For any security program, you must start at the basics and begin with a information security plan. In a SAS 70 audit, an auditor will examine a CIO’s operations to determine that you have security program management, incident response, and that appropriate training is provided to your employees. Your security plan should include at least include:

·          Procedures to protect and provide access to IT systems and applications

·          Procedures to report incidents when they occur

·          Investigation practices required to prevent future incidents

·          The right to revoke any user access at anytime

Training should occur regularly for all employees and no employee should be granted access to your systems without taking your company’s network security training. Do you have a plan in place? If so, send me a generic sample and I will share it with our readers. Sas70expert@gmail.com

Yahoo Messenger, Googletalk, and AIM Messenger instant messaging services are frequently used by employees today for work and social networking. Less than 10% of companies today have policies and those that do have policies do not enforce them. Many SAS70 audits find installation of instant messaging software within corporate environments and that it may cause introduction of malicious coding or cause loss of sensitive data. Therefore, should IM security software be standard installation – whether in the form of email and internet security tools, appliances, or third-party hosted solutions. IM security software would protect against incoming Trojan horses/viruses and detect outgoing data loss by using content filtering; logging and archiving all IM messages, and ensure compliance with company policy. Are you using IM security software protection? If so, which one and is it on a third-party hosted platform? Have you found it to be effective?sas70expert@gmail.com

It’s election year and security to protect some of our most valuable assets is being discussed more frequently – including politicians and data privacy requirements (proposed Regulation S-P). Does that mean you should be considering the Secret Service to guard your data? I don’t think so; however, you should have a plan to manage risk of data loss. This plan should contain proactive thinking that promotes a culture of prevention. A SAS70 audit will assist you in determining your vulnerabilities and identifying weaknesses in information technology network; however, you must continually assess and evaluate scenarios, and stay informed of the latest and greatest networking threats. Communication and training are key to a data protection plan. What are some of the other characteristics?SAS70expert@gmail.com

Can we believe all the hype? Is there a green revolution afoot? From cars to energy to datacenters, everyone is going green. Datacenters have become very complex, with so many interactions among processors, rack systems, power and cooling systems, storage arrays, networks, and communications channels – that they can be regarded as unique virtual environments that consume large amounts of energy. Our need to have access to the internet anywhere and everywhere, requires more capacity and increasing speeds of datacenter components. What steps are you taking to become Green? SAS70ExPERT@gmail.com

Are you reviewing you firewall rules quarterly? Have you implemented an (IDS) intrusion detection system? Are your routers set up to prevent unauthorized intruders? Do you have the latest and greatest virus protection? Are you performing a SAS70 audit every six months? Database security breaches are increasing daily and costing tremendous amounts of dollars that should have been spent on IT projects. You should at least have an emergency plan in place when data loss occurs. Without an emergency plan in place, the breach could continue and the legal costs could continue to escalate.