Storage

Nov 27 2008   1:40AM GMT

Outsource with a Plan - SAS70

Posted by: sas70expert
Third-party services, Disaster Recovery, Monitoring, SaaS, SAS 70

As more businesses outsource IT to third-party services, data privacy and integrity are paramount to the success of your operations. The SaaS small and medium businesses have a responsibility to ensure your data is processed correctly and that it is kept safe. SAS 70 audits are requirement.

Before outsourcing to save funds, make sure you have a defined plan. Without it, one small security breach of a politicians’ social security number can destroy your company reputation and your ability to generate new business. This plan should included:

1)definitions related to service levels. You will require your vendor to have uptime of at least 99%.

2) the ability to process your information quickly. Customers accesses your company website and purchasing items should occur relatively fast.

3) reporting functions which allow you monitoring capability and to  capture your data and analyze.

4) a Disaster Recovery plan, a single hardware failure can result in the loss of business.

 SAS70expert at gmail.com

Sep 25 2008   11:06AM GMT

Outsourcing your data backup process – SAS70

Posted by: sas70expert
Third-party services, Management, Backup, SAS 70

During the SAS70 audit, an examination will be performed on your data backup process. If you have outsourced this to a local vendor, you are still responsible for making sure that your data is kept safe, secure, and is backed up properly. Hosted or online backup processes are very attractive for small to medium size businesses. Why? They don’t have to maintain the expertise internally and the IT equipment is expensive.

 

How best do you manage your backup provider? Be sure to have a service level agreement in place. The service level agreement should provide you response times for when you need help. And you will! When you need to find that lost report that is due for your presentation today, you will want the file restored today – NOT in 24-36 hours. In addition, review your own internet connection as you will need a fast one to transfer your data. Does your outsourced vendor take care of your needs?   

Outsourcing your data backup process – SAS70

 

During the SAS70 audit, an examination will be performed on your data backup process. If you have outsourced this to a local vendor, you are still responsible for making sure that your data is kept safe, secure, and is backed up properly. Hosted or online backup processes are very attractive for small to medium size businesses. Why? They don’t have to maintain the expertise internally and the IT equipment is expensive.

 

How best do you manage your backup provider? Be sure to have a service level agreement in place. The service level agreement should provide you response times for when you need help. And you will! When you need to find that lost report that is due for your presentation today, you will want the file restored today – NOT in 24-36 hours. In addition, review your own internet connection as you will need a fast one to transfer your data. Does your outsourced vendor take care of your needs?   

Sep 10 2008   12:16AM GMT

11th Commandment - Thou shalt perform the data backup process. – SAS70

Posted by: sas70expert
Management, Compliance, Auditing, Backup, SAS 70

It’s Monday at 9am, Your server data has been lost. You ask for the backup tape to perform the restore and determine that Friday night backup process failed. You don’t want to start the week off by committing such a sin as to not follow the 11^th commandment. The backup data process must occur according to your company schedule and any identified failures should be noted and resolved. In addition, don’t make the mistake of keeping your backup tape on-site. A SAS70 audit that focuses on computer operations will examine your processes to confirm that you are adequately performing data backups. The SAS 70 audit will monitor your compliance with your Company policy – are you required to perform full or incremental backups? How do you know that your backup process was successful? A daily log should be received to indicate which file directories and files were backed up and if it was successful. In addition, your backup software should perform a verification process. When an auditor performs the SAS70 audit, one of the common mistakes by the Management is to forget to review the backup log. Who is in charge of your backup process?  SAS70ExPERT at gmail.com

Jul 31 2008   2:06PM GMT

Is Olympic Security enough data protection? SAS70

Posted by: sas70expert
Security management, Third-party services, Disaster Recovery, Security, Management, Compliance, Auditing, CIO, DataCenter, SAS 70

If I were going to the Olympics as participant, business person or ticket holder, then I would want to consider how much security I need to keep me safe. The 2008 Olympics will cause a heightened awareness of security for the Beijing metropolis and training will occur on many areas of security. Similar to a SAS 70 audit, many types of security will be audited: physical, environmental, network, logical access to applications and systems, and computer operations. A SAS70 audit should provide you with comfort that your assets are safe, that the controls to protect them are operating effectively and that your business is efficient.

 

If I were going to the Olympics, here are a few safety principles to follow:

1. Lock your cell phone with a password. If you leave your phone at your favorite restaurant, then you want to be sure that no one can gain access to your contacts, phone numbers, and emails. In addition, be sure to list your name and phone number on the screensaver so that someone call you to return it.
2. Use encryption on all devices. Use VPN/SSL VPN encryption on your laptop, and cellphone.
3. Never leave your valuables in the hotel unprotected. Always take your ipod, mp3 player, cell phone, and other corporate electronics with you or put them in the hotel safe. If you don’t have a hotel safe, then lock it in your luggage.
4. If you have USB flash drives, password protect them and encrypt them.
5. Buy an Olympic necklace. A string around your neck with your hotel key, photo id, and some change could be lifesaver in a foreign country. sas70expert@gmail.com

Jul 27 2008   1:46AM GMT

Data Breaches – Do you have a plan? SAS70

Posted by: sas70expert
Disaster Recovery, Networking, Incident response, Security, Compliance, Risk management, Auditing, CIO, DataCenter, Backup & recovery, Backup, SAS 70

You should have a disaster recovery plan when a data breach occurs within your Company. SAS 70 audits mostly will require you to have a plan documented, but the details of the plan are usually not adequately reviewed. Every disaster recovery plan should have basic requirements which include:

1. Who to call when an Exchange server malfunctions?
2. What do you do when a fire occurs in your Datacenter? Do you use the fire extinguisher? Pull the fire alarm? Or run out the front door and call the fire department on your cell phone. There are many tasks that must be done to prevent a catastrophe and each has to be assigned.
3. Where do you report when the Datacenter is flooded? Do you meet at the local coffee shop or the CIO’s home? You need to designate a safe site so that you are quickly able to establish communication and implement the disaster recovery plan.
4. When does the disaster plan take effect? Is it implemented when a laptop is lost? Or an i-Phone is missing? Or is it when a more serious virus causes your network to go down? You have to know when to ring the disaster bells or the CEO, CIO, CFO will not take you seriously if you call him daily about the missing cell phone.
5. How do stop a virus from causing your entire network from disruption or just your access to internet or emails? Do you unplug the network or do you call third party services and report the issue?

 

If a disaster occurs - consider it like your home were burning….your most critical asset….a disaster recovery plan requires forethought and an impact analysis to make sure that your Company can still function on a day to day basis. Make sure you have a Disaster Recovery Plan ready for your SAS70 audit and so that you can come to work the next day.  Trackback URL

Jul 1 2008   5:45PM GMT

Do you need the Secret Service to guard your data? – SAS70

Posted by: sas70expert
Security management, Third-party services, Administration, Database issues, Disaster Recovery, Networking, Active Directory, Network security, Storage, Security, Network monitoring, Servers, Microsoft Windows, Information risk management, Management, Security Program Management, Risk management, human factors, Database, Database Management Systems, business/IT alignment, Access, Financials, Access control, Industry Solutions, Data center operations, Network Management Systems, Data center design, Network, CIO, DataCenter, DataManagement, CEO, management software, Single sign-on, FTP, CFO, cooling systems, Backup & recovery, Exchange, Backup, power systems, SAS 70, budget, bugeting, CSO

It’s election year and security to protect some of our most valuable assets is being discussed more frequently – including politicians and data privacy requirements (proposed Regulation S-P). Does that mean you should be considering the Secret Service to guard your data? I don’t think so; however, you should have a plan to manage risk of data loss. This plan should contain proactive thinking that promotes a culture of prevention. A SAS70 audit will assist you in determining your vulnerabilities and identifying weaknesses in information technology network; however, you must continually assess and evaluate scenarios, and stay informed of the latest and greatest networking threats. Communication and training are key to a data protection plan. What are some of the other characteristics?SAS70expert@gmail.com

 

Jun 30 2008   3:19AM GMT

DataCenters that go Green! – SAS70

Posted by: sas70expert
Third-party services, Networking, Network security, Network monitoring, Strategic Enterprise Management, Microsoft Windows, Management, Database Management Systems, Industry Solutions, Data center operations, Network Management Systems, Blackberry, Data center design, CIO, Mobile, DataCenter, DataManagement, CEO, CFO, storage arrays, cooling systems, Exchange, power systems, SAS 70, CSO, Rack systems

Can we believe all the hype? Is there a green revolution afoot? From cars to energy to datacenters, everyone is going green. Datacenters have become very complex, with so many interactions among processors, rack systems, power and cooling systems, storage arrays, networks, and communications channels - that they can be regarded as unique virtual environments that consume large amounts of energy. Our need to have access to the internet anywhere and everywhere, requires more capacity and increasing speeds of datacenter components. What steps are you taking to become Green?   

Jun 16 2008   4:46AM GMT

CIO, CEO, CFO’s role in future Information Technology(IT) - SAS70

Posted by: sas70expert
Disaster Recovery, Networking, Storage, Security, Microsoft Windows, Career development, Compliance, business/IT alignment, Auditing, CIO, DataCenter, DataManagement, CFO, Email, Exchange, SAS 70, budget, bugeting, CSO

When I was with the big four, we couldn’t just be auditors, we were risk management consultants. Today, it seems that IT job titles and roles are in a similar transition.As a consultant/auditor, I am always discussing with the client the value that I bring to their organization as an experienced SAS70 auditor. Because of my expertise my audit will be much more in-depth, more efficient and effective with their time, resources, and revenue.

According to Computerworld, the below job titles are examples of the kinds you’ll see cropping up in IT in the not-too-distant future. IT job titles with any hint of computers, databases, software development languages or data network will disappear.

· Product Architect

· Chief Delivery Officer

· Chief Process Officer

Why? It’s a direct result of IT becoming integrated into the business strategy and being considered a partner in the business instead of a service provider who has no effect on revenue.

Xcel Energy, a $10 billion electric power and natural gas utility in Minneapolis, is changing the way it looks at IT. The company expects its data managers to be able to look at data and figure out answers to questions, such as where money is being lost. In other words, the company wants someone to put data in a business context.

The outsourcing of ping, power, and pipe is common to third party vendors. Even management of the application is increasing outsourced; however, companies still need IT to manage the flow of data in/out of the application, the relationship with the outsourced vendor, and assist in performing data analysis.

The focus more on life-cycle management, vendor management and data analysis has raised the expertise requirements of IT functions and is requiring more business management decisions to be made by IT. Moving IT management away from technology management doesn’t take them out of the picture, it will make them more critical to the survival of the business and elevate their ability to make a difference within their companies strategic direction.

How do you think your role is changing? Are you being elevated? Or just asked to do more with less?

SAS70ExPERT@gmail. com

Jun 14 2008   6:39AM GMT

CIO - Are you sitting on your DataCenter assets or using them?

Posted by: sas70expert
Networking, Storage, Security, Microsoft Windows, Career development, Compliance, business/IT alignment, Auditing, CIO, DataCenter, DataManagement, CEO, CFO, Email, Exchange, SAS 70, budget, bugeting, CSO

Are you sitting on your DataCenter assets or using them? CIO/SAS70

 

As the economy continues to be unsteady, what are your priorities as CIO? As CEO’s continue to be fired, CIO’s should use the uncertainty to prioritize there IT efforts, strengthen their information security within their DataCenters, and improve communication to the business of IT efforts.

 

IT project funds are shrinking. Are you concentrating in the area that will return results to the bottom line of the business and keep your paycheck coming? Re-evaluate your priorities now – concentrate on those projects that will improve revenue; that will make you a superstar in the eyes of your management, and will solidify your job.

 

Prioritize and communicate to get the most value from all the hard work that you do. According to survey results, only 10% of CIO’s say that they did an excellent job of communicating the value of their IT assets to their bosses. If you performed a SAS70 audit, not only tell your customers, but make your internal management aware of it, as it should strengthen your network security internal controls. CIO’s should form an alliance with CFO’s to communicate the business value of the core IT assets and the projects completed within the year. Make efforts to let the Board, Management and other stakeholders aware of your hardwork and that are critical to survival of the business and quantity the net return that these IT projects bring to the organization. Scorecards work best to quickly identify areas of accomplishments, areas in process, and future plans. I use a similar technique to communicate to the audited the SAS70 audit process, results, issues and deadlines. What other methods do you use? Do you plan on cutting or adding to your IT budget for 2008 an 2009?

 

TAGs: DataCenter, Budgeting, Business/IT alignment, Career development, CIO,

 

Jun 11 2008   12:47AM GMT

Exchange and Email

Posted by: sas70expert
Disaster Recovery, Auditing, Email, Backup & recovery, Exchange, Backup, SAS 70

SAS70 audits do not require disaster recovery to be audited; however, backups of email can be critical to survival of a Company should they be sued.

The process to back up emails can be expensive and time-consuming. I tried clustering Exchange servers. It was a mistake from the start – it became too complicated, I had to add 3 additional staff, hardware and don’t forget the licensing costs.

There are some appliances that make it easier to replicate to Exchange and other major mail servers. What appliances worked best for you? Or are there other techniques you can recommend to expedite the email backup process?