SAS 70

Dec 7 2008   1:24PM GMT

Importance of User access policy? SAS70

Keith Harrell Profile: SAS70ExPERT

Recently, I was on a plane flying home and started talking to a CIO about his SAS 70 audit. He seemed dismayed about a former trusted employee taking proprietary data from his company. He noted that they had a policy in place to remove the terminated employee from the company applications; however, this employee was able to walk away with the company’s list of customers.


Authorization of access to company applications and removal is a critical process that should be documented and followed by all employees, including executives. In our discussions, he noted that the CEO was a mover and shaker, but he did not always follow company procedures. This loss of data was a direct result of not following policy.


It is critical to a company and to the SAS 70 audit examination that employees and executives follow company policy to gain access and removals to company applications. Otherwise, why have a policy – Give everyone administrative access.


A good policy should require IT to only be the custodian of applications. They should only provide access when authorized by the business operations and initiated by human resources.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: