 




<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SAS 70 &#187; Networking</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/sas-70/tag/networking/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/sas-70</link>
	<description></description>
	<lastBuildDate>Tue, 23 Dec 2008 17:58:25 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Have you been Clickjacking lately? SAS70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/have-you-been-clickjacking-lately-sas70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/have-you-been-clickjacking-lately-sas70/#comments</comments>
		<pubDate>Thu, 27 Nov 2008 16:37:07 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[browsers]]></category>
		<category><![CDATA[Clickjacking]]></category>
		<category><![CDATA[firefox]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[internet explorer]]></category>
		<category><![CDATA[Opera]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[Safari]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[vendors]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/have-you-been-clickjacking-lately-sas70/</guid>
		<description><![CDATA[Clickjacking threatens all major internet browsers – Internet Explorer, Mozilla Firefox, Safari and Opera. What is it? Clickjacking is not when your wife takes over the remote control. It is when a browser user puts his mouse on a sign button, but a tag that the user may not see is placed under the button. [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal">Clickjacking threatens all major internet browsers – Internet Explorer, Mozilla Firefox, Safari and Opera. What is it? Clickjacking is not when your wife takes over the remote control. It is when a browser user puts his mouse on a sign button, but a tag that the user may not see is placed under the button. When the user clicks, he then sends information to an unauthorized source. This could destroy the legitimacy of your web application or your SaaS.</p>
<p class="MsoNormal">There are several possible solutions to this hacker attack, but only with updates by the browser vendors. Firefox has a stop-gap solution in place – “NoScript.” It is a technical solution and not for everyone. If you process credit card information, your SAS 70 auditor will look to see what precautions you have taken. What measures do you have in place? Sas70expert@gmail.com</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/have-you-been-clickjacking-lately-sas70/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SaaS and SAS70 – SAS70ExPERT</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/saas-and-sas70-%e2%80%93-sas70expert/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/saas-and-sas70-%e2%80%93-sas70expert/#comments</comments>
		<pubDate>Mon, 17 Nov 2008 23:23:03 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access control]]></category>
		<category><![CDATA[Data center operations]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[SAS 70]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/saas-and-sas70-%e2%80%93-sas70expert/</guid>
		<description><![CDATA[As more outsourcing of applications takes place in this economy by using SaaS (software-as-a-service), is Management producing cost savings? And how many SAS70s will you be required to collect? From the data center operations, the IT support vendor, and the application provider? When you perform your cost-benefit analysis, items to consider are: Who will benefit [...]]]></description>
				<content:encoded><![CDATA[<p><span>As more outsourcing of applications takes place in this economy by using SaaS (software-as-a-service), is Management producing cost savings? And how many SAS70s will you be required to collect? From the data center operations, the IT support vendor, and the application provider?</span></p>
<p><span>When you perform your cost-benefit analysis, items to consider are:</span></p>
<ul>
<li><span>Who will benefit from access control for your application</span></li>
<li><span>From where your visitors, employees and customers will be connecting to your information: a VPN network, a cell phone or PDA, or another web-enabled device</span></li>
<li><span>Obtain more control over your licensing costs</span></li>
</ul>
<p><span>As you develop a strategic plan to use SaaS, build close relationships with your vendors and define them carefully in your contracts. Constantly update your contracts or service level agreements to match your needs, and develop tools to monitor how well your vendor is meeting your requirements.</span></p>
<p><span>A SAS70 must be performed on your SaaS vendor to provide you with assurance of the reliability, confidentiality and integrity of the service to be provided to you and your customers. Control objectives may be similar or different, but the audit report should be examined carefully in order to determine that your data is secure. SAS70ExPERT.biz</span></p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/saas-and-sas70-%e2%80%93-sas70expert/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Back to basics – Security awareness and education – SAS70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/back-to-basics-%e2%80%93-security-awareness-and-education-%e2%80%93-sas70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/back-to-basics-%e2%80%93-security-awareness-and-education-%e2%80%93-sas70/#comments</comments>
		<pubDate>Wed, 01 Oct 2008 04:26:14 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[CIO]]></category>
		<category><![CDATA[Incident response]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Program Management]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/back-to-basics-%e2%80%93-security-awareness-and-education-%e2%80%93-sas70/</guid>
		<description><![CDATA[For any security program, you must start at the basics and begin with an information security plan. In a SAS 70 audit, an auditor will examine a CIO&#8217;s operations to determine that you have security program management, incident response, and that appropriate training is provided to your employees. Your security plan should include at least [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal"><span>For any security program, you must start at the basics and begin with an information security plan. In a SAS 70 audit, an auditor will examine a CIO&#8217;s operations to determine that you have security program management, incident response, and that appropriate training is provided to your employees. Your security plan should include at least:</span></p>
<ul>
<li class="MsoNormal"><span>Procedures to protect and provide access to IT systems and applications</span></li>
<li class="MsoNormal"><span>Procedures to report incidents when they occur</span></li>
<li class="MsoNormal"><span>Investigation practices required to prevent future incidents</span></li>
<li class="MsoNormal"><span>The right to revoke any user access at any time</span></li>
</ul>
<p class="MsoNormal"><span>Training should occur regularly for all employees, and no employee should be granted access to your systems without taking your company’s network security training. Do you have a plan in place? If so, send me a generic sample and I will share it with our readers. Sas70expert@gmail.com</span></p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/back-to-basics-%e2%80%93-security-awareness-and-education-%e2%80%93-sas70/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security is essential for all new technology investments? SAS70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/security-is-essential-for-all-new-technology-investments-sas70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/security-is-essential-for-all-new-technology-investments-sas70/#comments</comments>
		<pubDate>Sun, 21 Sep 2008 21:22:21 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[Security management]]></category>
		<category><![CDATA[Third-party services]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/security-is-essential-for-all-new-technology-investments-sas70/</guid>
		<description><![CDATA[Which new technologies are you adopting? With Web 2.0, social networking, wikis, and blogs – oh my! With so many new avenues to penetrate your market, the decisions you make today can affect the success of your SAS 70 audit. When evaluating new technology, always first determine your company objectives as we previously discussed. In [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal"><span>Which new technologies are you adopting? With Web 2.0, social networking, wikis, and blogs – oh my! With so many new avenues to penetrate your market, the decisions you make today can affect the success of your SAS 70 audit. When evaluating new technology, always first determine your company objectives as we previously discussed. In addition, you will need to consider what new security features must be implemented in your computing environment to prevent downtime. It is essential that, early in the process, you identify the threats and the risks, and then create a plan.</span></p>
<p class="MsoNormal"><span>In identifying threats, the assessment team must consider who or what could compromise a target system’s components such that the system’s security attributes would be jeopardized. You should focus on how the information assets and components differ from what you already have. In identifying the security risks, consider what the total potential impact on the organization will be. When your system is compromised – and it will be – how would you handle the loss of critical data?</span></p>
<p class="MsoNormal"><span>Addressing technology security risks requires a documented plan, and you must train your employees on how to enact the plan. The SAS70 audit will require you to have a plan in place and it will examine who the participants in the plan are. The plan should include not only IT, but operations and senior management. Where is your security plan? SAS70ExPERT@gmail.com</span></p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/security-is-essential-for-all-new-technology-investments-sas70/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Risk Assessments and the SAS 70 audit</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/risk-assessments-and-the-sas-70-audit/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/risk-assessments-and-the-sas-70-audit/#comments</comments>
		<pubDate>Wed, 17 Sep 2008 15:35:03 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access]]></category>
		<category><![CDATA[Auditing]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[SAS 70]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/risk-assessments-and-the-sas-70-audit/</guid>
		<description><![CDATA[Management’s risk assessment process is required to be audited in a SAS70 examination; however, in my experience, most auditors do not adequately review Management’s risk assessment process. Without adequate auditing experience, most auditors would not have a basis to determine if Management had reviewed the control risk universe. In addition, Management mostly does not formally [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal"><span>Management’s risk assessment process is required to be audited in a SAS70 examination; however, in my experience, most auditors do not adequately review Management’s risk assessment process. Without adequate auditing experience, most auditors would not have a basis to determine if Management had reviewed the control risk universe. In addition, Management mostly does not formally document risks; they are discussed only in Board meetings among C-level executives. The COBIT risk assessment framework can provide Management with the criteria and the details that an inexperienced auditor may use as a guide to examine their risk assessment process.</span></p>
<p class="MsoNormal"><span>COBIT consists of information that is required to help achieve business objectives. You must first begin with a vulnerability analysis of your business operations. Then determine the threats to these vulnerabilities. For example, your greatest risk may be related to the legal liabilities due to incorrect financial statements, or something simpler, like the loss of a backup tape which contained your customers’ social security numbers. Third, determine the impact of this threat. Is it a million dollar monetary fine, or could your license to conduct business be taken away? The conclusion is an action plan, after which the cycle can start again.</span></p>
<p class="MsoNormal"><span>When the SAS 70 auditor discusses your risk assessment process, don’t be afraid to say that you have it all stored in your brain. Without risk documentation, an experienced auditing firm will assist you in forming a roadmap of risks that lead to your business success. Mr. CIO, have you determined what your business risks or your information technology risks are today? Have you formally discussed and evaluated them with other C-level executives or with your peers and associations within your industry? Note from the diagram below a formal risk assessment process. Next time we will discuss each of these layers in detail. <a href="mailto:SAS70ExPERT@gmail.com">SAS70ExPERT@gmail.com</a></span></p>
<p class="MsoNormal"><span>Diagram: layers of a formal risk assessment process</span></p>
<ul>
<li class="MsoNormal"><span>Asset Identification and Valuation</span></li>
<li class="MsoNormal"><span>Vulnerability Assessment</span></li>
<li class="MsoNormal"><span>Threat Assessment</span></li>
<li class="MsoNormal"><span>Risk Assessment</span></li>
<li class="MsoNormal"><span>Countermeasures</span></li>
<li class="MsoNormal"><span>Control Evaluation</span></li>
<li class="MsoNormal"><span>Residual Risk</span></li>
<li class="MsoNormal"><span>Action Plan</span></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/risk-assessments-and-the-sas-70-audit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encrypting for Security &#8211; SAS70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/encrypting-for-security-sas70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/encrypting-for-security-sas70/#comments</comments>
		<pubDate>Sun, 14 Sep 2008 23:17:20 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Identity & Access Management]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Network monitoring]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[routers]]></category>
		<category><![CDATA[Security Program Management]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/encrypting-for-security-sas70/</guid>
		<description><![CDATA[SAS 70 audits review not only the security of your networks but also the security of the data that is transported across your networks and of the data that remains on your servers and laptops. Before choosing an encryption vendor, there are factors you should consider: What administrative actions are required? Can keys be changed [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal"><span>SAS 70 audits review not only the security of your networks but also the security of the data that is transported across your networks and of the data that remains on your servers and laptops. Before choosing an encryption vendor, there are factors you should consider:</span></p>
<ul>
<li class="MsoNormal"><span>What administrative actions are required? Can keys be changed and modified by the user or does your network administrator have to take action? What if the key is compromised, can it be changed at will? If the key is changed, how do you remember it?</span></li>
<li class="MsoNormal"><span>What steps are taken to manage keys? Are keys kept in a secure database or are they managed individually? Independent solutions allow you more flexibility, but independent users may not always follow the company standards, which may give hackers an opportunity.</span></li>
<li class="MsoNormal"><span>Are multiple keys supported and can you create a master? The more critical and sensitive the data, the tougher the key should be to crack.</span></li>
<li class="MsoNormal"><span>Is there a PKI in your corporation? Does the encryption product integrate with an existing PKI production or does it require software in order to function? Any vendor solution should be able to. SAS70ExPERT@gmail.com</span></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/encrypting-for-security-sas70/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CIO’s deserve respect? Are you respectable and what are these characteristics? SAS70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/cio%e2%80%99s-deserve-respect-are-you-respectable-and-what-are-these-characteristics-sas70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/cio%e2%80%99s-deserve-respect-are-you-respectable-and-what-are-these-characteristics-sas70/#comments</comments>
		<pubDate>Fri, 12 Sep 2008 05:17:50 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[CSO]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[SAS 70]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/cio%e2%80%99s-deserve-respect-are-you-respectable-and-what-are-these-characteristics-sas70/</guid>
		<description><![CDATA[SAS 70 audits focus on COSO controls and examine the leadership experience of executives and training. CIOs’ and CSOs’ march to the executive suite takes many paths. Opportunities to lead in the C-Level suite come in many forms… some are perhaps luck, others are from angels, but what job titles lead to the CIO or CSO [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal">SAS 70 audits focus on COSO controls and examine the leadership experience and training of executives. The march of CIOs and CSOs to the executive suite takes many paths. Opportunities to lead in the C-level suite come in many forms: some are perhaps luck, others are from angels. But what job titles lead to the CIO or CSO role? According to a recent survey, most CIOs have a background primarily in IT. In recent weeks, I have begun to question this polling, as I have met several well-respected CIOs who understand strategy and operations but do not have a clue as to operating systems, applications or how networks function. In this same poll, only 15% of CIOs and CSOs came from areas outside of IT. What side of the fence do you stand on? Do you think an extensive background and training in information technology makes a difference as a C-level executive? As I consider myself a hybrid with a little knowledge and experience on both sides of the fence, I wonder what is respectable? SAS70ExPERT@gmail.com</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/cio%e2%80%99s-deserve-respect-are-you-respectable-and-what-are-these-characteristics-sas70/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Successful traits of a CIO equal successful SAS70 audits (Part 5) – SAS 70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/successful-traits-of-a-cio-equal-successful-sas70-audits-part-5-%e2%80%93-sas-70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/successful-traits-of-a-cio-equal-successful-sas70-audits-part-5-%e2%80%93-sas-70/#comments</comments>
		<pubDate>Fri, 05 Sep 2008 07:19:40 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Financials]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/successful-traits-of-a-cio-equal-successful-sas70-audits-part-5-%e2%80%93-sas-70/</guid>
		<description><![CDATA[Do you have 3 mainframe systems and one stand-alone application that you use for recording financial results? Do any of these systems talk to one another? Are you starting to use SaaS applications to better manage your data? Knowing how to leverage technologies, old or new, is key to being an [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal">Do you have 3 mainframe systems and one stand-alone application that you use for recording financial results? Do any of these systems talk to one another? Are you starting to use SaaS applications to better manage your data? Knowing how to leverage technologies, old or new, is key to being an effective CIO.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">During a SAS70 audit, it is critical that you have a deep understanding of your systems and how they work together. If you are able to provide documentation, such as network diagrams and data hierarchies, to your auditor, then they will be more efficient when determining the controls that need to be tested within your organization. An effective CIO cannot leverage technologies within corporate walls or as outsourced solutions without having a complete understanding of IT networks, applications, and operating systems. What helps you know how to leverage your company technologies? Or to predict what technologies will work best within your company? sas70expert@gmail.com</p>
<p class="MsoNormal"> </p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/successful-traits-of-a-cio-equal-successful-sas70-audits-part-5-%e2%80%93-sas-70/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is pre-boot authentication required? SAS70</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/is-pre-boot-authentication-required-sas70/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/is-pre-boot-authentication-required-sas70/#comments</comments>
		<pubDate>Wed, 20 Aug 2008 04:26:41 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[SAS 70]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/is-pre-boot-authentication-required-sas70/</guid>
		<description><![CDATA[SAS 70 audits review the authentication procedures required to access computer equipment, including the pre-boot authentication (PBA) procedure.  If pre-boot authentication is not required, then the risk of someone gaining access to your company data is very high. What is PBA? Pre-boot authentication is a process that requires a user to authenticate to the operating system [...]]]></description>
				<content:encoded><![CDATA[<p>SAS 70 audits review the authentication procedures required to access computer equipment, including the pre-boot authentication (PBA) procedure.  If pre-boot authentication is not required, then the risk of someone gaining access to your company data is very high.</p>
<p>What is PBA? Pre-boot authentication is a process that requires a user to authenticate to the operating system prior to the loading of the application software. The user must enter his credentials (a username and password) before the system load begins. Once the user is authenticated, the Windows or Linux operating system is loaded. If the correct username and password are not entered, the pre-boot authentication process will not load the operating system and the computer will lock down.</p>
<p>Pre-boot authentication prevents a criminal hacker from gaining access to your data by not loading the operating system. Since the bypass tools load after the operating system, a hacker won't get a chance to try to gain entry or use the Windows XP or Vista emergency disks.  SAS70ExPERT@gmail.com</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/is-pre-boot-authentication-required-sas70/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Telecommuting as a SAS70 audit control? – SAS70ExPERT</title>
		<link>http://itknowledgeexchange.techtarget.com/sas-70/telecommuting-as-a-sas70-audit-control-%e2%80%93-sas70expert/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sas-70/telecommuting-as-a-sas70-audit-control-%e2%80%93-sas70expert/#comments</comments>
		<pubDate>Sun, 10 Aug 2008 19:54:58 +0000</pubDate>
		<dc:creator>SAS70ExPERT</dc:creator>
				<category><![CDATA[Access control]]></category>
		<category><![CDATA[Auditing]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Telecommuting]]></category>
		<category><![CDATA[Third-party services]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/sas-70/telecommuting-as-a-sas70-audit-control-%e2%80%93-sas70expert/</guid>
		<description><![CDATA[As transportation costs continue to skyrocket over the summer, telework/telecommuting is becoming the new trend among office environments. Basically, we have been doing a form of telework by outsourcing all of our jobs overseas, so this premise is not really new, it’s just new for American workers. 92 percent of workers said their work could [...]]]></description>
				<content:encoded><![CDATA[
<p class="MsoNormal">As transportation costs continue to skyrocket over the summer, telework/telecommuting is becoming the new trend among office environments. Basically, we have been doing a form of telework by outsourcing all of our jobs overseas, so this premise is not really new, it’s just new for American workers. 92 percent of workers said their work could be performed from home according to a recent survey by advocacy group Telework Exchange. I agree that operating expenses could be reduced by:</p>
<p class="MsoNormal">1) less office space per employee</p>
<p class="MsoNormal">2) lower transportation costs from commuting to work</p>
<p class="MsoNormal">3) a reduction in computer hardware expenses</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">But what is the downside of a remote workforce, and what effect will it have on company information assets? These information assets are now stored at a family's home on First Avenue, in a 3 bedroom, 2 bath, instead of your 5 story office building. These telecommuting risks will need to be examined by management and should be considered in a SAS70 audit.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Consider that most employee homes will not have extended physical or environmental security – only garage door locks and an air conditioner. Their computer office could be located next to their children’s bathroom – which is a likely water hazard – or in an open space by a garden window. How easy would it be for a burglar to reach in, knock your coffee cup over, and grab your computer from your first floor home office? Really EASY, as I think many homes today have yet to have a home alarm system on their windows. Critical company information could now be sold on the internet.</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">In addition, what assurance do you have about the network security on their home computer? Do they have the latest virus-prevention application? Is their firewall always up and running, or might it be turned off to watch a movie?</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">Is your IT staff prepared to make housecalls? Your company information assets now reside at your employee's home. They are no longer on the second floor of your office, but could be 20-30 miles away at a First Avenue home. You now must manage users at locations that are spread miles apart. This may be okay if 15% of your workforce is remote, but what if it is 92%? Is your IT staff trained accordingly? If they have to make housecalls, do transportation costs truly decrease? Who is managing the network while your IT Administrator is stuck in traffic on his way to the Marketing Director&#8217;s home to fix his computer?</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">Any third party vendor must complete a SAS70 audit to assure its customers that their data is secure. Are you ready to expand your company floor space beyond the office perimeter? Telecommuting risks must be considered in the SAS70 audit process. What are some of the risks you have identified? Do you even have any policies in place at your company which specifically discuss the do’s and don’ts of a telecommuter? SAS70ExPERT@gmail.com</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/sas-70/telecommuting-as-a-sas70-audit-control-%e2%80%93-sas70expert/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
