Jul 6 2008 4:18PM GMT
Posted by: sas70expert
Security management,
Administration,
Security,
Information risk management,
Management,
Security Program Management,
Compliance,
Risk management,
human factors,
Auditing,
Monitoring,
Access,
Access control,
Network Management Systems,
Network,
CIO,
DataCenter,
CFO,
SAS 70,
CSO
My business requires distribution and collection of data. Much of it resides on a centrally located server; however, there is data on the laptop that has never been transferred over to the server or that may have been taken off the server for project work. As human beings we will never be perfect. Someone will lend access to their laptop to a friend or customer, a laptop will be lost or stolen, and an unprotected USB drive is a loaded gun just waiting to have the trigger pulled so that data can be transferred off your laptop. Laptops with sensitive data that goes unprotected, can become a media nightmare, a legal hassle and a may limit your customer retention and market growth — a serial killer that stops your business growth and the vendors that support you.
To protect data loss, we now have L0-jack services for laptops when they are stolen. The laptop can be found and once connected to a network will be shut down.But what about the ease we have to install and transfer data to others using USB drives. Even if you use a USB drive that requires a password, is that enough security? I have read recently that laptops were returned after being lost that contained sensitive data such as social security numbers for big companies – including Google. Now that they have the laptop back, is the risk over? What if the data was transferred off the laptop onto a USB drive?
Just like for the SAS70 audit, you have to perform a risk assessment to determine the controls that must be in place, and identify those that can be implemented as time permits. In the situation above, I don’t think focusing on the number of ways that data can be taken off laptops is the key to reducing risk. You should focus more on identifying the type of data that you have, mark the sensitive data, and control access to it – by limiting users, strengthening laptop controls around the sensitive data, and identifying opportunities to record transfer of sensitive data which would provide an audit trail. How are you controlling your data on your laptops?
Jul 1 2008 5:45PM GMT
Posted by: sas70expert
Security management,
Third-party services,
Administration,
Database issues,
Disaster Recovery,
Networking,
Active Directory,
Network security,
Storage,
Security,
Network monitoring,
Servers,
Microsoft Windows,
Information risk management,
Management,
Security Program Management,
Risk management,
human factors,
Database,
Database Management Systems,
business/IT alignment,
Access,
Financials,
Access control,
Industry Solutions,
Data center operations,
Network Management Systems,
Data center design,
Network,
CIO,
DataCenter,
DataManagement,
CEO,
management software,
Single sign-on,
FTP,
CFO,
cooling systems,
Backup & recovery,
Exchange,
Backup,
power systems,
SAS 70,
budget,
bugeting,
CSO
It’s election year and security to protect some of our most valuable assets is being discussed more frequently – including politicians and data privacy requirements (proposed Regulation S-P). Does that mean you should be considering the Secret Service to guard your data? I don’t think so; however, you should have a plan to manage risk of data loss. This plan should contain proactive thinking that promotes a culture of prevention. A SAS70 audit will assist you in determining your vulnerabilities and identifying weaknesses in information technology network; however, you must continually assess and evaluate scenarios, and stay informed of the latest and greatest networking threats. Communication and training are key to a data protection plan. What are some of the other characteristics?SAS70expert@gmail.com
Jun 28 2008 1:33AM GMT
Posted by: sas70expert
Security management,
Third-party services,
Administration,
Networking,
Security,
Strategic Enterprise Management,
Microsoft Windows,
Information risk management,
Career development,
Management,
Security Program Management,
Compliance,
Risk management,
human factors,
business/IT alignment,
Auditing,
Monitoring,
Financials,
Data center operations,
CIO,
DataCenter,
DataManagement,
CEO,
management software,
CFO,
Email,
Exchange,
SAS 70,
CSO
As you complete that CISSP or CISA designation and move up the corporate ladder, do you have the right skills to begin making the decisions as CSO or CIO? Even if you have a great understanding of IT operations(networking, disaster recovery, datacenter management), compliance(SAS70, Webtrust, Systrust, SOX), and leadership(Project management, financial budgeting and administration), if you don’t communicate effectively you will not make the list. IT leaders can write, speak until they are red in the face; however, if they are unable to speak general business language, the business audience will not support their IT objectives or provide funding. Some of the more important skills to have as CSO or CIO are:
- Communicate effectively
- Lead during a disaster
- Provide an IT strategy
What are the important skills that a CSO or CIO must have to be a success? As a team leader? To build Board support? To be an effective information technology project manager/business leader? To build another Google, Microsoft Windows, or Email Exchange?
SAS70ExPERT@gmail.com
