Network

Nov 17 2008   11:23PM GMT

SaaS and SAS70 – SAS70ExPERT

Posted by: sas70expert
Management, Access control, Data center operations, Network, SaaS, SAS 70

As more outsourcing of applications takes place in this economy by using SaaS(software-as-a-service), is Management producing costs savings? and how many SAS70’s will you be required to collect? From the Data Center operations, the IT support vendor, and the application provider?

 

When you perform your cost-benefit analysis items to consider are

• Who will benefit from access control for your application
• From where will your visitors/employees/customers be connecting to your information, vpn network, cellphone or pda, or other web enabled device
• Obtain more control over your licensing costs
  

As you develop a strategic plan to use SaaS, build fundamental close relationships with your vendors and define them carefully in your contracts. Constantly update your contracts or service level agreements to match your needs and develop tools to monitor the success of your vendor meeting your requirements.

 

SAS70 must be performed on your SaaS vendor to provide you with the reliability, confidentiality and integrity of service to be provided to you and your customers. Control objectives may be similar or different, but careful examination of the audit report should be performed in order to determine that your data is secure. SAS70ExPERT.biz

Oct 1 2008   4:26AM GMT

Back to basics – Security awareness and education – SAS70

Posted by: sas70expert
Network security, Incident response, Security, Security Program Management, Network, CIO, SAS 70

For any security program, you must start at the basics and begin with a information security plan. In a SAS 70 audit, an auditor will examine a CIO’s operations to determine that you have security program management, incident response, and that appropriate training is provided to your employees. Your security plan should include at least include:

·          Procedures to protect and provide access to IT systems and applications

·          Procedures to report incidents when they occur

·          Investigation practices required to prevent future incidents

·          The right to revoke any user access at anytime

 

Training should occur regularly for all employees and no employee should be granted access to your systems without taking your company’s network security training. Do you have a plan in place? If so, send me a generic sample and I will share it with our readers.  Trackback URL

Sep 21 2008   9:22PM GMT

Security is essential for all new technology investments? SAS70

Posted by: sas70expert
Security management, Third-party services, Management, Auditing, Network, SAS 70

Which new technologies are you adopting? With Web 2.0, social networking, wikis, and blogs – oh mY! With so many new avenues to penetrate your market, the decisions you make today can effect the success of your SAS 70 audit. When evaluating new technology, always first determine your company objectives as we previously discussed. In addition, you will need to remember to consider what new security features must be implemented in your computing environment to prevent downtime. It is essential early in the process that you identify the threats, the risks, and then create a plan.

 

 In identifying threats, the assessment team must consider who or what could compromise a target system’s components such that the system’s security attributes would be jeopardized. You should focus on how the information assets and components differ from what you already have. In identifying the security risks, consider what will th total potential impact on the organization. When your system is compromised – and it will be – how would you handle the loss of critical data?

 

To address technology security risks, requires a documented plan and you must train your employees on how to enact the plan. The SAS70 audit will require you to have a plan in place and it will examine who are the participants in the plan. The plan should include not only IT, but operations and senior management. Where is your security plan?  Trackback URL

Sep 17 2008   3:35PM GMT

Risk Assessments and the SAS 70 audit

Posted by: sas70expert
Management, Risk management, Auditing, Monitoring, Access, Network, CIO, COBIT, SAS 70

Management’s risk assessment process is required to be audited in a SAS70 examination; however, in my experience, most auditors do not adequately review Management’s risk assessment process. Without adequate auditing experience, most auditors would not have a basis to determine if Management had reviewed the control risk universe. In addition, Management mostly does not formally document risks, but they are discussed only in Board meeting with among C-level executive’s. The COBIT risk assessment framework can provide Management with the criteria and the details that an inexperienced auditor may use as a guide to examine their risk assessment process

 

COBIT consists of information that is required to help achieve business objectives. You must first begin with a vulnerability analysis of your business operations. Then determine the threats to these vulnerabilities For example, your greatest risk may be related to the legal liabilities due to incorrect financial statements….. or something more simpler, like loss of a backup tape which contained your customers social security numbers. Third, determine the impact of this threat. Is it a million dollar monetary fine, or could your license to conduct business be taken away. The conclusion is an action plan after which the cycle can start again.

 

When the SAS 70 auditor discusses your risk assessment process, don’t be afraid to say that you have it all stored in your brain. Without risk documentation, an experience auditing firm will assist you in forming a roadmap of risks that lead to your business success. Mr. CIO, have you determine what are your business risks or your information technology risks today? Have you formally discussed and evaluated them with other c-level executives or with your peers and association’s within your industry. Note from the diagram below the a formal risk assessment process. Next time we will discuss each of these layers in detail. SAS70ExPERT@gmail.com

 

Asset Identification and Valuation

Vulnerability

Assessment

Threat

Assessment

Risk

Assessment

Counter-

measures

Control

Evaluation

Residual

Risk

Action

Plan

Sep 14 2008   11:17PM GMT

Encrypting for Security - SAS70

Posted by: sas70expert
Uncategorized, Networking, Network monitoring, Identity & Access Management, routers, Security Program Management, Encryption, Auditing, Development, Network

SAS 70 audits review the not only the security of your networks but of the data that is transported across your networks and on the security of your data that remains on your servers and laptops. Before choosing an encryption vendor, there are factors you consider:

• What administrative actions are required? Can keys be changed and modified by the user or does your network administrator have to take action? What if the key is compromised, can it be changed at will? If the key is changed, how do you remember it?
• What steps are taken to manage keys? Are keys kept in a secure database or are they managed individually? Independent solutions allow you more flexibility, but independent users may not always follow the company standards which may give hackers an opportunity.
• Are multiple keys supported and can you create a master? The more critical and sensitive the data, the tougher the key should be crack. 
• Is there PKI in corporation? Does the encryption product integrate with an existing PKI production ro des it require software in order to function? Any vendor solution should be able too.  Trackback URL

Sep 12 2008   5:17AM GMT

CIO’s deserve respect? Are you respectable and what are these characteristics? SAS70

Posted by: sas70expert
Compliance, Auditing, Network, CIO, SAS 70, CSO

SAS 70 audits focus on COSO controls and examine the leadership experience of executives and training. CIO’s and CSO’s march to the executive suite takes many paths. Opportunities to lead in the C-Level suite come in many forms….some are perhaps luck, others are from angels, but what job titles lead to the CIO or CSO role? According to a recent survey, most CIO’s have a background primarily in IT. In recent, weeks, I have begun to question this polling as I have met several well-respected CIO’s who understand strategy and operations, but do not have a clue as to operating systems, applications or how networks function. In this same poll, only 15% of CIO’s and CSO’ came from areas outside of IT. What side of the fence do you stand on? Do you think an extensive background and training in information technology makes a difference as a c-level executive? As I consider myself a hybrid with a little knowledge and experience on both sides of the fence, I wonder what is respectable?  Trackback URL

Sep 5 2008   7:19AM GMT

Successful traits of a CIO equal successful SAS70 audits (Part 5) – SAS 70

Posted by: sas70expert
Security, Compliance, Auditing, Financials, Network, CIO, SAS 70

Do you have 3 mainframes systems and one stand alone application that you use for recording financial results? Do any of these systems talk to one another? Are you starting to use Saas applications to better manage your data? Knowing how to leverage technologies, old or new, is key to being an effective CIO.

 

During a SAS70 audit, it is critical that you have an deep understanding of your systems and how they work together. If you are able to provide documentation, such as network diagrams, and data hierarchies to your auditor, then they will be more efficient when determining the controls necessary to be tested within your organization. An effective CIO cannot leverage technologies within corporate walls or as outsourced solutions without having a complete understanding of IT networks, applications, and operating systems. What helps you know how to leverage your company technologies? Or to predict what technologies will work best within your company?   

Aug 20 2008   4:26AM GMT

Is pre-boot authentication required? SAS70

Posted by: sas70expert
Management, Access, Access control, Network, SAS 70

SAS 70 audits review the authentication procedures required to access computer equipment, including the pre-boot authentication (PBA) procedure.  If pre-boot authentication is not required, then the risks of gaining access to your Company data is very high.

What is PBA? Pre-boot authentication is a process that requires a user to authenticate to the operating system prior to loading of the application software. The user must enter his credentials - a username and password before the system load begins. Once authenticated, then Windows or Linux operating system is loaded. If the correct user name and password are not entered, the pre-boot authentication process will not load the operating system and the computer will lock down.

Pre-boot authentication prevents a criminal hacker from gaining access to your data by not loading the operating system. Since the bypass tools load after the operating system, then a hacker want get a chance to try to gain entry or use the Windows XP or Vista emergency disks.   SAS70ExPERT at gmail.com

Aug 10 2008   7:54PM GMT

Telecommuting as a SAS70 audit control? – SAS70ExPERT

Posted by: sas70expert
Third-party services, Security, Compliance, Auditing, Access control, Network, CIO, Telecommuting, SAS 70

As transportation costs continue to skyrocket over the summer, telework/telecommuting is becoming the new trend among office environments. Basically, we have been doing a form of telework by outsourcing all of our jobs overseas, so this premise is not really new, it’s just new for American workers. 92 percent of workers said their work could be performed from home according to a recent survey by advocacy group Telework Exchange. I agree that operating expenses could be reduced by:

1)      less office space per employee

2)      transportation costs are reduced from commuting to work

3)      reduction in computer hardware expenses

 

But what is the downside of a remote workforce and what effect will that have on company information assets? These information assets are now stored at a families home on First Avenue, in a 3 bedroom, 2 bath, instead of your 5 story office building. These telecommuting risks will need to examined by management and should be considered in a SAS70 audit.

 

Consider that most employee homes will not have extended physical or environmental security – only garage door locks and an air conditioner. Their computer office could be located next to their children’s bathroom – which is a likely water hazard, in an open space by a garden window. How easy would it be for a burgular to reach in and knock your coffee cup over, and grab your computer from your first floor home office?Really EASY, as I think many homes today still have yet to have a home alarm system on their windows.Critical company information now could be sold on the internet.

 

In addition, what network security are you assured that they have on their home computer? Do they have the latest virus preventing application? Is their firewall always up and running or might it be turned off to watch a movie?

 

Is your IT staff prepared to make housecalls? Your company information assets now resids at your employees home. It is now not on the second floor of your office, but could be 20-30 miles to First Avenue home. You now must manage users that are at locations that are spread miles apart? This may be okay if 15% of your workforce is remote, but what if it is 92%? Is your IT staff trained accordingly? If they have to make housecalls, do transportation costs truly decrease? Who is managing the network while your IT Administrator is stuck in traffic on his way to the Marketing Director’s home to fix his computer?

 

Any third party vendor must complete a SAS70 audit to assure it customer that their data is secure. Are you ready to expand your company floor space beyond the office perimeter? Telecommuting risks must be considered in the SAS70 audit process. What are some of the risks you have identified? Do you even have any policies in place at your company which specifically discuss the do’s and don’t’s of a telecommuter?  Trackback URL

Jul 6 2008   4:18PM GMT

How laptops become serial killers? - SAS70

Posted by: sas70expert
Security management, Administration, Security, Information risk management, Management, Security Program Management, Compliance, Risk management, human factors, Auditing, Monitoring, Access, Access control, Network Management Systems, Network, CIO, DataCenter, CFO, SAS 70, CSO

My business requires distribution and collection of data. Much of it resides on a centrally located server; however, there is data on the laptop that has never been transferred over to the server or that may have  been taken off the server for project work. As human beings we will never be perfect. Someone will lend access to their laptop to a friend or customer, a laptop will be lost or stolen, and an unprotected USB drive is a loaded gun just waiting to have the trigger pulled so that data can be transferred off your laptop. Laptops with sensitive data that goes unprotected, can become a media nightmare, a legal hassle and a may limit your customer retention and market growth — a serial killer that stops your business growth and the vendors that support you.

 

To protect data loss, we now have L0-jack services for laptops when they are stolen. The laptop can be found and once connected to a network will be shut down.But what about the ease we have to install and transfer data to others using USB drives. Even if you use a USB drive that requires a password, is that enough security? I have read recently that laptops were returned after being lost that contained sensitive data such as social security numbers for big companies – including Google. Now that they have the laptop back, is the risk over? What if the data was transferred off the laptop onto a USB drive?

 

Just like for the SAS70 audit, you have to perform a risk assessment to determine the controls that must be in place, and identify those that can be implemented as time permits. In the situation above, I don’t think focusing on the number of ways that data can be taken off laptops is the key to reducing risk. You should focus more on identifying the type of data that you have, mark the sensitive data, and control access to it – by limiting users, strengthening laptop controls around the sensitive data, and identifying opportunities to record transfer of sensitive data which would provide an audit trail. How are you controlling your data on your laptops?