Aug 6 2008 6:35PM GMT
Posted by: sas70expert
Tags: Security management, Third-party services, Security, Identity & Access Management, Security Program Management, Compliance, Auditing, Access, Access control, CIO, DataCenter, Security tokens, SAS 70
Biometric systems are used today not only at your data center or co-location facility, but for plain old laptop access. Finger, hand and thumb prints provide access to all your critical data. In addition, iris/retinal scans and facial recognition provide credentials that are much harder to forge than a password or a badge. What are you using within your company?
For a SAS 70 audit, critical areas to review related to biometrics are:
1) enrollment process for a new user
2) accuracy and monitoring of the biometric device
3) termination of users
During enrollment, an individual’s biometric template is created and stored in a database. Make sure you have a documented process for adding and authorizing new users to that database: who may authorize access, how the person’s identity is verified before the template is captured, and how much access the new employee receives.
Determine the accuracy and monitoring of biometric usage. Review who has used the biometric device by reviewing the logs and identifying any unusual activity. For example, if you note that Bob has entered the facility 3 times and there is no exit, then either the exit reader is not recording, Bob is leaving behind someone else, or the log is incomplete; in any case the device, or the control around it, is not working properly.
Last, if Adam quits or Alice is fired, how do you know to delete their credentials from the system? Make sure Human Resources has a policy to notify you immediately when a person needs to be removed from the system. IT should have a checklist of items/inventory to be returned when an employee exits, and the form should include a sign-off to indicate removal from the biometric device.
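The log review described in the three areas above, as an added example (not code from the original post): it runs over a constructed sample of reader events, flags users with repeated entries and no recorded exit, and flags reader use by people Human Resources has listed as terminated. The log format (one `timestamp,user,door,ENTRY|EXIT` line per event), the sample lines and the HR termination list are all assumptions made for the illustration.

```python
"""Review of biometric reader logs for a SAS 70 access-control walkthrough.

Added example; the log format, the sample events and the HR feed below are
constructed for illustration and are not real data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format: ISO timestamp,user,door,ENTRY|EXIT).
# Bob has three entries and no exit, the anomaly described in the post;
# Alice uses the reader after HR recorded her termination.
SAMPLE_LOG = """\
2008-08-04T07:58:12,bob,dc-east,ENTRY
2008-08-04T08:03:40,carol,dc-east,ENTRY
2008-08-04T09:15:02,bob,dc-east,ENTRY
2008-08-04T11:42:55,carol,dc-east,EXIT
2008-08-04T13:20:31,bob,dc-east,ENTRY
2008-08-05T06:50:00,alice,dc-east,ENTRY
2008-08-05T15:01:10,alice,dc-east,EXIT
"""

# Constructed HR feed: user -> date from which their access should be gone.
TERMINATED = {"alice": datetime(2008, 8, 1)}


def parse_log(text):
    """Parse reader events into (timestamp, user, door, event) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, door, event = line.split(",")
        if event not in ("ENTRY", "EXIT"):
            raise ValueError("unknown event %r on line %r" % (event, line))
        events.append((datetime.fromisoformat(ts), user, door, event))
    events.sort(key=lambda e: e[0])
    return events


def entries_without_exit(events):
    """Return {user: count} of ENTRY events never closed by an EXIT.

    An ENTRY while the user is already marked inside means the exit reader did
    not record, the user tailgated out, or the log is incomplete. The final
    open entry is counted too, so if the log window ends mid-shift the last
    count for a user still on site is expected and should be confirmed by hand.
    """
    inside = {}                 # user -> True while an unmatched ENTRY is open
    unmatched = defaultdict(int)
    for _ts, user, _door, event in events:
        if event == "ENTRY":
            if inside.get(user):
                unmatched[user] += 1
            inside[user] = True
        else:
            inside[user] = False
    for user, still_inside in inside.items():
        if still_inside:
            unmatched[user] += 1
    return dict(unmatched)


def access_after_termination(events, terminated):
    """Return events where a user HR lists as terminated still used the reader."""
    return [e for e in events
            if e[1] in terminated and e[0] >= terminated[e[1]]]


def review(text, terminated):
    """Run both checks and return findings in a form that can go into the workpaper."""
    events = parse_log(text)
    return {
        "entries_without_exit": entries_without_exit(events),
        "access_after_termination": [
            (e[0].isoformat(), e[1], e[2], e[3])
            for e in access_after_termination(events, terminated)
        ],
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG, TERMINATED).items():
        print(name, finding)
```

Run against the sample, the review reports Bob with three unmatched entries and two reader events by Alice after her termination date. In a real review the HR feed should be the system of record, not a spreadsheet kept by IT, so that the termination check catches people IT was never told about.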
Jul 16 2008 3:14PM GMT
Posted by: sas70expert
Tags: Security management, Third-party services, Security, Identity & Access Management, Management, Security Program Management, Compliance, Risk management, Auditing, Access control, Network Management Systems, CIO, DataCenter, Exchange, power systems, SAS 70, TrendMicro
Exchange servers, and servers in general, are increasingly being added to the electric grid, increasing the world’s energy consumption, carbon emissions and waste streams. A recent report stated that “U.S. server electricity consumption has doubled in the past five years and now equals that of color TVs.” SAS 70 audits review logical and network-related controls for servers, but they do not consider energy consumption or the quality of a company’s environmental efforts.
All kinds of new energy-saving ideas are being developed, including compressed-air backup generators. Greenpeace has developed a “Guide to Greener Electronics.” The guide ranks the 18 top manufacturers of personal computers, mobile phones, TVs and games consoles according to their policies on toxic chemicals and recycling.
I think that this is great, but is it sustainable considering our population’s demand for service NOW!? In an electronic age, where I can practically order anything, see any TV show, or buy any music at the touch of a button on my iPhone, can we expect businesses to choose green over a quick dollar? As datacenter demand grows and more server bandwidth is required – will you stop and say “No, I want my children to enjoy clean air, and clean water.” Or will you push forward with a browner (less green) alternative computing solution? Should SAS 70 audits evaluate environmental and energy efforts? sas70expert at gmail.com
Jun 26 2008 4:30AM GMT
Posted by: sas70expert
Tags: Security management, Third-party services, Database issues, Networking, Network security, Firewalls, Incident response, Security, Network monitoring, Identity & Access Management, Information risk management, routers, Management, Security Program Management, Compliance, Viruses, Database, patching, Configuration, Database Management Systems, business/IT alignment, Auditing, Monitoring, Access, Access control, Network Management Systems, Data center design, Network, CIO, DataCenter, DataManagement, CEO, management software, Security tokens, Patch management, CFO, router configuration, SAS 70, CSO, Intrusion management, TrendMicro
Are you reviewing your firewall rules quarterly? Have you implemented an intrusion detection system (IDS)? Are your routers configured to keep unauthorized intruders out? Do you have current virus protection with up-to-date signatures? Are you performing a SAS 70 audit every six months? Database security breaches are increasing daily and costing tremendous sums that should have been spent on IT projects. You should at least have an incident response plan in place for when data loss occurs. Without such a plan, the breach could continue unnoticed and the legal costs could keep escalating.
Jun 25 2008 11:21AM GMT
Posted by: sas70expert
Tags: Third-party services, Networking, Security, Identity & Access Management, routers, Compliance, Encryption, business/IT alignment, Auditing, Monitoring, Access control, CIO, DataCenter, DataManagement, CEO, FTP, instant messaging, CFO, Email, Exchange, SAS 70, CSO
Various transport methods, such as email, instant messaging and FTP, with or without encryption, have been implemented to share files and data between companies. But many of these methods lack security, manageability, and the ability to track and log the transfer of information. Increasing regulations and SAS 70 audit guidelines require that the privacy and security of data be maintained. What data transfer method are you using, and is it secure, manageable and auditable?
The types of data transfer continue to evolve, and the variety of parties with whom companies exchange data is also changing. For example, many companies outsource processes that they used to perform in-house, and some of those processes are performed overseas, especially in India. How much control do you have over your outsourced vendor? How do you know that their process for transferring data is secure and managed appropriately?
Jun 22 2008 11:50PM GMT
Posted by: sas70expert
Tags: Networking, Security, Strategic Enterprise Management, Identity & Access Management, Compliance, business/IT alignment, Auditing, Monitoring, CIO, DataCenter, CEO, CFO, SAS 70, budget, budgeting, CSO
An IT strategic plan is critical to being a success in today’s economy and to growing your CIO career. Don’t be afraid to define some concrete details about your datacenter network and the IT security it requires. Here are some important characteristics of an IT strategic plan:
Timing/Length – Start NOW! You can’t get there without an IT roadmap. Build it in increments of one year, three years and five years.
Scope – Obtain the business goals and objectives. Understand how information technology will support achievement of these goals. Design your IT plan not only to meet these objectives, but to add additional value and revenue as each goal is attained.
Presentation – Keep it simple. From the boardroom to the staff meeting, keep everyone focused on the high-level IT goals. Be specific about how IT and the business will work together to meet the requirements. Simple statements that drive your IT department toward success are best.
Monitoring – Put measurements in place, including deadlines. Monitor them like a hawk. The goal is not precision, but to keep moving forward. Revise and update the IT plan as necessary.
Communicate – How does the boardroom know you are a success? You are your own marketer, and so is your staff. When you complete an IT project successfully, be sure to inform your staff and your management. Identify the internal and external meetings at which to report.
SAS70ExPERT@gmail.com
Jun 19 2008 2:28PM GMT
Posted by: sas70expert
Tags: Third-party services, Active Directory, Security, Microsoft Windows, Identity & Access Management, Compliance, Auditing, Access, Access control, CIO, DataCenter, DataManagement, Single sign-on, Exchange, SAS 70, CSO
Is it Yahoo? Or Google? Or? Shouldn’t it be the individual consumer? Every time you register on a website to download a movie or order a box of nuts, that information is being recorded. Some websites don’t keep this information confidential; it gets swept up by search engine indexing, and your name, address and phone number may appear in random searches run by someone in Antarctica.
Without additional privacy legislation and SAS 70 audits, your personal information may not be so personal anymore. Currently, if your personal information is leaked to the public, companies only have to inform you of the data breach and provide you with a credit monitoring service. Does this seem fair? Should you have a single sign-on that is secure and whose corruption can be prevented?