Jul 13 2008 7:19PM GMT
Posted by: sas70expert
Security management,
Administration,
Security,
Strategic Enterprise Management,
Information risk management,
Management,
Security Program Management,
Risk management,
business/IT alignment,
CIO,
DataCenter,
CEO,
CFO,
SAS 70,
CSO
Don’t be fooled by a big accounting name? A suit with a high priced song! No matter what they say, you have to read the SAS70 report in order to determine the depth of testing performed in a SAS70 audit. SAS70 audits have just now become in demand by industry leaders and you have to determine what value you want from the SAS70 audit. Do you need a box checked? Or will you use this audit process to improve your revenue, your internal controls, and to set you apart from your competition? Prices range all over the board – choose your poison wisely – either you choose an auditor with experience and see that their report provides you with the level of detail and testing to required to make your organization better or — you might as well gamble in Vegas more – and take the big accounting name with little testing that provides you with the check box you
Jul 9 2008 2:34AM GMT
Posted by: sas70expert
Security management,
Third-party services,
Network security,
Security,
Information risk management,
Compliance,
Encryption,
Auditing,
CIO,
DataCenter,
DataManagement,
CFO,
SAS 70,
CSO,
Intrustion management
Various transport methods, such as email, instant messaging, FTP, and encryption have been implemented to share files/data between Companies. But many methods suffer from security, manageability, and the ability to track/log the transfer of information. Increasing regulations and SAS70 audit guidelines are requiring that privacy and security of data be maintained. There are some new tools on the market, including L I N X T E R. http://linxter.com is a data transfer technology that enables programs to communicate through secure, reliable, and auditable channels. They are hyper connective communication channels that can be managed using a web-based tool.What data transfer methods are your using and is it secure, manageable and auditable?sas70expert@gmail.com
Jul 6 2008 4:18PM GMT
Posted by: sas70expert
Security management,
Administration,
Security,
Information risk management,
Management,
Security Program Management,
Compliance,
Risk management,
human factors,
Auditing,
Monitoring,
Access,
Access control,
Network Management Systems,
Network,
CIO,
DataCenter,
CFO,
SAS 70,
CSO
My business requires distribution and collection of data. Much of it resides on a centrally located server; however, there is data on the laptop that has never been transferred over to the server or that may have been taken off the server for project work. As human beings we will never be perfect. Someone will lend access to their laptop to a friend or customer, a laptop will be lost or stolen, and an unprotected USB drive is a loaded gun just waiting to have the trigger pulled so that data can be transferred off your laptop. Laptops with sensitive data that goes unprotected, can become a media nightmare, a legal hassle and a may limit your customer retention and market growth — a serial killer that stops your business growth and the vendors that support you.
To protect data loss, we now have L0-jack services for laptops when they are stolen. The laptop can be found and once connected to a network will be shut down.But what about the ease we have to install and transfer data to others using USB drives. Even if you use a USB drive that requires a password, is that enough security? I have read recently that laptops were returned after being lost that contained sensitive data such as social security numbers for big companies – including Google. Now that they have the laptop back, is the risk over? What if the data was transferred off the laptop onto a USB drive?
Just like for the SAS70 audit, you have to perform a risk assessment to determine the controls that must be in place, and identify those that can be implemented as time permits. In the situation above, I don’t think focusing on the number of ways that data can be taken off laptops is the key to reducing risk. You should focus more on identifying the type of data that you have, mark the sensitive data, and control access to it – by limiting users, strengthening laptop controls around the sensitive data, and identifying opportunities to record transfer of sensitive data which would provide an audit trail. How are you controlling your data on your laptops?
Jul 4 2008 12:30PM GMT
Posted by: sas70expert
Security management,
Third-party services,
Administration,
Network security,
Security,
Network monitoring,
Information risk management,
Compliance,
Auditing,
Access,
Network,
CIO,
DataCenter,
CEO,
CFO,
SAS 70,
Intrustion management
Yahoo Messenger, Googletalk, and AIM Messenger instant messaging services are frequently used by employees today for work and social networking. Less than 10% of companies today have policies and those that do have policies do not enforce them. Many SAS70 audits find installation of instant messaging software within corporate environments and that it may cause introduction of malicious coding or cause loss of sensitive data. Therefore, should IM security software be standard installation – whether in the form of email and internet security tools, appliances, or third-party hosted solutions. IM security software would protect against incoming Trojan horses/viruses and detect outgoing data loss by using content filtering; logging and archiving all IM messages, and ensure compliance with company policy. Are you using IM security software protection? If so, which one and is it on a third-party hosted platform? Have you found it to be effective?sas70expert@gmail.com
Jul 1 2008 5:45PM GMT
Posted by: sas70expert
Security management,
Third-party services,
Administration,
Database issues,
Disaster Recovery,
Networking,
Active Directory,
Network security,
Storage,
Security,
Network monitoring,
Servers,
Microsoft Windows,
Information risk management,
Management,
Security Program Management,
Risk management,
human factors,
Database,
Database Management Systems,
business/IT alignment,
Access,
Financials,
Access control,
Industry Solutions,
Data center operations,
Network Management Systems,
Data center design,
Network,
CIO,
DataCenter,
DataManagement,
CEO,
management software,
Single sign-on,
FTP,
CFO,
cooling systems,
Backup & recovery,
Exchange,
Backup,
power systems,
SAS 70,
budget,
bugeting,
CSO
It’s election year and security to protect some of our most valuable assets is being discussed more frequently – including politicians and data privacy requirements (proposed Regulation S-P). Does that mean you should be considering the Secret Service to guard your data? I don’t think so; however, you should have a plan to manage risk of data loss. This plan should contain proactive thinking that promotes a culture of prevention. A SAS70 audit will assist you in determining your vulnerabilities and identifying weaknesses in information technology network; however, you must continually assess and evaluate scenarios, and stay informed of the latest and greatest networking threats. Communication and training are key to a data protection plan. What are some of the other characteristics?SAS70expert@gmail.com
Jun 28 2008 1:33AM GMT
Posted by: sas70expert
Security management,
Third-party services,
Administration,
Networking,
Security,
Strategic Enterprise Management,
Microsoft Windows,
Information risk management,
Career development,
Management,
Security Program Management,
Compliance,
Risk management,
human factors,
business/IT alignment,
Auditing,
Monitoring,
Financials,
Data center operations,
CIO,
DataCenter,
DataManagement,
CEO,
management software,
CFO,
Email,
Exchange,
SAS 70,
CSO
As you complete that CISSP or CISA designation and move up the corporate ladder, do you have the right skills to begin making the decisions as CSO or CIO? Even if you have a great understanding of IT operations(networking, disaster recovery, datacenter management), compliance(SAS70, Webtrust, Systrust, SOX), and leadership(Project management, financial budgeting and administration), if you don’t communicate effectively you will not make the list. IT leaders can write, speak until they are red in the face; however, if they are unable to speak general business language, the business audience will not support their IT objectives or provide funding. Some of the more important skills to have as CSO or CIO are:
- Communicate effectively
- Lead during a disaster
- Provide an IT strategy
What are the important skills that a CSO or CIO must have to be a success? As a team leader? To build Board support? To be an effective information technology project manager/business leader? To build another Google, Microsoft Windows, or Email Exchange?
SAS70ExPERT@gmail.com
Jun 26 2008 4:30AM GMT
Posted by: sas70expert
Security management,
Third-party services,
Database issues,
Networking,
Network security,
Firewalls,
Incident response,
Security,
Network monitoring,
Identity & Access Management,
Information risk management,
routers,
Management,
Security Program Management,
Compliance,
Viruses,
Database,
patching,
Configuration,
Database Management Systems,
business/IT alignment,
Auditing,
Monitoring,
Access,
Access control,
Network Management Systems,
Data center design,
Network,
CIO,
DataCenter,
DataManagement,
CEO,
management software,
Security tokens,
Patch management,
CFO,
router configuration,
SAS 70,
CSO,
Intrustion management,
TrendMirco
Are you reviewing you firewall rules quarterly? Have you implemented an (IDS) intrusion detection system? Are your routers set up to prevent unauthorized intruders? Do you have the latest and greatest virus protection? Are you performing a SAS70 audit every six months? Database security breaches are increasing daily and costing tremendous amounts of dollars that should have been spent on IT projects. You should at least have an emergency plan in place when data loss occurs. Without an emergency plan in place, the breach could continue and the legal costs could continue to escalate.
