Risk Management archives - SAS 70


Oct 25 2008   1:43AM GMT

Privacy issues and the SAS70 audit



Posted by: sas70expert
Management, Security Program Management, Risk management, SAS 70

Privacy, as part of your Security Program Management, means honoring the trust and obligations set out in your company policy, standards, and procedures. SAS 70 auditors can help you build this piece of risk management into your company standards by:

 

1.       identifying the data or information that is personal,

2.       examining what private information is collected, what is disclosed, and what should be destroyed,

3.       ensuring accountability for the private data, and

4.       assisting in developing policy and procedure for the risks associated with private data.

 

Following this approach, you should be able to comply with the legal and regulatory requirements that apply to you, and privacy requirements will be considered in every IT project instead of being added afterward.
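Step 1 above, identifying which data is personal, is the one step that can be partly automated: scan an extract of the data for the patterns personal data takes. The script below is an added example written for this page, not something from the original post or from any SAS 70 firm. The records, field names and the 4111 1111 1111 1111 test card number are constructed for the example; the only real-world rules it encodes are the SSN area/group/serial exclusions and the Luhn checksum that payment card numbers satisfy.

```python
"""PII discovery over constructed sample records (added example).

Finds which fields hold personal data so that the retention, disclosure
and destruction rules in the post can be applied to them. The sample
records and field names are constructed, not taken from a real system.
"""
import re

# U.S. SSN, AAA-GG-SSSS form. Area 000, 666 and 900-999 are never issued,
# and an all-zero group or serial is invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Runs of 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> set:
    """Return the set of PII categories found in a single field value."""
    found = set()
    if SSN_RE.search(value):
        found.add("ssn")
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        # A digit run that fails Luhn (an order number, a tracking id) is not a card.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("card")
    if EMAIL_RE.search(value):
        found.add("email")
    return found


def scan_records(records):
    """Map each field name to the PII categories seen in it across all records."""
    inventory = {}
    for rec in records:
        for field, value in rec.items():
            cats = classify_value(str(value))
            if cats:
                inventory.setdefault(field, set()).update(cats)
    return inventory


# Constructed sample data. 4111-1111-1111-1111 is the well-known Visa test
# number: it passes Luhn but is not a real account.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Customer", "notes": "SSN on file: 123-45-6789",
     "payment": "4111-1111-1111-1111", "contact": "a.customer@example.com"},
    {"id": 2, "name": "B. Customer", "notes": "order ref 1234567890123",
     "payment": "n/a", "contact": "phone only"},
]

if __name__ == "__main__":
    for field, cats in scan_records(SAMPLE_RECORDS).items():
        print(f"{field}: {sorted(cats)}")
```

The output is a field-level inventory (here: notes hold SSNs, payment holds card numbers, contact holds e-mail addresses), which is the list the auditor will ask to see when checking steps 2 and 3. Note the second record: a 13-digit order reference matches the card pattern but fails the Luhn check and is correctly left out, so the inventory does not over-report.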


Sep 22 2008   12:21PM GMT

SAS70 audits require preventative maintenance too!



Posted by: sas70expert
Incident response, Management, Risk management, DataCenter, cooling systems, SAS 70

During a SAS 70 audit of your DataCenter, an auditor will examine the installation of generators, cooling systems, and UPS backup systems. Questions will arise not only about installation, but about continuing preventative maintenance and incident response. An integrated, holistic plan should be followed that clearly identifies scheduling, execution, documentation, risk management, and follow-up inspections.

When preventative maintenance occurs, one of four results can be expected:

·         a potential issue is identified and immediate action is taken to prevent a future failure;

·         a potential issue is identified and a repair is scheduled;

·         the regular maintenance does not uncover any potential repair; or

·         a defect is uncovered and unanticipated repair time is needed.

To make the best use of maintenance windows, managers should keep a record of the age of each piece of equipment, its operating and environmental history (temperature, voltage, run-time, abnormal events), and its operating characteristics such as noise, temperature and vibration. Where is your preventative maintenance plan, and do you have service level agreements in place today to monitor your network services?



Sep 19 2008   5:34PM GMT

Asset Identification and Valuation in a Risk Assessment process? SAS 70



Posted by: sas70expert
Management, Risk management, Financials, CFO, SAS 70, budget

What is a fixed asset, you say? And what is its value today? Don’t know where to start? Call your insurance company. If you don’t have your most precious business assets formally listed or insured, then you need help. From your insurance policy, and from your understanding of the key components that drive your revenue stream, you should be able to get a good idea of how many computers and servers you have and what their monetary value is.

 

After asset identification, make sure you determine the replacement cost of your equipment. Recently, in discussions with an IT Director at a Fortune 500 company, he noted that he had made a formal listing of all his information technology equipment. Soon after, a flood occurred in his datacenter. Upon contacting his insurance company, he learned that he would only be reimbursed for the depreciated value of his equipment, not the replacement cost. The $3000 server you buy today may be worth only $700 as soon as you walk out of the store when its depreciated value is considered. Lesson learned: list your assets, but also understand how much it would truly cost to replace them.

 

When determining value, a monetary figure is not always readily identifiable, and you may have to do some “ciphering.” Talk to your company’s CFO or controller, since you may need to understand how the assets are used to generate revenue. From there, determine whether the asset’s value can be estimated as a percentage of that revenue. Valuing an asset through a financial ratio can be very subjective, so it is wise to gather several opinions.

 

As a starting point in a SAS 70 audit, when examining the risk assessment process, the auditor will want to verify that all critical assets have been identified and that you have assigned appropriate values. If you Google the blue book value of your server, or check Craigslist to see what similar products are selling for, keep a record so that your auditor can review it too. Get your asset list completed today and determine the values; otherwise you may fail to meet your corporate objectives. SAS70ExPERT@gmail.com.

 


Sep 17 2008   3:35PM GMT

Risk Assessments and the SAS 70 audit



Posted by: sas70expert
Management, Risk management, Auditing, Monitoring, Access, Network, CIO, COBIT, SAS 70

Management’s risk assessment process is required to be audited in a SAS 70 examination; however, in my experience, most auditors do not adequately review Management’s risk assessment process. Without adequate auditing experience, most auditors would not have a basis for determining whether Management had reviewed the control risk universe. In addition, Management mostly does not formally document risks; they are discussed only in Board meetings among C-level executives. The COBIT risk assessment framework can provide Management with the criteria and the details that an inexperienced auditor may use as a guide to examine the risk assessment process.

 

COBIT is a framework of IT control objectives that ties IT processes to the business objectives they support. You must first begin with a vulnerability analysis of your business operations. Then determine the threats that could exploit those vulnerabilities. For example, your greatest risk may be the legal liability arising from incorrect financial statements, or something simpler, like the loss of a backup tape containing your customers’ social security numbers. Third, determine the impact of that threat: is it a million-dollar fine, or could your license to conduct business be taken away? The conclusion is an action plan, after which the cycle can start again.

 

When the SAS 70 auditor discusses your risk assessment process, don’t be afraid to say that you have it all stored in your brain. Without risk documentation, an experienced auditing firm will assist you in forming a roadmap of the risks that stand between you and business success. Mr. CIO, have you determined what your business risks and your information technology risks are today? Have you formally discussed and evaluated them with other C-level executives, or with your peers and associations within your industry? The diagram below shows a formal risk assessment process. Next time we will discuss each of these layers in detail. SAS70ExPERT@gmail.com

 

Formal risk assessment process (diagram):

1)      Asset Identification and Valuation

2)      Vulnerability Assessment

3)      Threat Assessment

4)      Risk Assessment

5)      Countermeasures

6)      Control Evaluation

7)      Residual Risk

8)      Action Plan
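The risk register below is an added example, not the blog’s own figures or method. It walks the cycle in the diagram with the valuation advice from the asset post: each asset is carried at replacement value rather than depreciated book value, each risk pairs a threat with the vulnerability it exploits, impact and rate give annualized loss expectancy, a countermeasure with a cost gives residual risk, and the net benefit of each countermeasure is ranked into an action plan. Every asset, rate, cost and control below is a constructed assumption for illustration; the one deliberate choice is that encrypting tapes reduces the impact of a lost tape rather than how often tapes go missing.

```python
"""Quantitative risk register (added example; all figures are constructed)."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    purchase_cost: float        # what was paid
    value: float                # replacement cost for hardware; revenue-based impact value for data
    age_years: float
    useful_life_years: float = 5.0

    def book_value(self) -> float:
        """Straight-line depreciated value: roughly what an insurer reimburses."""
        remaining = max(0.0, 1.0 - self.age_years / self.useful_life_years)
        return round(self.purchase_cost * remaining, 2)

    def insurance_gap(self) -> float:
        """Shortfall between a depreciated-value payout and the true cost to replace."""
        return round(self.value - self.book_value(), 2)


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    exposure_factor: float      # fraction of asset value lost per occurrence (0..1)
    annual_rate: float          # expected occurrences per year (ARO)
    control: str = "none"
    control_cost: float = 0.0   # annual cost of the countermeasure
    rate_reduction: float = 0.0     # fraction by which the control cuts the ARO
    impact_reduction: float = 0.0   # fraction by which the control cuts the loss per event

    def sle(self) -> float:
        """Single loss expectancy, priced at replacement value, not book value."""
        return round(self.asset.value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized loss expectancy before any countermeasure."""
        return round(self.sle() * self.annual_rate, 2)

    def residual_ale(self) -> float:
        """Loss expectancy that remains once the control lowers rate and/or impact."""
        return round(self.sle() * (1.0 - self.impact_reduction)
                     * self.annual_rate * (1.0 - self.rate_reduction), 2)

    def net_benefit(self) -> float:
        """Annual loss avoided minus annual control cost; negative means it costs more than it saves."""
        return round(self.ale() - self.residual_ale() - self.control_cost, 2)


def action_plan(risks):
    """Rank countermeasures by net benefit; fund those that pay for themselves, accept the rest."""
    ranked = sorted(risks, key=lambda r: r.net_benefit(), reverse=True)
    return [(r.asset.name, r.control, r.net_benefit(),
             "fund" if r.net_benefit() > 0 else "accept risk") for r in ranked]


def build_register():
    """Constructed sample register: one server and one set of backup tapes."""
    server = Asset("database server", purchase_cost=3000, value=3500, age_years=3)
    # Data has no meaningful purchase price; its value is the revenue and
    # penalty exposure agreed with the CFO (an assumed figure here).
    tapes = Asset("customer backup tapes", purchase_cost=200, value=200000,
                  age_years=1, useful_life_years=3)
    return [
        Risk(server, "flood in the datacenter", "racks sit on the floor",
             exposure_factor=1.0, annual_rate=0.1,
             control="raise racks, add water sensors", control_cost=150, rate_reduction=0.8),
        Risk(tapes, "tape lost in transit", "tapes are unencrypted",
             exposure_factor=1.0, annual_rate=0.05,
             control="encrypt tapes", control_cost=500, impact_reduction=0.95),
        Risk(server, "disk failure", "single disk, no spare",
             exposure_factor=0.2, annual_rate=0.5,
             control="hot spare disk", control_cost=400, rate_reduction=0.5),
    ]


if __name__ == "__main__":
    register = build_register()
    srv = register[0].asset
    print(f"{srv.name}: book value {srv.book_value()}, replacement {srv.value}, "
          f"insurance gap {srv.insurance_gap()}")
    for name, control, benefit, decision in action_plan(register):
        print(f"{name:24} {control:32} net benefit {benefit:>9.2f}  -> {decision}")
```

Two things the prose alone does not show: the server’s depreciated book value ($1200 after three years of a five-year life) leaves a $2300 gap against its $3500 replacement cost, which is the flood story from the asset post in numbers; and the hot-spare control ranks last with a negative net benefit, so the action plan records that risk as accepted rather than funding a control that costs more than the loss it avoids.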



Aug 8 2008   4:09PM GMT

Do Risk Assessments increase profits? SAS 70 (part two)



Posted by: sas70expert
Risk management, CIO, DataCenter, SAS 70

When performing your risk assessment as required for the SAS70 audit, dive in head first, but keep your eyes focused on the details. Meet with C-level executives and line-level managers and have direct and open discussions about the perils your company faces. Don’t be afraid to ask questions or to confront CIOs with pointed questions. If they don’t know the answer or the risk, you are already in big trouble.

 

Three goals CIOs should keep in mind during these uncertain economic times are to:

1)      reduce operating expenses

2)      increase capacity in the data center

3)      improve reliability of IT infrastructure

 

If you identify the risks of not meeting these three objectives, then you are well on your way to completing a reliable risk assessment. Sas70expert@gmail.com


Aug 7 2008   7:06PM GMT

Do Risk Assessments increase profits? SAS 70 (part one)



Posted by: sas70expert
Security management, Security, Information risk management, Risk management, Financials, CIO, DataCenter, CFO, SAS 70, CSO

SAS70 audits are becoming a standard for any outsourced organization. As part of the audit process, a company must perform an internal risk assessment of its IT and business-related risks. According to a recent survey of IT executives, here are the top five areas of concern:

 

  1. Security
  2. Systems management tools
  3. Virtualization solutions
  4. Product road map
  5. Power consumption

 

While power consumption was number five, I think that it has taken on greater significance today than ever before. If you are paying $4.50 at your local gas dealer, then you can expect to continue to pay higher prices for the electricity in your data center. What steps are you taking to conserve energy? Are you part of a “green revolution?” From the component level, through the server and rack level, all the way up to the datacenter, I would expect everyone to be finding ways to cut costs and increase profit. I think a risk assessment which reviews the operating details of your company will assist you in meeting corporate objectives.



Jul 27 2008   1:46AM GMT

Data Breaches – Do you have a plan? SAS70



Posted by: sas70expert
Disaster Recovery, Networking, Incident response, Security, Compliance, Risk management, Auditing, CIO, DataCenter, Backup & recovery, Backup, SAS 70

You should have a disaster recovery plan ready before a data breach or other disaster occurs within your Company. SAS 70 audits will mostly require you to have a plan documented, but the details of the plan are usually not adequately reviewed. Every disaster recovery plan should answer some basic questions, which include:

  1. Who do you call when an Exchange server malfunctions?
  2. What do you do when a fire occurs in your Datacenter? Do you use the fire extinguisher? Pull the fire alarm? Or run out the front door and call the fire department on your cell phone? There are many tasks that must be done to prevent a catastrophe, and each has to be assigned.
  3. Where do you report when the Datacenter is flooded? Do you meet at the local coffee shop or at the CIO’s home? You need to designate a safe site so that you can quickly establish communication and implement the disaster recovery plan.
  4. When does the disaster plan take effect? Is it invoked when a laptop is lost? When an iPhone is missing? Or only when a more serious virus takes your network down? You have to know when to ring the disaster bells, or the CEO, CIO and CFO will not take you seriously if you call them daily about a missing cell phone.
  5. How do you stop a virus from disrupting your entire network, rather than just your internet or email access? Do you unplug the network, or do you call third-party services and report the issue?

 

If a disaster occurs, treat it as if your home were burning: your most critical asset is at stake. A disaster recovery plan requires forethought and an impact analysis to make sure that your Company can still function on a day-to-day basis. Make sure you have a Disaster Recovery Plan ready for your SAS70 audit, and so that you can come to work the next day.



Jul 24 2008   1:36AM GMT

7 essentials to have in your SLAs to help you manage your outsourced vendor - SAS70



Posted by: sas70expert
Security management, Third-party services, Security, Management, Security Program Management, Compliance, Risk management, Auditing, Monitoring, Access control, Data center operations, CIO, SAS 70, CSO

“Do you understand what impact the outsourced vendor has on your financial stability?” asks a SAS 70 auditor. If they fail to make payroll on Friday, or if your DataCenter fails, what effect will that have on your operations? So as not to be “asleep at the switch,” make sure you understand the vendor’s operations and the risks involved. Here are seven essential specifications that you should have in your service level agreement with your outsourced vendor:

1) Data encryption and protection – determine what your vendor is doing, from an information technology perspective, to protect your information. Are they using applications with security built in? Do they have firewalls? Is your data encrypted where it is stored and while it is in transit to and from the vendor?

2) Physical Security – reviewing and managing access to buildings and data is critical to protecting information technology assets. Tight control must be maintained to prevent identity theft and the loss of valuable equipment, such as Exchange servers, racks, and hard drives. Each employee should carry ID, preferably biometric, and entry to and egress from facilities should be logged.

3) Environmental Security – make sure your data is not only locked in a secure room, but that the environment in that room provides the essential protections. Do they have fire suppression? Temperature control? Air conditioning? And so on.

4) Confidentiality agreements – require your business partner or vendor to sign confidentiality or non-disclosure agreements to prevent the loss of trade secrets, data, and patents.

5) Employee training – policies are useless unless your employees and vendors are trained and aware. Provide all vendors with awareness training on your requirements for processing your information or providing you with services.

6) Employee background investigations – you want to make sure that the person responsible for managing your money is not a convicted felon. Require a review of work history and a validation of skills.

7) Lastly, management of vendors – after you have given your requirements to your vendor, how do you know they stay in compliance? A SAS 70 audit of the vendor is required: its report is your evidence that the controls you specified exist and are working. Ask for a Type II report, which tests whether the controls operated effectively over a period, rather than a Type I, which only describes their design at a point in time.



Jul 22 2008   12:48AM GMT

Is there an elephant in the room? Or did someone just find a SAS70 Audit internal control deficiency/exception?



Posted by: sas70expert
Third-party services, Security, Compliance, Risk management, Auditing, CIO, SAS 70

As a CIO or CSO, what should you do when a SAS 70 auditor finds an exception, or an internal control that is not working, during your SAS70 audit? Sometimes, as in extreme cases such as a death in the family, there is silence, screaming and shouting, grieving, and then finally acceptance. When the auditor meets with the Chief Executive Officer, it is key that you understand the difference between a material weakness, a significant deficiency, and an ordinary internal control deficiency.

 

A “material weakness” is an internal control deficiency, or a combination of deficiencies, such that there is a reasonable possibility that a material misstatement of your financial statements will not be prevented or detected on a timely basis. A “significant deficiency” is less severe than a material weakness, but still important enough to merit the attention of those responsible for oversight of financial reporting.

 

A deficiency in internal control exists in either the design or the operation of a control. A design deficiency exists when you forgot that you had to reconcile inventory: you have been concentrating on sell, sell, sell, and you forgot you had to determine how much inventory you had on hand each month. It happens. An operating deficiency occurs when a properly designed control is not performed as intended: your Accounting Manager just didn’t perform up to par, and the inventory reconciliations they were supposed to do each month just weren’t done.

 

Knowing the difference during these difficult economic times is important. So when the elephant comes into the room, take a deep breath. If you understand the differences between a material weakness, a significant deficiency, and a plain control deficiency, you have the information you need to discuss the results of the SAS70 audit and determine the next steps.  Sas70ExPERT@gmail.com

 


Jul 20 2008   12:20AM GMT

Data Security Breach Myths – SAS70



Posted by: sas70expert
Third-party services, Security, Compliance, Risk management, Auditing, Data Security, SAS 70

When a data breach occurs, what are you required to do? You have heard that you must send the notifications required by federal and state laws when a data breach occurs. Are these myths, truths or dares? You need to know the difference between the myths and the facts. For instance:

 

Myth 1 – When you lose critical financial or personal data, you must notify everyone and their mother. I call “Shenanigans!” Only if certain conditions are met do the 45 state laws require you to notify the consumer or credit card holder. If the conditions are not met, the notification requirements are less strict. For example, if the data is not considered critical, is encrypted, or was not accessible, then you may not have to report it.

 

Myth 2 – You must comply only with the law of the place where the data breach occurred. I call “double Shenanigans!” You must take many factors into account when determining which laws apply to the breach. First, consider the state in which your Company is incorporated; then, the states of residence of the individuals whose information was lost.

 

Myth 3 – Your Company meets California’s requirements, and its standards are higher than every other state’s, so you must be in compliance. This is just “complete Shenanigans!” Even though California was first, several states have used California as a baseline and added improvements and additional requirements. For example, Ohio, Georgia, and Texas have enacted stringent data privacy laws that require detailed notification and follow-up.

 

Make sure you have an attorney handy, that your plan is detailed enough that you can start a plan of action, and that you can begin the communication process as soon as a data breach occurs. Get a plan in place, and you will be ready for both a SAS70 audit and a data breach catastrophe.
