SAS 70:

DataCenter

Dec 12 2008   12:01AM GMT

Will 2009 be a better year? SAS70



Posted by: sas70expert
Data center operations, DataCenter, SAS 70

With a new election just completed, will our future be brighter in 2009? I hope it will be. It seems there is never enough time to get all the work completed, document all the workpapers, and provide exceptional client service. Here are some wishes for your business in 2009:

1) your SAS 70 audit will be a success.

2) you will find too many customers who want to pay you too much on the same day that you run out of coffee.

3) Every city in America will realize the value of information and access to the internet. Therefore, the U.S. Government will offer low interest loans to build a Data center in every city.

4) You learn how to work smarter, not harder. Take advantage of your access to a local data center and further your education. Perform research with your neighbors across the world and develop new technologies.

5) The new technologies will lead you to new successful business ventures that will complement or add to your current services. SAS70Expert at gmail.com

Nov 27 2008   4:37PM GMT

Have you been Clickjacking lately? SAS70



Posted by: sas70expert
vendors, browsers, internet, internet explorer, SaaS, firefox, Opera, SAS 70, Clickjacking, Safari

Clickjacking threatens all major internet browsers: Internet Explorer, Mozilla Firefox, Safari and Opera. What is it? Clickjacking is not when your wife takes over the remote control. It is when a browser user moves the mouse to a visible button, such as a sign-in button, but a hidden page element has been layered with that button so the user cannot see it. When the user clicks, he unknowingly sends information to, or takes an action on, an unauthorized site. This could destroy the legitimacy of your web application or your SaaS.

 

There are several possible solutions to this attack, but a complete one requires updates by the browser vendors. Firefox has a stop-gap solution in place, the NoScript extension. It is a technical solution and not for everyone. If you process credit card information, your SAS 70 auditor will look to see what precautions you have taken. What measures do you have in place?
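As an added example (not from the original post), here is a Python check that an auditor or developer can run over a web application's response headers to see whether it sends the server-side anti-framing headers that browsers honour today, X-Frame-Options and the Content-Security-Policy frame-ancestors directive. Both headers were introduced after this post was written; the sample header sets and the recommended values are assumptions of the example.

```python
"""Added example (not from the original post): check whether an HTTP response
carries the server-side anti-framing headers that complement the browser-side
NoScript stop-gap, and produce the recommended header set."""
from typing import Dict, Mapping, Optional, Tuple


def frame_ancestors_directive(csp: str) -> Optional[str]:
    """Return the value of the frame-ancestors directive in a CSP header, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]).lower()
    return None


def framing_protection(headers: Mapping[str, str]) -> Dict[str, object]:
    """Classify a response's clickjacking protection from its headers.

    Returns {'protected': bool, 'findings': [str, ...]}.  Header names are
    matched case-insensitively, as HTTP requires.  Either a restrictive
    X-Frame-Options or a restrictive frame-ancestors counts as protection;
    the findings list whatever is missing or weak.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    protected = False

    xfo = lowered.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        protected = True
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is not honoured by most browsers; use CSP frame-ancestors")
    elif xfo:
        findings.append("unrecognised X-Frame-Options value: " + xfo)
    else:
        findings.append("X-Frame-Options header missing")

    csp = lowered.get("content-security-policy")
    ancestors = frame_ancestors_directive(csp) if csp else None
    if ancestors is None:
        findings.append("Content-Security-Policy frame-ancestors directive missing")
    elif "*" in ancestors.split():
        findings.append("frame-ancestors allows any origin (*)")
    else:
        protected = True
    return {"protected": protected, "findings": findings}


def recommended_headers(allowed_origins: Tuple[str, ...] = ()) -> Dict[str, str]:
    """Headers a site should send.  With no allowed origins, deny all framing;
    otherwise allow only the site itself and the listed origins."""
    if allowed_origins:
        return {
            "X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self' " + " ".join(allowed_origins),
        }
    return {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'"}


if __name__ == "__main__":
    # Constructed samples: a bare response and the hardened header set.
    for name, sample in {
        "unprotected": {"Content-Type": "text/html"},
        "hardened": recommended_headers(),
    }.items():
        print(name, framing_protection(sample))
```

Feed `framing_protection` the headers captured from a real response (for example from `http.client`) and record the findings as evidence for the audit; a page that needs to be embedded by a partner should list that partner's origin in `recommended_headers` rather than dropping the protection altogether.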



Nov 26 2008   2:17AM GMT

Have you checked your email today? – SAS70



Posted by: sas70expert
DataCenter, SAS 70, ActiveDirectory

When considering the scope of your SAS 70 audit, do you consider email an important company asset? Would it contain critical information on your customers? 9 out of 10 times an email will contain customer financial data, executive contact information, and related gossip. Some SAS 70 audits fail to note the importance of maintaining the security of company email systems.

 

Email systems must be protected from internal and external threats. Employees gaining access to other employees' mailboxes, or hackers breaking into your email servers, could walk away with critical information. Executives would not be happy to receive notice of a lawsuit by a customer because a hacker gained the schematics of their datacenter from an email.

 

If you are using ActiveDirectory, perform periodic reviews of the users with access to email. In addition, limit administrators to as few as possible. Make sure your user access procedures are documented, approved, and implemented for your company. Terminated employees must be removed from email access immediately. Implementing these fundamental controls will assist you in the completion of your SAS70 audit. SAS70expert@gmail.com
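The periodic review described above, as an added Python example that is not from the original post: it compares a directory export of mailbox-enabled accounts with an HR termination feed, flags terminated users who still have email access, lists accounts that have not logged on recently, and checks whether the administrator population exceeds an agreed cap. The records, field names and thresholds are all constructed for the example.

```python
"""Added example (not from the original post): a periodic review of mailbox
access.  The directory export and HR feed below are constructed; the field
names, the 90-day staleness window and the two-administrator cap are assumed
review parameters, not values the post gives."""
from datetime import date, timedelta

# Constructed directory export: one row per mailbox-enabled account.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_logon": date(2008, 11, 20), "groups": {"Exchange Admins", "Domain Admins"}},
    {"user": "bob", "enabled": True, "last_logon": date(2008, 6, 1), "groups": set()},
    {"user": "carol", "enabled": True, "last_logon": date(2008, 11, 24), "groups": {"Exchange Admins"}},
    {"user": "dave", "enabled": False, "last_logon": date(2008, 9, 30), "groups": set()},
    {"user": "erin", "enabled": True, "last_logon": date(2008, 11, 25), "groups": {"Exchange Admins"}},
]

# Constructed HR feed: users whose employment ended and on what date.
TERMINATED = {"bob": date(2008, 10, 15), "dave": date(2008, 9, 30)}

# Groups that grant administrative control over the mail system (assumed names).
ADMIN_GROUPS = {"Exchange Admins", "Domain Admins"}

TODAY = date(2008, 11, 26)  # review date, matching the post's date


def review_mailbox_access(accounts, terminated, today, stale_days=90, max_admins=2):
    """Return review findings keyed by category.

    terminated_still_enabled: HR says the person left, but the account still has mail access.
    stale: enabled accounts with no logon within stale_days (candidates for disabling).
    admins: enabled members of an administrative group.
    too_many_admins: True when the admin count exceeds max_admins.
    """
    findings = {"terminated_still_enabled": [], "stale": [], "admins": []}
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot read mail; nothing to flag
        if acct["user"] in terminated:
            findings["terminated_still_enabled"].append(acct["user"])
        if acct["last_logon"] < cutoff:
            findings["stale"].append(acct["user"])
        if acct["groups"] & ADMIN_GROUPS:
            findings["admins"].append(acct["user"])
    findings["too_many_admins"] = len(findings["admins"]) > max_admins
    return findings


def run_review():
    """Run the review over the constructed data."""
    return review_mailbox_access(ACCOUNTS, TERMINATED, TODAY)


if __name__ == "__main__":
    for category, value in run_review().items():
        print(f"{category}: {value}")
```

In practice the `ACCOUNTS` list would be replaced by an export from the directory (for example a PowerShell or LDAP query saved to CSV) and `TERMINATED` by the HR system's feed; keeping the output of each run is the evidence the auditor will ask for.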


Nov 25 2008   1:36AM GMT

Capacity and Utilization is No. 1 in 2008 - SAS70



Posted by: sas70expert
DataCenter, SAS 70

Even without the SAS70 requirement, capacity and utilization should be a major focus within your DataCenter environment. If you want your energy costs to be controlled, simply turn off some of your servers and desktops. The turn-off approach can result in a nearly 10% decrease in power consumption for every 100 servers, says Nemertes Research. In addition, this will allow the servers in operation to have better processing performance.

Power management may be automated. Software applications will monitor power consumed and turn off equipment when the need decreases. The software will also produce power and capacity usage reports that may be used to further customize your operations.

SAS 70 audits will require you to manage your operations not only to protect your customers' data, but to verify that your service level agreements are met. SAS70expert at gmail.com
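The decision logic behind such automated power management, as an added Python example that is not from the original post: each server's recent utilization samples are examined, servers idle for the whole window are proposed for power-down, and a higher wake threshold gives the decision hysteresis so a server is not switched off and on repeatedly. The utilization figures, window length and thresholds are constructed for the example.

```python
"""Added example (not from the original post): decide which servers can be
powered down from recent utilization samples.  The samples and thresholds are
constructed; a real tool would read them from its monitoring agents."""

# Constructed hourly CPU utilization (%) over the last six hours, per server.
UTILISATION = {
    "web01": [42, 55, 48, 61, 50, 47],
    "web02": [3, 2, 4, 1, 2, 3],
    "batch01": [1, 1, 2, 80, 95, 60],
    "db01": [35, 30, 33, 29, 31, 34],
    "mon01": [8, 10, 12, 9, 11, 10],
}


def idle_candidates(samples, idle_pct=5.0, window=6):
    """Servers whose every sample in the last `window` hours is below idle_pct.

    Requiring the whole window to be idle avoids switching off a batch host
    that happens to be quiet at the moment of the check.
    """
    return sorted(
        name for name, s in samples.items()
        if len(s) >= window and max(s[-window:]) < idle_pct
    )


def power_plan(samples, idle_pct=5.0, wake_pct=20.0, window=6):
    """Per-server decision with hysteresis.

    'off'  : idle for the whole window, power down.
    'on'   : any recent sample at or above wake_pct, must stay (or come back) on.
    'keep' : between the two thresholds, leave the current state unchanged so
             that load hovering around one threshold does not cause flapping.
    """
    plan = {}
    for name, s in samples.items():
        recent = s[-window:]
        if len(recent) >= window and max(recent) < idle_pct:
            plan[name] = "off"
        elif max(recent) >= wake_pct:
            plan[name] = "on"
        else:
            plan[name] = "keep"
    return plan


def usage_report(samples, plan):
    """Summary for the capacity report: average load of the servers kept running."""
    running = [name for name, state in plan.items() if state != "off"]
    if not running:
        return {"running": 0, "avg_utilisation": 0.0}
    avg = sum(sum(samples[n]) / len(samples[n]) for n in running) / len(running)
    return {"running": len(running), "avg_utilisation": round(avg, 1)}


if __name__ == "__main__":
    plan = power_plan(UTILISATION)
    print("power-down candidates:", idle_candidates(UTILISATION))
    print("plan:", plan)
    print("report:", usage_report(UTILISATION, plan))
```

The thresholds are the part to tune per environment: the idle level must sit below whatever a server draws at rest with its agents running, and the window must be long enough to cover the quiet periods of scheduled jobs.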


Nov 17 2008   11:23PM GMT

SaaS and SAS70 – SAS70ExPERT



Posted by: sas70expert
Management, Access control, Data center operations, Network, SaaS, SAS 70

As more outsourcing of applications takes place in this economy by using SaaS (software-as-a-service), is management producing cost savings, and how many SAS 70 reports will you be required to collect: from the data center operations, the IT support vendor, and the application provider?

 

When you perform your cost-benefit analysis, items to consider are:

  • Who will benefit from access control for your application?
  • From where will your visitors, employees and customers be connecting to your information: a VPN network, a cellphone or PDA, or another web-enabled device?
  • How will you obtain more control over your licensing costs?

As you develop a strategic plan to use SaaS, build close working relationships with your vendors and define those relationships carefully in your contracts. Keep your contracts and service level agreements updated to match your needs, and develop tools to monitor how well your vendor is meeting your requirements.

 

A SAS 70 audit must be performed on your SaaS vendor to give you assurance of the reliability, confidentiality and integrity of the service provided to you and your customers. Control objectives may be similar or different, but a careful examination of the audit report should be performed in order to determine that your data is secure. SAS70ExPERT.biz


Sep 22 2008   12:21PM GMT

SAS70 audits require preventative maintenance too!



Posted by: sas70expert
Incident response, Management, Risk management, DataCenter, cooling systems, SAS 70

During a SAS 70 audit of your DataCenter, an auditor will examine the installation of generators, cooling systems, and UPS backup systems. Questions will arise not only about installation, but about continuing preventative maintenance and incident response. An integrated approach should be followed: a holistic plan that clearly identifies scheduling, execution, documentation, risk management, and continuing follow-up inspections.

When preventative maintenance occurs, one of four results can be expected:

  • a potential issue is identified and immediate action is taken to prevent a future failure;
  • a potential issue is identified and a repair is scheduled;
  • the regular maintenance does not uncover any potential repair;
  • a defect is uncovered and unanticipated repair time occurs.

In order to optimize maintenance windows, managers should keep records of the age of equipment, its operating and environmental history (temperature, voltage, run-time, abnormal events), and operating characteristics such as noise, temperature and vibration. Where is your preventative maintenance plan, and do you have service level agreements in place today to monitor your network services?
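A maintenance schedule derived from those records, as an added Python example that is not from the original post: the equipment register is constructed, and the rule that each logged abnormal event pulls the next service date forward by 30 days is an assumed policy rather than one the post states. The output is the list an operations manager would take into the next planning meeting: units already overdue, ordered by how overdue they are, and units falling due within the planning horizon.

```python
"""Added example (not from the original post): build a preventative
maintenance schedule from an equipment register.  The register, the service
intervals and the abnormal-event penalty are constructed/assumed values."""
from datetime import date, timedelta

# Constructed register: one row per generator, cooling unit or UPS.
EQUIPMENT = [
    {"id": "GEN-1", "installed": date(2003, 5, 1), "last_service": date(2008, 6, 15), "interval_days": 90, "abnormal_events": 0},
    {"id": "UPS-A", "installed": date(2006, 2, 10), "last_service": date(2008, 8, 1), "interval_days": 180, "abnormal_events": 2},
    {"id": "CRAC-3", "installed": date(2000, 9, 20), "last_service": date(2008, 7, 10), "interval_days": 90, "abnormal_events": 0},
    {"id": "CRAC-4", "installed": date(2008, 1, 5), "last_service": date(2008, 9, 1), "interval_days": 90, "abnormal_events": 0},
]

REVIEW_DATE = date(2008, 9, 22)  # the post's date, used as "today"


def next_due(record, event_penalty_days=30):
    """Next service date: last service plus the interval, pulled earlier by
    event_penalty_days for every abnormal event logged since (assumed policy)."""
    days = record["interval_days"] - event_penalty_days * record["abnormal_events"]
    return record["last_service"] + timedelta(days=max(days, 0))


def schedule(records, today, horizon_days=30):
    """Return (overdue_ids, due_soon_ids).

    Overdue units are ordered most-overdue first, with older installations
    first on a tie; due-soon units fall within horizon_days of today.
    """
    overdue, due_soon = [], []
    for rec in records:
        due = next_due(rec)
        if due < today:
            overdue.append((due, rec["installed"], rec["id"]))
        elif due <= today + timedelta(days=horizon_days):
            due_soon.append((due, rec["installed"], rec["id"]))
    return ([i for _, _, i in sorted(overdue)], [i for _, _, i in sorted(due_soon)])


if __name__ == "__main__":
    overdue, soon = schedule(EQUIPMENT, REVIEW_DATE)
    print("overdue:", overdue)
    print("due within 30 days:", soon)
    for rec in EQUIPMENT:
        print(rec["id"], "next due", next_due(rec))
```

Recording the outcome of each completed service against the register (which of the four results occurred, and any repair time) is what turns this from a calendar into the maintenance history the auditor will ask to see.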



Aug 14 2008   12:01PM GMT

What is the difference between a Type I and a Type II SAS70 report? SAS70ExPERT



Posted by: sas70expert
Compliance, Auditing, DataCenter, SAS 70

Your largest customer called and asked for your SAS 70 audit report, and which type of audit was completed. Do you perform a Type I or a Type II? Don't flip a coin; you must consider your objectives.

 

A SAS 70 Type I audit report provides an audit opinion on your company's operating environment. A Type II report combines the elements of a Type I report but requires extensive testing over a defined period of time. Which is more appropriate for your organization? In accountant speak, it depends.

 

Consider these objectives: determine what your customers require and where your operating and IT controls need improvement; whether your policies and procedures are well documented; and how much you can afford. In general, a company would first perform a Type I, then a Type II SAS 70 audit. You may not have been reviewing firewall logs or monitoring user access to your Exchange server over a six-month period, as a Type II audit requires. Therefore, a Type I would be more suitable. In addition, performing a Type I audit first would allow you to quickly learn the areas of improvement within your IT framework. Which type of SAS 70 audit are you pursuing, and what are your objectives? Sas70expert@gmail.com


Aug 8 2008   4:09PM GMT

Do Risk Assessments increase profits? SAS 70 (part two)



Posted by: sas70expert
Risk management, CIO, DataCenter, SAS 70

When performing your risk assessment as required for the SAS70 audit — dive in head first, but keep your eyes focused on the details. Meet with C-level executives and line-level managers and have direct and open discussions about the perils that your company faces. Don’t be afraid to ask questions or confront CIO’s with pointed questions. If they don’t know the answer or the risk, you are already in big trouble.

 

Three goals CIO's should keep in mind during these uncertain economic times are to:

1) reduce operating expenses

2) increase capacity in the data center

3) improve reliability of IT infrastructure

 

If you determine the risks of not meeting these three objectives, then you are well on your way to completing a reliable risk assessment. Sas70expert@gmail.com


Aug 7 2008   7:06PM GMT

Do Risk Assessments increase profits? SAS 70 (part one)



Posted by: sas70expert
Security management, Security, Information risk management, Risk management, Financials, CIO, DataCenter, CFO, SAS 70, CSO

SAS70 audits are becoming a standard for any outsourced organization. As part of the audit process, a company must perform an internal risk assessment of its IT and business-related risks. According to a recent survey of IT executives, here are the top five areas of most concern:

 

  1. Security
  2. Systems management tools
  3. Virtualization solutions
  4. Product road map
  5. Power consumption

 

While power consumption was number five, I think that it has taken on greater significance today than ever before. If you are paying $4.50 at your local gas dealer, then you can expect to continue to pay higher prices for electricity for your data center. What steps are you taking to conserve energy? Are you a part of a "green revolution"? From the component level, through the server and rack level and all the way up to the datacenter, I would expect everyone is finding ways to cut costs and increase profit. I think a risk assessment which reviews the operating details of your company will assist you in meeting corporate objectives.



Aug 6 2008   6:35PM GMT

Face up to Biometrics for your SAS70 audit (SAS 70)



Posted by: sas70expert
Security management, Third-party services, Security, Identity & Access Management, Security Program Management, Compliance, Auditing, Access, Access control, CIO, DataCenter, Security tokens, SAS 70

Biometric systems are used today not only at your data center/co-location facility, but for plain ole' laptop access. Finger, hand and thumb prints provide you access to all your critical data. In addition, iris/retinal scans and facial recognition provide credentials that are hard to forge. What are you using within your company?

 

For a SAS 70 audit, critical areas to review related to biometrics are:

1) enrollment process for a new user

2) accuracy and monitoring of the biometric device

3) termination of users

 

During enrollment, an individual’s biometric template is created in a database. Make sure you have a documented process for adding and authorizing new users to the database. You must know who may authorize access, and how much access to give the new employee.  

 

Determine the accuracy and monitoring of biometric usage. Review who has used the biometric device by reviewing the logs and identifying any unusual activity. For example, if you note that Bob has entered the facility 3 times and there is no exit, then your device may not be working properly.

 

Last, if Adam quits or Alice is fired, then how do you know to delete their credentials from the system? Make sure Human Resources has a policy to notify you immediately when a person needs to be removed from the system. IT should have a checklist of items/inventory to be returned when an employee exits, and the form should include a sign-off to indicate removal from the biometric device.
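The log review from point 2 and the termination check from point 3, as an added Python example that is not from the original post: a constructed export from a door controller is replayed, tracking whether each person is inside or outside, so that an entry with no exit since the previous entry (the Bob case above) or an exit with no prior entry is flagged, and any credential used after the person's termination date is reported. The log format, user names and termination feed are all constructed for the example.

```python
"""Added example (not from the original post): review a biometric door
controller's log for entries without matching exits and for credentials used
after termination.  The log lines and HR feed below are constructed."""
from datetime import datetime, date

# Constructed controller export: date, time, action, user, door.
LOG = """\
2008-11-25 08:02:11 ENTRY bob main-door
2008-11-25 08:05:40 ENTRY carol main-door
2008-11-25 09:10:02 ENTRY bob main-door
2008-11-25 12:01:15 EXIT carol main-door
2008-11-25 13:30:00 ENTRY bob main-door
2008-11-25 14:00:00 EXIT dave main-door
2008-11-26 07:55:09 ENTRY alice main-door
"""

# Constructed HR feed: last working day per terminated user.
TERMINATED = {"alice": date(2008, 11, 21)}


def parse_log(text):
    """Yield (timestamp, action, user, door) tuples from the export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, action, user, door = line.split()
        yield datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), action, user, door


def review_access(text, terminated):
    """Return {'findings': [...], 'still_inside': [...]}.

    A user is 'inside' after an ENTRY until an EXIT.  A second ENTRY while
    inside, or an EXIT while outside, points to a faulty reader, tailgating
    or a gap in the log; a credential used after the HR termination date
    means the removal step in the exit checklist was missed.
    """
    inside = {}
    findings = []
    for ts, action, user, door in parse_log(text):
        end = terminated.get(user)
        if end is not None and ts.date() > end:
            findings.append(f"{ts} {user}: credential used after termination on {end}")
        if action == "ENTRY":
            if inside.get(user):
                findings.append(f"{ts} {user}: entry at {door} with no exit since last entry")
            inside[user] = True
        elif action == "EXIT":
            if not inside.get(user):
                findings.append(f"{ts} {user}: exit at {door} with no prior entry")
            inside[user] = False
        else:
            findings.append(f"{ts} {user}: unknown action {action!r}")
    return {"findings": findings, "still_inside": sorted(u for u, v in inside.items() if v)}


def run_review():
    """Run the review over the constructed log and HR feed."""
    return review_access(LOG, TERMINATED)


if __name__ == "__main__":
    result = run_review()
    for finding in result["findings"]:
        print(finding)
    print("still inside at end of log:", result["still_inside"])
```

Run daily against the controller's export and keep the output with the HR notification and the signed exit checklist; together they show the auditor that the device is monitored and that terminations reach the biometric system.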
