Recently, I was on a plane flying home and started talking to a CIO about his SAS 70 audit. He seemed dismayed about a former trusted employee taking proprietary data from his company. He noted that they had a policy in place to remove the terminated employee from the company applications; however, this employee was able to walk away with the company’s list of customers.

Authorization of access to company applications and removal is a critical process that should be documented and followed by all employees, including executives. In our discussions, he noted that the CEO was a mover and shaker, but he did not always follow company procedures. This loss of data was a direct result of not following policy.

It is critical to a company and to the SAS 70 audit examination that employees and executives follow company policy to gain access and removals to company applications. Otherwise, why have a policy – Give everyone administrative access.

A good policy should require IT to only be the custodian of applications. They should only provide access when authorized by the business operations and initiated by human resources. Sas70expert@gmail.com

At 5pm, the CEO returned to his office with a cup of coffee and a very unpleasant frown. He barked out a few orders to his administrative assistant. I knew then that ….it was all going to roll down hill. Apparently, an IT Director signed a vendor contract with some very unfavorable terms. Luckily, the IT Director was no longer with the Company, therefore, the CIO, was the one who would be assigned the cleanup work.

In order to deal with this situation, the CIO would have to quickly understand the requirements of the CEO and the expectations of the vendor. If he failed at delivering for either of them, then the effects could have serious consequences on IT operations. These types of political maneuvers happen everyday and it takes a skillful politician as a CIO to produce favorable results.

A CIO can use her political skills to effectively deal with a SAS70 audit. When an auditor identifies an audit exception, the CIO may fully agree with the auditor; however, the description of the audit exception may need to be qualified in order to maintain a close relationship with the CEO. Sometimes, negotiations are even held over simple words, such as “sometimes” as they can make a big difference in the eyes of the Board of Directors or Audit Committee. What are some of the circumstances that you may have been involved in? Were you successful in avoiding pitfalls? What worked best for you?

Sas70expert@gmail.com

Don’t be fooled by a big accounting name? A suit with a high priced song! No matter what they say, you have to read the SAS70 report in order to determine the depth of testing performed in a SAS70 audit. SAS70 audits have just now become in demand by industry leaders and you have to determine what value you want from the SAS70 audit. Do you need a box checked? Or will you use this audit process to improve your revenue, your internal controls, and to set you apart from your competition? Prices range all over the board – choose your poison wisely – either you choose an auditor with experience and see that their report provides you with the level of detail and testing to required to make your organization better or — you might as well gamble in Vegas more – and take the big accounting name with little testing that provides you with the check box you need.sas70expert@gmail.com

When I Google today on SAS70? Wow, I have so many choices. With the rankings of companies – it is confusing and perplexing and that I am not even on the first page. How do I get there without breaking the bank? I have read some on the Google site about it and it has left me wanting more. Just like you, I am searching for ways for companies to recognize me and my site and want to follow the rules so that I can make my site visited. One way is to spend, spend, spend. A SEO consulting firm can get you to the top of the page, but it will take a substantial investment. A beginning company may not want to invest big dollars yet, but their has to be other ways to build brand awareness without selling the computer. Have you hired a SEO consultant? What are your experiences? What are some key things that I should be looking for?

Yahoo Messenger, Googletalk, and AIM Messenger instant messaging services are frequently used by employees today for work and social networking. Less than 10% of companies today have policies and those that do have policies do not enforce them. Many SAS70 audits find installation of instant messaging software within corporate environments and that it may cause introduction of malicious coding or cause loss of sensitive data. Therefore, should IM security software be standard installation – whether in the form of email and internet security tools, appliances, or third-party hosted solutions. IM security software would protect against incoming Trojan horses/viruses and detect outgoing data loss by using content filtering; logging and archiving all IM messages, and ensure compliance with company policy. Are you using IM security software protection? If so, which one and is it on a third-party hosted platform? Have you found it to be effective?sas70expert@gmail.com

It’s election year and security to protect some of our most valuable assets is being discussed more frequently – including politicians and data privacy requirements (proposed Regulation S-P). Does that mean you should be considering the Secret Service to guard your data? I don’t think so; however, you should have a plan to manage risk of data loss. This plan should contain proactive thinking that promotes a culture of prevention. A SAS70 audit will assist you in determining your vulnerabilities and identifying weaknesses in information technology network; however, you must continually assess and evaluate scenarios, and stay informed of the latest and greatest networking threats. Communication and training are key to a data protection plan. What are some of the other characteristics?SAS70expert@gmail.com

Can we believe all the hype? Is there a green revolution afoot? From cars to energy to datacenters, everyone is going green. Datacenters have become very complex, with so many interactions among processors, rack systems, power and cooling systems, storage arrays, networks, and communications channels – that they can be regarded as unique virtual environments that consume large amounts of energy. Our need to have access to the internet anywhere and everywhere, requires more capacity and increasing speeds of datacenter components. What steps are you taking to become Green? SAS70ExPERT@gmail.com

As you complete that CISSP or CISA designation and move up the corporate ladder, do you have the right skills to begin making the decisions as CSO or CIO? Even if you have a great understanding of IT operations(networking, disaster recovery, datacenter management), compliance(SAS70, Webtrust, Systrust, SOX), and leadership(Project management, financial budgeting and administration), if you don’t communicate effectively you will not make the list. IT leaders can write, speak until they are red in the face; however, if they are unable to speak general business language, the business audience will not support their IT objectives or provide funding. Some of the more important skills to have as CSO or CIO are:

• Communicate effectively
• Lead during a disaster
• Provide an IT strategy

 What are the important skills that a CSO or CIO must have to be a success? As a team leader? To build Board support? To be an effective information technology project manager/business leader? To build another Google, Microsoft Windows, or Email Exchange?

SAS70ExPERT@gmail.com

Are you reviewing you firewall rules quarterly? Have you implemented an (IDS) intrusion detection system? Are your routers set up to prevent unauthorized intruders? Do you have the latest and greatest virus protection? Are you performing a SAS70 audit every six months? Database security breaches are increasing daily and costing tremendous amounts of dollars that should have been spent on IT projects. You should at least have an emergency plan in place when data loss occurs. Without an emergency plan in place, the breach could continue and the legal costs could continue to escalate.

Various transport methods, such as email, instant messaging, FTP, and encryption have been implemented to share files/data between Companies. But many methods, suffer from security, manageability, and the ability to track/log the transfer of information. Increasing regulations and SAS70 audit guidelines are requiring that privacy and security of data be maintained. What data transfer method are you using and is it secure,manageable and auditable?

The types of data transfer continue to evolve and a variety of people with whom companies exchange data is also changing. For example, many companies outsource processes that they used to perform in-house. Furthermore, some even are processed overseas, especially in India. How much control do you have on your outsourced vendor? How do you know that their process to transfer data is secure and managed appropriately? SAS70ExPERT@gmail.com