SAS 70 audits review not only the security of your networks but also the security of the data that travels across them and of the data that stays at rest on your servers and laptops. Before choosing an encryption vendor, there are factors you should consider:
- What administrative actions are required? Can keys be changed by the user, or does your network administrator have to take action? If a key is compromised, can it be replaced at will? If a key is changed, how is the new key remembered and recovered, and what happens to the data encrypted under the old one?
- What steps are taken to manage keys? Are keys kept in a secure, centrally managed store, or are they managed individually? Independent solutions give you more flexibility, but independent users do not always follow company standards, and that gap is exactly what an attacker looks for.
- Are multiple keys supported, and can you create a master (recovery) key? The more critical and sensitive the data, the harder the key should be to crack: longer keys, a stronger algorithm, and a slow key-derivation function for any key that is protected by a passphrase.
- Is there a PKI in the corporation? Does the encryption product integrate with an existing PKI, or does it require its own software in order to function? Any vendor solution should be able to integrate with what you already run. SAS70ExPERT@gmail.com
SAS 70 audits focus on COSO controls and examine the leadership experience and training of executives. CIOs' and CSOs' march to the executive suite takes many paths. Opportunities to lead in the C-level suite come in many forms; some are perhaps luck, others come from angels, but what job titles lead to the CIO or CSO role? According to a recent survey, most CIOs have a background primarily in IT. In recent weeks, I have begun to question this polling, as I have met several well-respected CIOs who understand strategy and operations but do not have a clue as to operating systems, applications or how networks function. In this same poll, only 15% of CIOs and CSOs came from areas outside of IT. What side of the fence do you stand on? Do you think an extensive background and training in information technology makes a difference as a C-level executive? As I consider myself a hybrid with a little knowledge and experience on both sides of the fence, I wonder what is respectable?
It's Monday at 9am and your server data has been lost. You ask for the backup tape to perform the restore and discover that Friday night's backup job failed. You don't want to start the week off by committing such a sin as breaking the 11th commandment. The backup process must run according to your company schedule, and any failures must be noted and resolved. In addition, don't make the mistake of keeping your only backup tape on-site. A SAS 70 audit that focuses on computer operations will examine your processes to confirm that you are adequately performing data backups. The SAS 70 audit will test your compliance with your company policy: are you required to perform full or incremental backups, and on what schedule? How do you know that your backup process was successful? A daily log should be received that indicates which directories and files were backed up and whether the job succeeded. In addition, your backup software should perform a verification pass against the written media. When an auditor performs the SAS 70 audit, one of the common mistakes by management is to forget to review the backup log. Who is in charge of your backup process?
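The review described above can be turned into a check that runs against the daily log instead of relying on someone remembering to read it. The following is an added example, not the blog author's code or any backup product's real log format: it assumes a hypothetical one-line-per-job log (date, job, full/incremental, OK/FAILED, verified/unverified) and a hypothetical policy of incremental backups Monday to Thursday and a full backup on Friday, and it reports every scheduled run that is missing, of the wrong type, failed, or completed without a verification pass. The sample log lines are constructed.

```python
"""Check a daily backup log against a company backup policy.

Added example with a hypothetical log format and an assumed policy:
Monday-Thursday incremental, Friday full, every job must report OK and
a completed verification pass.
"""
from datetime import date, timedelta

# Constructed sample log, one line per job run:
# <date> <job> <full|incremental> <OK|FAILED> <verified|unverified>
SAMPLE_LOG = """\
2009-03-02 fileserver incremental OK verified
2009-03-03 fileserver incremental OK verified
2009-03-04 fileserver incremental OK unverified
2009-03-05 fileserver incremental FAILED unverified
2009-03-06 fileserver incremental OK verified
2009-03-02 db incremental OK verified
2009-03-04 db incremental OK verified
2009-03-05 db incremental OK verified
2009-03-06 db full OK verified
"""


def expected_type(day: date):
    """Backup type the assumed policy requires on a given day (None on weekends)."""
    weekday = day.weekday()  # Monday == 0 ... Sunday == 6
    if weekday < 4:
        return "incremental"
    if weekday == 4:
        return "full"
    return None


def parse_log(text: str) -> dict:
    """Map (job, date) -> (type, status, verified) from the hypothetical log format."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        day, job, btype, status, verified = line.split()
        entries[(job, date.fromisoformat(day))] = (btype, status, verified == "verified")
    return entries


def audit_backups(log_text: str, jobs, start: str, end: str) -> list:
    """Return (date, job, finding) triples for every policy breach in the window.

    Findings: MISSING (no log entry on a scheduled day), WRONG_TYPE (full vs
    incremental mismatch), FAILED (job did not complete), UNVERIFIED (job
    completed but the verification pass did not).  An empty list means the
    log supports the claim that backups ran as the policy requires.
    """
    entries = parse_log(log_text)
    findings = []
    day, last = date.fromisoformat(start), date.fromisoformat(end)
    while day <= last:
        want = expected_type(day)
        if want is not None:
            for job in jobs:
                entry = entries.get((job, day))
                key = (day.isoformat(), job)
                if entry is None:
                    findings.append(key + ("MISSING",))
                    continue
                btype, status, verified = entry
                if btype != want:
                    findings.append(key + ("WRONG_TYPE",))
                if status != "OK":
                    findings.append(key + ("FAILED",))
                elif not verified:
                    findings.append(key + ("UNVERIFIED",))
        day += timedelta(days=1)
    return findings


if __name__ == "__main__":
    for day, job, finding in audit_backups(SAMPLE_LOG, ["fileserver", "db"],
                                           "2009-03-02", "2009-03-08"):
        print(f"{day} {job}: {finding}")
```

Run over the constructed week, the check flags the database job that never logged a Tuesday run, the Wednesday job that wrote to tape without verifying it, the Thursday failure, and a Friday run that was only incremental when the policy calls for a full backup. That list, kept with the log, is the evidence an auditor asks for when testing the backup control.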
Shazzam!!! Clap on, clap off!! None of these sayings work to build a strong team for a CIO. An effective CIO must work daily to build trust and a strong bond among his employees.
A SAS 70 audit will examine the processes used by a CIO to hire and monitor his employees. A CIO who requires new IT employees to complete an employment application, performs background checks, and conducts regular employee evaluations is well positioned for a successful SAS 70 audit. What are you doing within your company to build a strong IT team?
Do you have three mainframe systems and one stand-alone application that you use for recording financial results? Do any of these systems talk to one another? Are you starting to use SaaS applications to better manage your data? Knowing how to leverage technologies, old or new, is key to being an effective CIO.
During a SAS 70 audit, it is critical that you have a deep understanding of your systems and how they work together. If you are able to provide documentation, such as network diagrams, data-flow diagrams and data hierarchies, to your auditor, then they will be more efficient in determining the controls that need to be tested within your organization. An effective CIO cannot leverage technologies within corporate walls or as outsourced solutions without a complete understanding of IT networks, applications and operating systems. What helps you know how to leverage your company's technologies, or to predict which technologies will work best within your company?
Budgets, financial statements and account analysis all provide you with detailed information on the financial operations of your company. An effective CIO must have a good grasp of his company's revenue and expenses and of how this information flows into his IT operations.
If you are aware of the finances of your operation, then you will understand the facets of the SAS 70 audit that deal with the testing and examination of financial transactions. By understanding the processes that record financial transactions, an effective CIO will quickly be able to explain abnormal differences to an auditor. Do you have the financial information required to manage your operations, or are you still managing with an abacus? What types of reports are most effective for helping you guide your organization? Are you using balanced scorecards?
At 5pm, the CEO returned to his office with a cup of coffee and a very unpleasant frown. He barked out a few orders to his administrative assistant. I knew then that it was all going to roll downhill. Apparently, an IT Director had signed a vendor contract with some very unfavorable terms. Luckily, the IT Director was no longer with the company, and therefore the CIO was the one who would be assigned the cleanup work.
In order to deal with this situation, the CIO would have to quickly understand the requirements of the CEO and the expectations of the vendor. If he failed to deliver for either of them, the effects could have serious consequences for IT operations. These types of political maneuvers happen every day, and it takes a skillful politician as a CIO to produce favorable results.
A CIO can use her political skills to deal effectively with a SAS 70 audit. When an auditor identifies an audit exception, the CIO may fully agree with the auditor; however, the description of the audit exception may need to be qualified in order to maintain a close relationship with the CEO. Sometimes negotiations are even held over simple words, such as "sometimes", as they can make a big difference in the eyes of the Board of Directors or Audit Committee. What are some of the circumstances that you may have been involved in? Were you successful in avoiding pitfalls? What worked best for you?
A very successful CIO told me once, "I can see the stars, but I can't see the future." At the time, I was very inexperienced and wasn't really clear about this statement. Now I think I understand: his experience, drive, education and passion allowed him to see opportunities for company growth and advancement in unproven markets. To be a visionary is one of the most important characteristics for career stability and longevity.
This characteristic will also help you guide your SAS 70 auditor to a successful audit. Because you know your operations better than anyone else, you should be able to quickly provide your auditor with the answers and documentation required to plan and conduct the audit. By staying on top of your day-to-day operations, and not focusing all your attention on the boardroom, you will have the information necessary to deal with audit exceptions when they arise. Do you have systems, applications or reporting mechanisms in place that provide you with operating results on a timely basis? If so, what works best for you within your company?
If you have to conduct a SAS 70 audit within your organization, are you ready? As a CIO, do you have the necessary leadership skills to make an audit a success?
A recent survey by TechRepublic lists the following criteria that an effective CIO or CSO must have in order to lead a 21st-century information technology (IT) team. These characteristics are, not necessarily in order of priority:
- Be a visionary
- Able to deal with office politics effectively
- Have an understanding of financials
- Leverage key technologies
- Ability to build a strong team
As a CIO, these characteristics are required to be an effective leader. In addition, these same characteristics will make you an effective CIO or CSO when a SAS 70 audit is conducted. From the initial planning and scoping phases of the audit, you must take the initiative to develop a strong relationship with your auditor. Don't be afraid to tell him all the bad and the good when discussing your IT operations. By developing an open rapport and having frank discussions, you will be able to quickly develop a lasting bond with your auditor. Do you have this type of relationship with your auditor?
SAS 70 audits review the authentication procedures required to access computer equipment, including pre-boot authentication (PBA). If pre-boot authentication is not required on laptops and other portable equipment, then the risk of someone gaining access to your company data from a lost or stolen machine is very high.
What is PBA? Pre-boot authentication is a process that requires a user to authenticate before the operating system is loaded, rather than at the Windows or Linux login screen. A small pre-boot environment runs first, and the user must enter his credentials (a username and password, or a token) before the system load begins. Only once the user is authenticated is the key that decrypts the disk released and the Windows or Linux operating system loaded. If the correct credentials are not entered, the pre-boot stage never releases the key, the operating system is not loaded and the computer stays locked.
Pre-boot authentication protects your data because the disk remains encrypted until the pre-boot credential has been verified. The usual bypass tools work against a loaded operating system or against an unencrypted disk read from rescue media, so booting the laptop from a Windows XP or Vista emergency disk, or from any other boot CD, shows an attacker only ciphertext. One caveat a practitioner should keep in mind: PBA protects data only when it gates a full-disk encryption key. A BIOS or boot-loader password on an unencrypted drive is not PBA in this sense, since the drive can simply be moved to another machine and read.
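The key-management questions from the encryption-vendor checklist above (can a key be changed at will, what happens when one is compromised, is there a master key) and the pre-boot authentication mechanism described here are two views of the same design: one random volume key that never leaves RAM in the clear, wrapped separately under each user's passphrase and under an administrator-held master (recovery) key. The model below is an added example, not the blog author's code or any vendor's product. It assumes a hypothetical slot layout and function names, uses PBKDF2 for passphrase-derived keys, and uses an HMAC-SHA256 counter-mode keystream as a stand-in for the AES key-wrap and disk-encryption modes real products use. The passphrases and disk image are constructed.

```python
"""Toy model of pre-boot authentication over an encrypted volume with a key
hierarchy.  Added example, not any vendor's product: the slot layout, names
and the HMAC-based keystream (standing in for AES key wrap / XTS) are
assumptions made for illustration."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for passphrase-derived keys


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy stream cipher).
    Applying it twice with the same key and nonce restores the data."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


def derive_keys(secret: bytes, salt: bytes):
    """Passphrase or master secret -> (wrapping key, MAC key) via PBKDF2."""
    km = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


class PbaKeyStore:
    """The volume header: the volume key is present only in wrapped form."""

    def __init__(self):
        self._volume_key = secrets.token_bytes(32)  # lives in RAM, never on disk
        self.slots = {}  # slot name -> (salt, nonce, wrapped volume key, tag)

    def add_slot(self, name: str, secret: bytes) -> None:
        """Wrap the volume key under a credential (user passphrase or master key)."""
        salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        wrap_key, mac_key = derive_keys(secret, salt)
        wrapped = keystream_xor(wrap_key, nonce, self._volume_key)
        tag = hmac.new(mac_key, nonce + wrapped, hashlib.sha256).digest()
        self.slots[name] = (salt, nonce, wrapped, tag)

    def unlock(self, name: str, secret: bytes):
        """Return the volume key, or None if the slot is absent or the credential is wrong."""
        if name not in self.slots:
            return None
        salt, nonce, wrapped, tag = self.slots[name]
        wrap_key, mac_key = derive_keys(secret, salt)
        expected = hmac.new(mac_key, nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong credential: nothing is released
        return keystream_xor(wrap_key, nonce, wrapped)

    def change_secret(self, name: str, old: bytes, new: bytes) -> bool:
        """Rotate a credential: re-wrap the unchanged volume key (no data re-encryption)."""
        if self.unlock(name, old) is None:
            return False
        self.add_slot(name, new)
        return True

    def revoke(self, name: str) -> None:
        """Drop a compromised credential; the other slots still open the volume."""
        self.slots.pop(name, None)

    def encrypt_image(self, plaintext: bytes):
        """What actually sits on the disk: (nonce, ciphertext) under the volume key."""
        nonce = secrets.token_bytes(16)
        return nonce, keystream_xor(self._volume_key, nonce, plaintext)


def pre_boot(store: PbaKeyStore, disk, name: str, secret: bytes):
    """The PBA stage: release the volume key only for a valid credential, then
    decrypt the OS image.  None means the machine stays at the pre-boot prompt."""
    volume_key = store.unlock(name, secret)
    if volume_key is None:
        return None
    nonce, ciphertext = disk
    return keystream_xor(volume_key, nonce, ciphertext)


def demo() -> dict:
    """Walk the lifecycle: login, bad login, passphrase change, revocation, recovery."""
    image = b"bootable OS image plus the user's data"  # constructed disk contents
    store = PbaKeyStore()
    store.add_slot("alice", b"correct horse battery staple")
    master = secrets.token_bytes(32)  # administrator's recovery key, kept off the laptop
    store.add_slot("master", master)
    disk = store.encrypt_image(image)
    results = {
        "good_login": pre_boot(store, disk, "alice", b"correct horse battery staple") == image,
        "bad_login": pre_boot(store, disk, "alice", b"password1") is None,
        "disk_is_ciphertext": b"user's data" not in disk[1],
        "rotate": store.change_secret("alice", b"correct horse battery staple", b"new phrase"),
    }
    results["old_rejected"] = pre_boot(store, disk, "alice", b"correct horse battery staple") is None
    results["new_accepted"] = pre_boot(store, disk, "alice", b"new phrase") == image
    store.revoke("alice")  # credential compromised: drop it without touching the data
    results["revoked"] = pre_boot(store, disk, "alice", b"new phrase") is None
    results["master_recovers"] = pre_boot(store, disk, "master", master) == image
    return results
```

Two properties of the design answer the checklist directly. Changing or revoking a user's credential only re-wraps or deletes one slot; the volume key, and therefore the encrypted data, is untouched, so rotation after a compromise is cheap and needs no re-encryption. And because the disk image is ciphertext until `unlock` succeeds, rescue media booted around the pre-boot stage reads nothing useful; the master slot is what lets the administrator recover a machine whose user has forgotten the passphrase.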