SAS 70:

Security tokens

Aug 6 2008   6:35PM GMT

Face up to Biometrics for your SAS70 audit (SAS 70)



Posted by: sas70expert
Security management, Third-party services, Security, Identity & Access Management, Security Program Management, Compliance, Auditing, Access, Access control, CIO, DataCenter, Security tokens, SAS 70

Biometric systems are used today not only at your Data center/ co-location facility, but for plain ole’ laptop access. Finger, hand and thumb prints provide you access to all your critical data. In addition, iris/retinal scans and other facial recognition scans provide the credentials required to prevent forgery. What are you using within your Company?

 

For a SAS 70 audit, critical areas to review related to biometrics are:

1)       enrollment process for a new user

2)       accuracy and monitoring of the biometric device

3)       termination of users

 

During enrollment, an individual’s biometric template is created in a database. Make sure you have a documented process for adding and authorizing new users to the database. You must know who may authorize access, and how much access to give the new employee.  

 

Determine the accuracy and monitoring of biometric usage. Review who has used the biometric device, by reviewing the logs an identifying any unusual activity. For example, if you note that Bob has entered the facility 3 times and there is no exit  – then your device may not be working properly.

 

Last, if Adam quits or Alice is fired, then how do you know to delete her credentials from the system? Make sure Human Resources has a policy to notify you immediately when a person needs to be removed from the system. IT should have a checklist of items/inventory to be returned when employee exits and the form should include a sign-off to indicate removal from the biometric device.  Trackback URL

AddThis Social Bookmark Button     0 Comments     RSS Feed     Email a friend

Jun 26 2008   4:30AM GMT

What’s your data loss prevention strategy? – SAS70



Posted by: sas70expert
Security management, Third-party services, Database issues, Networking, Network security, Firewalls, Incident response, Security, Network monitoring, Identity & Access Management, Information risk management, routers, Management, Security Program Management, Compliance, Viruses, Database, patching, Configuration, Database Management Systems, business/IT alignment, Auditing, Monitoring, Access, Access control, Network Management Systems, Data center design, Network, CIO, DataCenter, DataManagement, CEO, management software, Security tokens, Patch management, CFO, router configuration, SAS 70, CSO, Intrustion management, TrendMirco

Are you reviewing you firewall rules quarterly? Have you implemented an (IDS) intrusion detection system? Are your routers set up to prevent unauthorized intruders? Do you have the latest and greatest virus protection? Are you performing a SAS70 audit every six months? Database security breaches are increasing daily and costing tremendous amounts of dollars that should have been spent on IT projects. You should at least have an emergency plan in place when data loss occurs. Without an emergency plan in place, the breach could continue and the legal costs could continue to escalate.