For any security program, you must start at the basics and begin with a information security plan. In a SAS 70 audit, an auditor will examine a CIO’s operations to determine that you have security program management, incident response, and that appropriate training is provided to your employees. Your security plan should include at least include:
· Procedures to protect and provide access to IT systems and applications
· Procedures to report incidents when they occur
· Investigation practices required to prevent future incidents
· The right to revoke any user access at anytime
Training should occur regularly for all employees and no employee should be granted access to your systems without taking your company’s network security training. Do you have a plan in place? If so, send me a generic sample and I will share it with our readers. Sas70expert@gmail.com]]>
During a SAS 70 audit of your DataCenter, an auditor will examine the installation of generators, cooling systems, and UPS backup systems. Questions will arise not only about installation, but of continuing preventative maintenance and incident response. An integrated approach should be followed which has is a holistic plan that clearly identifies scheduling, execution, documentation, risk management, and continuing follow-up inspections.
When preventative maintenance occurs, four results can be expected:
· a potential issue is identified and immediate actions are taken to prevent a future failure.
· a potential issues is identified and a repair is scheduled
· the regular maintenance does not uncover any potential repair
· a defect is uncovered and unanticipated repair time occurs.
In order to optimize maintenance windows, Managers should maintain the age of equipment, history of operating and environmental experience (temperature, voltage, run-time, abnormal events), and operating characteristics such as noise, temperature and vibration. Where is your preventative maintenance plan and do you have service level agreements in place today to monitor your network services? SAS70ExPERT@gmail.com]]>
You should have a disaster recovery plan when a data breach occurs within your Company. SAS 70 audits mostly will require you to have a plan documented, but the details of the plan are usually not adequately reviewed. Every disaster recovery plan should have basic requirements which include:
If a disaster occurs – consider it like your home were burning….your most critical asset….a disaster recovery plan requires forethought and an impact analysis to make sure that your Company can still function on a day to day basis. Make sure you have a Disaster Recovery Plan ready for your SAS70 audit and so that you can come to work the next day. Sas70Expert@gmail.com]]>
Are you reviewing you firewall rules quarterly? Have you implemented an (IDS) intrusion detection system? Are your routers set up to prevent unauthorized intruders? Do you have the latest and greatest virus protection? Are you performing a SAS70 audit every six months? Database security breaches are increasing daily and costing tremendous amounts of dollars that should have been spent on IT projects. You should at least have an emergency plan in place when data loss occurs. Without an emergency plan in place, the breach could continue and the legal costs could continue to escalate.