SAS 70

July 29, 2008  11:51 PM

SAS70 audit exceptions

Keith Harrell Profile: SAS70ExPERT

As I have read many SAS 70 audit reports, my perception of the quality of audit reports is varied. As I stated in previous blogs, there are different standards with which to use to implement information technology controls; however, the SAS70 standard does not require an auditor to meet specific information security requirements. Therefore, an auditor may audit network security rather heavily or not at all. If the SAS 70 standard was changed to provide specific requirements related to IT that were to be audited, then more benchmarking of the effectiveness of controls and of the SAS 70 audit would be available. How do you feel about the quality of audit coverage of network security controls in your SAS70 audit?

July 27, 2008  1:46 AM

Data Breaches – Do you have a plan? SAS70

Keith Harrell Profile: SAS70ExPERT

You should have a disaster recovery plan when a data breach occurs within your Company. SAS 70 audits mostly will require you to have a plan documented, but the details of the plan are usually not adequately reviewed. Every disaster recovery plan should have basic requirements which include:

  1. Who to call when an Exchange server malfunctions?
  2. What do you do when a fire occurs in your Datacenter? Do you use the fire extinguisher? Pull the fire alarm? Or run out the front door and call the fire department on your cell phone. There are many tasks that must be done to prevent a catastrophe and each has to be assigned.
  3. Where do you report when the Datacenter is flooded? Do you meet at the local coffee shop or the CIO’s home? You need to designate a safe site so that you are quickly able to establish communication and implement the disaster recovery plan.
  4. When does the disaster plan take effect? Is it implemented when a laptop is lost? Or an i-Phone is missing? Or is it when a more serious virus causes your network to go down? You have to know when to ring the disaster bells or the CEO, CIO, CFO will not take you seriously if you call him daily about the missing cell phone.
  5. How do stop a virus from causing your entire network from disruption or just your access to internet or emails? Do you unplug the network or do you call third party services and report the issue?


If a disaster occurs – consider it like your home were burning….your most critical asset….a disaster recovery plan requires forethought and an impact analysis to make sure that your Company can still function on a day to day basis. Make sure you have a Disaster Recovery Plan ready for your SAS70 audit and so that you can come to work the next day.

July 24, 2008  1:36 AM

7 essential to have in your SLA’s to have to help you manage your outsourced vendor – SAS70

Keith Harrell Profile: SAS70ExPERT

“Do you understand what impact the outsourced vendor has on your financial stability?” says a SAS 70 auditor. If they fail to make payroll or Friday or if you’re DataCenter fails, what effect will that have on your operations? So as not to be “asleep at the switch,” make sure you understand the vendor’s operations and risks involved. Here are 10 essential specifications that you should have in your service level agreement with you’re outsourced vendor:

1) Data encryption and protection – determine what your vendor is doing from an information technology perspective to protect your information. Are they using applications that have security built-in? Do they have firewalls?

2) Physical Security – review and management of access to buildings and data is critical to protect information technology assets. Tight control must be maintained in order to prevent identify theft and loss of valuable equipment, like exchange servers, racks, and hard drives. Each employee should have ID, preferably biometric, and you should log entry and egress into facilities.

3) Environmental Security – Make sure your data is not only locked in the safe room, but that the environment in the room provides essential protections. Do they have fire extinguishers? Temperature control? Air conditioners? …etc.

4) Confidentiality agreements – Require your business partner/vendor to sign confidentiality agreements/non-disclosure agreements to prevent loss of trade secrets, data, and patents.

5)Employee training – Policies are useless, unless your employees and vendors are trained and aware. Provide all vendors with awareness training of your requirements when processing your information or providing you with services.

6) Require employee background investigations. You want to make sure that the person responsible for managing your money is not a convicted felon. They must have a review of the work history and a validation of the skills.

7)Lastly, Management of vendors- After you have given your requirements to your vendor, how do you know they stay in compliance? A SAS 70 audit is required.

July 22, 2008  12:48 AM

Is there an elephant in the room? Or did someone just find a SAS70 Audit internal control deficiency/exception?

Keith Harrell Profile: SAS70ExPERT

As a CIO or CSO, what should you do when a SAS 70 auditor finds an exception or an internal control that is not working during your SAS70 audit? Sometimes, in extreme cases as in a family death — there is silence, screaming and shouting, grieving, and then finally acceptance. When an auditor meets with the Chief Executive Officer, it is key that you understand the difference between a material weakness and an internal control deficiency.


A “material weakness” is a internal control deficiency or combination of control weaknesses such that they result in a significant misstatement of revenue or expenses in your financial statements.


A deficiency in internal control exists either in design or operation of a control. A design deficiency exists when you forgot that you had to reconcile inventory. You have been concentrating on sell, sell, sell, and you forgot you had to determine how much inventory you had on hand each month. It happens. An operational deficiency occurs when your Accounting Manager just didn’t perform up to par and the reconciliations they were supposed to do for inventory just weren’t done each month.


Knowing the difference during these difficult economic times is important. So when the white elephant comes into the room, take a deep breath — If you understand the differences in a material weakness and a significant deficiency, you have the information you need to discuss the results of the SAS70 audit and determine the next steps.


July 20, 2008  12:20 AM

Data Security Breach Myths – SAS70

Keith Harrell Profile: SAS70ExPERT

When a data breach occurs what are you required to do? You heard that you had to include notifications required by federal and state laws when a data breach occurs. Are these myths, truths or dares? You need to know the difference between the myths and the facts. For instance:


Myth 1When you loose critical financial or personal data, you must  notify everyone and their mother. I call “Shenanigans!” Only if certain conditions are met, then 45 of the State laws require that you notify the consumer or credit card holder. If the conditions are not met, then notification laws are less strict. For example, if data is not considered critical, data is encrypted, or not accessible, then you may not have to report it.


Myth 2 – You must comply with only the law where the data breach occurred. I call “double Shenanigans!” You must take many factors into account when determining which law to apply to the disaster. First, consider what state your Company is incorporated; then, the residence of the individuals whose information lost.


Myth 3 – Your Company meets California requirements, and their standards are higher than all other states, so I must be in compliance. This is just “completely Shenanigans! Even though California was the first, their have been several states which have used California as a baseline and made improvements and additional requirements. For example, Ohio, Georgia, and Texas, have made stringent laws related to data privacy and require detailed notification and follow-up.


Make sure you have an attorney handy, your plan is detailed to enough so that you can start a plan of action, and begin the communication process when a data breach occurs. Get a plan in place and if required, you will be ready for a SAS70 audit and a data breach catastrophe.

July 16, 2008  3:14 PM

Green is mean and lean but is it the ticket to prosperity? SAS70

Keith Harrell Profile: SAS70ExPERT

Exchange Servers are increasingly being added to the electric grid and increasing the world’s energy consumption, carbon emissions and stream wastes. A recent report stated that “U.S. server electricity consumption has doubled in the past five years and now equals that of color TV’s. SAS70 audits review logical and network related controls for servers, but they don’t consider the energy consumption or quality of company environmental efforts.


All kinds of new energy saving ideas are being developed, including air-compressed backup generators. Greenpeace has developed a “Guide to Greener Electronics.” The guide ranks the 18 top manufacturers of personal computers, mobile phones, TV’s and games consoles according to their policies on toxic chemicals and recycling.

I think that this is great, but is it sustainable considering our populations demand for service NOW!? In an electronic age, where I can practically order anything, see any tv show, or buy any music at the touch of a button on my i-Phone, can we expect businesses to  choose green over a quick dollar? As datacenter demand grows and the need for servers bandwidth is required – will you stop and say  “No, I want my children to enjoy clean air, and clean water.” Or will you push forward with a browner (less green) alternative computing solution? Should SAS70 audits evaluate environmental and energy efforts?

July 13, 2008  7:19 PM

What you read is what you get in a SAS70!!

Keith Harrell Profile: SAS70ExPERT

Don’t be fooled by a big accounting name? A suit with a high priced song! No matter what they say, you have to read the SAS70 report in order to determine the depth of testing performed in a SAS70 audit. SAS70 audits have just now become in demand by industry leaders and you have to determine what value you want from the SAS70 audit. Do you need a box checked? Or will you use this audit process to improve your revenue, your internal controls, and to set you apart from your competition? Prices range all over the board – choose your poison wisely – either you choose an auditor with experience and see that their report provides you with the level of detail and testing to required to make your organization better or — you might as well gamble in Vegas more – and take the big accounting name with little testing that provides you with the check box you


July 11, 2008  6:26 PM

How do I get to the top without breaking the Bank? SEO (search engine optimation) and SAS70

Keith Harrell Profile: SAS70ExPERT

When I Google today on SAS70? Wow, I have so many choices. With the rankings of companies – it is confusing and perplexing and that I am not even on the first page. How do I get there without breaking the bank? I have read some on the Google site about it and it has left me wanting more. Just like you, I am searching for ways for companies to recognize me and my site and want to follow the rules so that I can make my site visited. One way is to spend, spend, spend. A SEO consulting firm can get you to the top of the page, but it will take a substantial investment. A beginning company may not want to invest big dollars yet, but their has to be other ways to build brand awareness without selling the computer. Have you hired a SEO consultant? What are your experiences? What are some key things that I should be looking for?

July 9, 2008  2:34 AM

If data is your diamond, why aren’t you protecting it? SAS70

Keith Harrell Profile: SAS70ExPERT

 Various transport methods, such as email, instant messaging, FTP, and encryption have been implemented to share files/data between Companies. But many methods suffer from security, manageability, and the ability to track/log the transfer of information. Increasing regulations and SAS70 audit guidelines are requiring that privacy and security of data be maintained. There are some new tools on the market, including L I N X T E R. is a data transfer technology that enables programs to communicate through secure, reliable, and auditable channels. They are hyper connective communication channels that can be managed using a web-based tool.What data transfer methods are your using and is it secure, manageable and auditable?

July 6, 2008  4:18 PM

How laptops become serial killers? – SAS70

Keith Harrell Profile: SAS70ExPERT

My business requires distribution and collection of data. Much of it resides on a centrally located server; however, there is data on the laptop that has never been transferred over to the server or that may have  been taken off the server for project work. As human beings we will never be perfect. Someone will lend access to their laptop to a friend or customer, a laptop will be lost or stolen, and an unprotected USB drive is a loaded gun just waiting to have the trigger pulled so that data can be transferred off your laptop. Laptops with sensitive data that goes unprotected, can become a media nightmare, a legal hassle and a may limit your customer retention and market growth — a serial killer that stops your business growth and the vendors that support you.


To protect data loss, we now have L0-jack services for laptops when they are stolen. The laptop can be found and once connected to a network will be shut down.But what about the ease we have to install and transfer data to others using USB drives. Even if you use a USB drive that requires a password, is that enough security? I have read recently that laptops were returned after being lost that contained sensitive data such as social security numbers for big companies – including Google. Now that they have the laptop back, is the risk over? What if the data was transferred off the laptop onto a USB drive?


Just like for the SAS70 audit, you have to perform a risk assessment to determine the controls that must be in place, and identify those that can be implemented as time permits. In the situation above, I don’t think focusing on the number of ways that data can be taken off laptops is the key to reducing risk. You should focus more on identifying the type of data that you have, mark the sensitive data, and control access to it – by limiting users, strengthening laptop controls around the sensitive data, and identifying opportunities to record transfer of sensitive data which would provide an audit trail. How are you controlling your data on your laptops?


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: