TechRepublic recently noted the 10 most influential leaders in IT and they are noted below.  What does it take to be a IT leader with a SAS70 audit badge? Several things these great leaders have in common are:

1) Each of these leaders are visionaries in their field. They know enough about their industry and company to be able to successfully predict the next technological revolution and be ready to take action.

2) A strong work ethic. These leader knew that hardwork would provide opportunity for themselves and their staff.

3) These IT leaders were able to take complex organizational structures and make them successful growing corporations. “Keep it simple stupid” is really a learned form of business acumen that guides business strategy for successful leaders.

4) Each of these Companies takes IT security issues seriously, and have security programs that are responsive to customer requests. Not everyone is perfect, but these companies have taken their customers data and needs seriously and take steps daily to protect them.

5) They all have a SAS 70 audit completed on their Company to provide evidence that their internal controls are sound.

10. Bill Gates, Microsoft

At the end of June, Microsoft Chairman Bill Gates stepped down from his full-time job at the world’s largest software company (he remains chairman and still spends about 20% of his working hours on Microsoft stuff). True to his word, Gates has stepped back from the spotlight. However, he still casts a huge shadow over the business technology world, in part because a number of his visions have not come to fruition yet – most notably his ideas for next generation computer interfaces – and partly because Microsoft CEO Steve Ballmer was so erratic in 2008 (ah hem, Yahoo debacle) and has yet to articulate a clear vision for how Microsoft will innovate business software in the years ahead.

9. Mark Templeton, Citrix

Citrix was supposed to have been eliminated years ago when Microsoft started bundling Terminal Services into Windows Server. However, it never happened. Under the leadership of President and CEO Mark Templeton, Citrix has done two things to remain relevant: 1.) expand its product lines and 2.) re-market its itself to fit the changing times. Citrix has chosen its acquisitions wisely, with wins such as Xen virtualization software and GoToMeeting and GoToMyPC for remote workers. Meanwhile, Templeton, a former marketing executive, has re-fashioned the company by successfully hitching its wagon to virtualization. For example, terminal services is now application virtualization for Citrix. It also doesn’t hurt that Citrix’s software also goes a step beyond the version of Terminal Services that you get in Windows, and Citrix has also aggressively partnered with Microsoft.

8. Steve Jobs, Apple

Apple and its CEO Steve Jobs have had a far larger impact on consumer computing than business systems over the past several years, but Apple made one move in 2008 that was significant enough to land Jobs on this list on its merits alone. In a software update in mid-2008, Jobs and Apple took their highly successful iPhone and connected it with Exchange ActiveSync, making it capable of enterprise-class e-mail, contacts, and calendaring. This also made the iPhone a much stronger competitor to BlackBerry, Windows Mobile, and Symbian. However, the iPhone’s meteoric ascent hasn’t hurt the big smartphone vendors – at least not yet. It has actually brought more awareness to smartphones (making it a required tool for knowledge workers) and helped expand the overall smartphone market. These aren’t just tools for executives, salespeople, financial nerds, and bureaucrats anymore.

7. Safra Catz, Oracle

When you have a company that makes almost 50% of its revenue from existing software and support contracts, then it’s critical to have a leader who can drive operational efficiency. For enterprise software giant Oracle, that leader is Safra Catz, its President and former CFO. While CEO Larry Ellison remains the highly-colorful figurehead of the company, Catz is the one in charge of integrating its steady stream of acquisitions – 10 in 2008 – and handling the company’s operational strategy. With Microsoft nipping at its heals from the SMB side and SAP and IBM trying to steal away enterprise accounts, Oracle’s empire should be shrinking, but it’s not. It has put together the most diverse set of enterprise software products and it has assimilated them very well under Catz’s leadership. She is one of only two non-CEOs on this list, but the successes of Oracle’s acquisitions make her a worthy addition.

6. Eric Schmidt, Google

While Google ultimately aims for a broader consumer focus of building great tools to broaden the power of the Internet, the company is quietly making inroads with its business technology products. Whether it’s the expansion of Gmail functionality to become a true competitor to Microsoft Outlook, large organizations such as the Washington D.C. municipality migrating from Microsoft Office to Google Apps, the continued expansion of the Google enterprise search appliances, or the potential for Android smartphones to become powerful business devices, you can see Google methodically moving into the enterprise arena. And don’t forget that Google Chairman/CEO Eric Schmidt previously worked for two enterprise vendors, Sun Microsystems and Novell.

5. Marc Benioff, Salesforce.com

There’s no better success story for cloud computing and software as a service (SaaS) in the business world than Salesforce.com. The Web-based CRM tool continued its meteoric growth in 2008 and its Chairman/CEO Marc Benioff continued to wave the flag for SaaS as the next great evolution in the business technology world. If he has his way, Benioff will take Salesforce.com beyond CRM and build the world’s first great cloud computing platform for businesses. Don’t count him out.

4. Anne Mulcahy, Xerox

During the past five years, Anne Mulcahy – as Xerox CEO and Chairman – has turned around the fortunes of the company that was once synonymous with the photocopier. Mulcahy instituted strict financial discipline including major cost costs, while also ramping up Xerox’s services business, pushing innovation with expanded  research and development efforts, and growing its footprint in emerging markets. Ironically, Xerox consultants now show companies how to save paper and reduce the number of printers – often by replacing a bunch of HP printers with one big machine from Xerox.

3. Craig Barrett, Intel

With Bill Gates fading into the sunset, Intel Chairman Craig Barrett has emerged as one of the IT industry’s chief ambassadors. He traveled to over 30 countries in 2008, met with various heads of state, and served as the chair of a United Nations task force on technology in the developing world. “Technology is a tool to address some of the world’s most pressing challenges related to health care, education, economic development and the environment,” said Barrett. This broader vision of the role of technology in society is fueling Intel’s strategy as the company continues to drive down the cost of computers with chips that are smaller, less expensive, and cost less to operate.

2. John Chambers, Cisco

Cisco continues to completely dominate the enterprise networking market. Now, it’s trying to do the same in the small and medium business market. Its telepresence systems are also poised for a big breakthrough as the price of the product drops and businesses cut their travel budgets in these lean economic times. Now, it’s also rumored that Cisco will enter the blade server market. Chambers is a high-energy visionary with lots of discipline, and he has Cisco hitting on all cylinders.

1. Mark Hurd, Hewlett-Packard

Last year, I left Mark Hurd off the list and even remarked that Carly Fiorina deserved a lot of the credit for Hewlett-Packard’s resurgence because its roots are based in the HP-Compaq merger, which Fiorina had the guts to do. But, it becomes clearer every year that Hurd is making the right calls and motivating the various HP divisions to execute. HP is back on top in the PC market (having overtaken Dell), it is tied for the lead in servers with IBM, and it is even making strong moves in the networking market with its ProCurve gear. Plus, it bought EDS in 2008 to expand its footprint in IT services. All of the while, it has allowed its incumbent printer business to quietly take a back seat. That’s why HP is doing so well, even in the face of economic headwinds, and that’s why Hurd deserves the top spot on this list. SAS70ExpERT@gmail.com

What would you pay for a eight gigabyte USB harddrive? Some would say billions; especially if it contained your company’s financial or critical data. Everyday you read about lost or stolen company data which may be your intellectual property, credit card, or other personal medical information of your CFO. They are also the fastest and surest way to give a CIO a security headache. What are you doing to protect these information assets?

If your company or your staff is saving company or customer data to a USB drive; you need to set standards in your security managment program to protect this information. A SAS 70 audit will require you to have  standards that include:

1)      Require that all data stored on USB drives be encrypted.

2)      Require that only USB drives that are password protected be used.

3)      Notify and train your employees on this policy and have a procedure in place which requires that an employee report lost or stolen USB drives immediately; otherwise, be prepared for “headlines” and a lawsuit.

Are you involved with securing your corporate data and if so, are you worried about the insecurity of USB disk drives? What measures do you have in place? Sas70expert@gmail.com

Which new technologies are you adopting? With Web 2.0, social networking, wikis, and blogs – oh mY! With so many new avenues to penetrate your market, the decisions you make today can effect the success of your SAS 70 audit. When evaluating new technology, always first determine your company objectives as we previously discussed. In addition, you will need to remember to consider what new security features must be implemented in your computing environment to prevent downtime. It is essential early in the process that you identify the threats, the risks, and then create a plan.

 In identifying threats, the assessment team must consider who or what could compromise a target system’s components such that the system’s security attributes would be jeopardized. You should focus on how the information assets and components differ from what you already have. In identifying the security risks, consider what will th total potential impact on the organization. When your system is compromised – and it will be – how would you handle the loss of critical data?

To address technology security risks, requires a documented plan and you must train your employees on how to enact the plan. The SAS70 audit will require you to have a plan in place and it will examine who are the participants in the plan. The plan should include not only IT, but operations and senior management. Where is your security plan? SAS70ExPERT@gmail.com

SAS70 audits are becoming a standard for any outsourced organization. As part of the audit process, a company must perform an internal risk assessment of the IT and business related risks. According to a recent survey of IT Executives, here are the top five areas of most concern:

1. Security
2. Systems management tools
3. Virtualization solutions
4. Product road map
5. Power consumption

While power consumption was number five, I think that it has taken on great significance today than ever before. If you are paying $4.50 at your local gas dealer, then you can expect to continue to pay higher prices for electricity for your data center. What steps are you taking to conserve energy? Are you a part of a “green revolution?” From the component level, the server and rack level and up all the way to the datacenter, I would expect everyone is finding ways to cut costs, and increase profit. I think a risk assessment which reviews the operating details of your Company will assist you in meeting corporate objectives. Sas70expert@gmail.com

For a SAS 70 audit, critical areas to review related to biometrics are:

1)       enrollment process for a new user

2)       accuracy and monitoring of the biometric device

3)       termination of users

During enrollment, an individual’s biometric template is created in a database. Make sure you have a documented process for adding and authorizing new users to the database. You must know who may authorize access, and how much access to give the new employee.  

Determine the accuracy and monitoring of biometric usage. Review who has used the biometric device, by reviewing the logs an identifying any unusual activity. For example, if you note that Bob has entered the facility 3 times and there is no exit  – then your device may not be working properly.

Last, if Adam quits or Alice is fired, then how do you know to delete her credentials from the system? Make sure Human Resources has a policy to notify you immediately when a person needs to be removed from the system. IT should have a checklist of items/inventory to be returned when employee exits and the form should include a sign-off to indicate removal from the biometric device. Sas70expert@gmail.com

ITIL provides you with a simple-to-understand IT standards and specific operational situations for your IT environment. ITIL best practices are prescriptive and descriptive. Are you using it for guidance? Many SAS70 audits will want you what guidance you are using as your IT roadmap – COBIT, ITIL, ISO standards.

COBIT will provide you with overall corporate governance. ISO and ITIL are much more operational and provide in-depth procedures. All of them require resources and funds to implement. Many organizations use a combination – they take a more holistic approach. What do you consider as the most effective for your organization? Sas70Expert@gmail.com

If I were going to the Olympics as participant, business person or ticket holder, then I would want to consider how much security I need to keep me safe. The 2008 Olympics will cause a heightened awareness of security for the Beijing metropolis and training will occur on many areas of security. Similar to a SAS 70 audit, many types of security will be audited: physical, environmental, network, logical access to applications and systems, and computer operations. A SAS70 audit should provide you with comfort that your assets are safe, that the controls to protect them are operating effectively and that your business is efficient.

If I were going to the Olympics, here are a few safety principles to follow:

1. Lock your cell phone with a password. If you leave your phone at your favorite restaurant, then you want to be sure that no one can gain access to your contacts, phone numbers, and emails. In addition, be sure to list your name and phone number on the screensaver so that someone call you to return it.
2. Use encryption on all devices. Use VPN/SSL VPN encryption on your laptop, and cellphone.
3. Never leave your valuables in the hotel unprotected. Always take your ipod, mp3 player, cell phone, and other corporate electronics with you or put them in the hotel safe. If you don’t have a hotel safe, then lock it in your luggage.
4. If you have USB flash drives, password protect them and encrypt them.
5. Buy an Olympic necklace. A string around your neck with your hotel key, photo id, and some change could be lifesaver in a foreign country. sas70expert@gmail.com

“Do you understand what impact the outsourced vendor has on your financial stability?” says a SAS 70 auditor. If they fail to make payroll or Friday or if you’re DataCenter fails, what effect will that have on your operations? So as not to be “asleep at the switch,” make sure you understand the vendor’s operations and risks involved. Here are 10 essential specifications that you should have in your service level agreement with you’re outsourced vendor:

1) Data encryption and protection – determine what your vendor is doing from an information technology perspective to protect your information. Are they using applications that have security built-in? Do they have firewalls?

2) Physical Security – review and management of access to buildings and data is critical to protect information technology assets. Tight control must be maintained in order to prevent identify theft and loss of valuable equipment, like exchange servers, racks, and hard drives. Each employee should have ID, preferably biometric, and you should log entry and egress into facilities.

3) Environmental Security – Make sure your data is not only locked in the safe room, but that the environment in the room provides essential protections. Do they have fire extinguishers? Temperature control? Air conditioners? …etc.

4) Confidentiality agreements – Require your business partner/vendor to sign confidentiality agreements/non-disclosure agreements to prevent loss of trade secrets, data, and patents.

5)Employee training – Policies are useless, unless your employees and vendors are trained and aware. Provide all vendors with awareness training of your requirements when processing your information or providing you with services.

6) Require employee background investigations. You want to make sure that the person responsible for managing your money is not a convicted felon. They must have a review of the work history and a validation of the skills.

7)Lastly, Management of vendors- After you have given your requirements to your vendor, how do you know they stay in compliance? A SAS 70 audit is required. sas70expert@gmail.com

Exchange Servers are increasingly being added to the electric grid and increasing the world’s energy consumption, carbon emissions and stream wastes. A recent report stated that “U.S. server electricity consumption has doubled in the past five years and now equals that of color TV’s. SAS70 audits review logical and network related controls for servers, but they don’t consider the energy consumption or quality of company environmental efforts.

All kinds of new energy saving ideas are being developed, including air-compressed backup generators. Greenpeace has developed a “Guide to Greener Electronics.” The guide ranks the 18 top manufacturers of personal computers, mobile phones, TV’s and games consoles according to their policies on toxic chemicals and recycling.

I think that this is great, but is it sustainable considering our populations demand for service NOW!? In an electronic age, where I can practically order anything, see any tv show, or buy any music at the touch of a button on my i-Phone, can we expect businesses to  choose green over a quick dollar? As datacenter demand grows and the need for servers bandwidth is required – will you stop and say  “No, I want my children to enjoy clean air, and clean water.” Or will you push forward with a browner (less green) alternative computing solution? Should SAS70 audits evaluate environmental and energy efforts? sas70expert@gamil.com

Don’t be fooled by a big accounting name? A suit with a high priced song! No matter what they say, you have to read the SAS70 report in order to determine the depth of testing performed in a SAS70 audit. SAS70 audits have just now become in demand by industry leaders and you have to determine what value you want from the SAS70 audit. Do you need a box checked? Or will you use this audit process to improve your revenue, your internal controls, and to set you apart from your competition? Prices range all over the board – choose your poison wisely – either you choose an auditor with experience and see that their report provides you with the level of detail and testing to required to make your organization better or — you might as well gamble in Vegas more – and take the big accounting name with little testing that provides you with the check box you need.sas70expert@gmail.com