span><!--[endif]-->reduction in computer hardware expenses</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">But what is the downside of a remote workforce, and what effect will that have on company information assets? These information assets are now stored at a family’s home on First Avenue, in a 3-bedroom, 2-bath, instead of your 5-story office building. These telecommuting risks will need to be examined by management and should be considered in a SAS70 audit.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Consider that most employee homes will not have extended physical or environmental security – only garage door locks and an air conditioner. Their computer office could be located next to their children’s bathroom – which is a likely water hazard – or in an open space by a garden window. How easy would it be for a burglar to reach in, knock your coffee cup over, and grab your computer from your first-floor home office? Really EASY, as I think many homes today still do not have a home alarm system on their windows. Critical company information now could be sold on the internet.</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">In addition, what assurance do you have about the network security on their home computer? Do they have the latest virus-prevention application? Is their firewall always up and running, or might it be turned off to watch a movie?</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">Is your IT staff prepared to make housecalls? Your company information assets now reside at your employee’s home. They are no longer on the second floor of your office, but could be 20-30 miles away at a First Avenue home. You now must manage users at locations that are spread miles apart. This may be okay if 15% of your workforce is remote, but what if it is 92%? Is your IT staff trained accordingly? If they have to make housecalls, do transportation costs truly decrease? Who is managing the network while your IT Administrator is stuck in traffic on his way to the Marketing Director&#8217;s home to fix his computer?</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">Any third-party vendor must complete a SAS70 audit to assure its customers that their data is secure. Are you ready to expand your company floor space beyond the office perimeter? Telecommuting risks must be considered in the SAS70 audit process. What are some of the risks you have identified? Do you even have any policies in place at your company which specifically discuss the do’s and don’ts of a telecommuter? SAS70ExPERT@gmail.com</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/telecommuting-as-a-sas70-audit-control-%e2%80%93-sas70expert/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Face up to Biometrics for your SAS70 audit (SAS 70)</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/face-up-to-biometrics-for-your-sas70-audit-sas-70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/face-up-to-biometrics-for-your-sas70-audit-sas-70/#comments</comments>
		<pubDate>Wed, 06 Aug 2008 18:35:21 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Auditing]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[DataCenter]]></category>
		<category><![CDATA[Identity & Access Management]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security management]]></category>
		<category><![CDATA[Security Program Management]]></category>
		<category><![CDATA[Security tokens]]></category>
		<category><![CDATA[Third-party services]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/face-up-to-biometrics-for-your-sas70-audit-sas-70/</guid>
		<description><![CDATA[Biometric systems are used today not only at your Data center/ co-location facility, but for plain ole’ laptop access. Finger, hand and thumb prints provide you access to all your critical data. In addition, iris/retinal scans and other facial recognition scans provide the credentials required to prevent forgery. What are you using within your Company? [...]]]></description>
				<content:encoded><![CDATA[<p><span>Biometric systems are used today not only at your Data center/ co-location facility, but for plain ole’ laptop access. Finger, hand and thumb prints provide you access to all your critical data. 
In addition, iris/retinal scans and other facial recognition scans provide the credentials required to prevent forgery. What are you using within your Company? </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>For a SAS 70 audit, critical areas to review related to biometrics are:</span></p>
<p class="MsoNormal"><!--[if !supportLists]--><span><span>1)<span>       </span></span></span><!--[endif]--><span>enrollment process for a new user</span></p>
<p class="MsoNormal"><!--[if !supportLists]--><span><span>2)<span>       </span></span></span><!--[endif]--><span>accuracy and monitoring of the biometric device</span></p>
<p class="MsoNormal"><!--[if !supportLists]--><span><span>3)<span>       </span></span></span><!--[endif]--><span>termination of users</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>During enrollment, an individual’s biometric template is created in a database. Make sure you have a documented process for adding and authorizing new users to the database. You must know who may authorize access, and how much access to give the new employee. <span> </span></span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Determine the accuracy and monitoring of biometric usage. Review who has used the biometric device by reviewing the logs and identifying any unusual activity. For example, if you note that Bob has entered the facility 3 times and there is no exit, then your device may not be working properly.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Last, if Adam quits or Alice is fired, then how do you know to delete their credentials from the system? Make sure Human Resources has a policy to notify you immediately when a person needs to be removed from the system. IT should have a checklist of items/inventory to be returned when an employee exits, and the form should include a sign-off to indicate removal from the biometric device. Sas70expert@gmail.com</span></p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/face-up-to-biometrics-for-your-sas70-audit-sas-70/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 essential to have in your SLA’s to have to help you manage your outsourced vendor &#8211; SAS70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/7-essential-to-have-in-your-sla%e2%80%99s-to-have-to-help-you-manage-your-outsourced-vendor-sas70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/7-essential-to-have-in-your-sla%e2%80%99s-to-have-to-help-you-manage-your-outsourced-vendor-sas70/#comments</comments>
		<pubDate>Thu, 24 Jul 2008 01:36:47 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access control]]></category>
		<category><![CDATA[Auditing]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[CSO]]></category>
		<category><![CDATA[Data center operations]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security management]]></category>
		<category><![CDATA[Security Program Management]]></category>
		<category><![CDATA[Third-party services]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/7-essential-to-have-in-your-sla%e2%80%99s-to-have-to-help-you-manage-your-outsourced-vendor-sas70/</guid>
		<description><![CDATA[“Do you understand what impact the outsourced vendor has on your financial stability?” says a SAS 70 auditor. If they fail to make payroll on Friday or if your DataCenter fails, what effect will that have on your operations? So as not to be “asleep at the switch,” make sure you understand the vendor’s operations [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal">“Do you understand what impact the outsourced vendor has on your financial stability?” says a SAS 70 auditor. If they fail to make payroll on Friday or if your DataCenter fails, what effect will that have on your operations? So as not to be “asleep at the switch,” make sure you understand the vendor’s operations and risks involved. Here are 10 essential specifications that you should have in your service level agreement with your outsourced vendor:</p>
<p class="MsoNormal">1) Data encryption and protection – determine what your vendor is doing from an information technology perspective to protect your information. Are they using applications that have security built-in? Do they have firewalls?</p>
<p class="MsoNormal">2) Physical Security – review and management of access to buildings and data is critical to protect information technology assets. Tight control must be maintained in order to prevent identity theft and loss of valuable equipment, like exchange servers, racks, and hard drives. Each employee should have ID, preferably biometric, and you should log entry into and egress from facilities.</p>
<p class="MsoNormal">3) Environmental Security – Make sure your data is not only locked in the safe room, but that the environment in the room provides essential protections. Do they have fire extinguishers? Temperature control? Air conditioners? …etc.</p>
<p class="MsoNormal">4) Confidentiality agreements – Require your business partner/vendor to sign confidentiality agreements/non-disclosure agreements to prevent loss of trade secrets, data, and patents.</p>
<p class="MsoNormal">5) Employee training – Policies are useless unless your employees and vendors are trained and aware. Provide all vendors with awareness training on your requirements when processing your information or providing you with services.</p>
<p class="MsoNormal">6) Require employee background investigations. You want to make sure that the person responsible for managing your money is not a convicted felon. They must have a review of the work history and a validation of the skills.</p>
<p class="MsoNormal">7) Lastly, management of vendors – After you have given your requirements to your vendor, how do you know they stay in compliance? A SAS 70 audit is required. sas70expert@gmail.com</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/7-essential-to-have-in-your-sla%e2%80%99s-to-have-to-help-you-manage-your-outsourced-vendor-sas70/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Green is mean and lean but is it the ticket to prosperity? SAS70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/green-is-mean-and-lean-but-is-it-the-ticket-to-prosperity-sas70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/green-is-mean-and-lean-but-is-it-the-ticket-to-prosperity-sas70/#comments</comments>
		<pubDate>Wed, 16 Jul 2008 15:14:11 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access control]]></category>
		<category><![CDATA[Auditing]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[DataCenter]]></category>
		<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Identity & Access Management]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Network Management Systems]]></category>
		<category><![CDATA[power systems]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security management]]></category>
		<category><![CDATA[Security Program Management]]></category>
		<category><![CDATA[Third-party services]]></category>
		<category><![CDATA[TrendMirco]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/green-is-mean-and-lean-but-is-it-the-ticket-to-prosperity-sas70/</guid>
		<description><![CDATA[Exchange Servers are increasingly being added to the electric grid and increasing the world’s energy consumption, carbon emissions and stream wastes. A recent report stated that “U.S. server electricity consumption has doubled in the past five years and now equals that of color TV’s.” SAS70 audits review logical and network-related controls for servers, but [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal">Exchange Servers are increasingly being added to the electric grid and increasing the world’s energy consumption, carbon emissions and stream wastes. A recent report stated that “U.S. server electricity consumption has doubled in the past five years and now equals that of color TV’s.” SAS70 audits review logical and network-related controls for servers, but they don’t consider the energy consumption or quality of company environmental efforts.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">All kinds of new energy saving ideas are being developed, including air-compressed backup generators. Greenpeace has developed a &#8220;Guide to Greener Electronics.” The guide ranks the 18 top manufacturers of personal computers, mobile phones, TV&#8217;s and games consoles according to their policies on toxic chemicals and recycling.</p>
<p>I think that this is great, but is it sustainable considering our population’s demand for service NOW!? In an electronic age, where I can practically order anything, see any TV show, or buy any music at the touch of a button on my iPhone, can we expect businesses to choose green over a quick dollar? As datacenter demand grows and more server bandwidth is required – will you stop and say “No, I want my children to enjoy clean air, and clean water.” Or will you push forward with a browner (less green) alternative computing solution? Should SAS70 audits evaluate environmental and energy efforts? sas70expert@gmail.com</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/green-is-mean-and-lean-but-is-it-the-ticket-to-prosperity-sas70/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How laptops become serial killers?  &#8211; SAS70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/how-laptops-become-serial-killers-sas70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/how-laptops-become-serial-killers-sas70/#comments</comments>
		<pubDate>Sun, 06 Jul 2008 16:18:05 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Administration]]></category>
		<category><![CDATA[Auditing]]></category>
		<category><![CDATA[CFO]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[CSO]]></category>
		<category><![CDATA[DataCenter]]></category>
		<category><![CDATA[human factors]]></category>
		<category><![CDATA[Information risk management]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Network Management Systems]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security management]]></category>
		<category><![CDATA[Security Program Management]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/how-laptops-become-serial-killers-sas70/</guid>
		<description><![CDATA[My business requires distribution and collection of data. Much of it resides on a centrally located server; however, there is data on the laptop that has never been transferred over to the server or that may have  been taken off the server for project work. As human beings we will never be perfect. Someone will [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal">My business requires distribution and collection of data. Much of it resides on a centrally located server; however, there is data on the laptop that has never been transferred over to the server or that may have been taken off the server for project work. As human beings we will never be perfect. Someone will lend access to their laptop to a friend or customer, a laptop will be lost or stolen, and an unprotected USB drive is a loaded gun just waiting to have the trigger pulled so that data can be transferred off your laptop. Laptops with sensitive data that goes unprotected can become a media nightmare and a legal hassle, and may limit your customer retention and market growth &#8212; a serial killer that stops your business growth and the vendors that support you.</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">To protect against data loss, we now have LoJack services for laptops when they are stolen. The laptop can be found and once connected to a network will be shut down. But what about the ease with which we can install and transfer data to others using USB drives? Even if you use a USB drive that requires a password, is that enough security? I have read recently that laptops were returned after being lost that contained sensitive data such as social security numbers for big companies – including Google. Now that they have the laptop back, is the risk over? What if the data was transferred off the laptop onto a USB drive?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Just like for the SAS70 audit, you have to perform a risk assessment to determine the controls that must be in place, and identify those that can be implemented as time permits. In the situation above, I don’t think focusing on the number of ways that data can be taken off laptops is the key to reducing risk. You should focus more on identifying the type of data that you have, marking the sensitive data, and controlling access to it – by limiting users, strengthening laptop controls around the sensitive data, and identifying opportunities to record transfer of sensitive data, which would provide an audit trail. How are you controlling your data on your laptops? sas70expert@gmail.com</p>
<p class="MsoNormal"> </p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/how-laptops-become-serial-killers-sas70/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
