SAS 70

December 7, 2008  1:24 PM

Importance of User access policy? SAS70

Keith Harrell Profile: SAS70ExPERT

Recently, I was on a plane flying home and started talking to a CIO about his SAS 70 audit. He seemed dismayed about a former trusted employee taking proprietary data from his company. He noted that they had a policy in place to remove the terminated employee from the company applications; however, this employee was able to walk away with the company’s list of customers.


Authorizing access to company applications, and removing it, is a critical process that should be documented and followed by all employees, including executives. In our discussions, he noted that the CEO was a mover and shaker, but he did not always follow company procedures. This loss of data was a direct result of not following policy.

It is critical to a company, and to the SAS 70 audit examination, that employees and executives follow company policy for granting and removing access to company applications. Otherwise, why have a policy at all? Just give everyone administrative access.

A good policy should make IT only the custodian of applications: IT should provision access only when it has been authorized by business operations and initiated by human resources.

December 3, 2008  4:52 PM

IFRS and the new accounting guidelines? SAS 70

Keith Harrell Profile: SAS70ExPERT

Finally, international accounting standards are being implemented. Even though this will cause some upfront additional expense for companies to conform, in the long run, you will be better able to evaluate the financial stability of companies worldwide. Will this mean SAS 70 audit requirements will also be international?


Canada currently has similar SAS 70 audit legislation, but Europe does not. If America continues to outsource its financial, medical and application processing, don’t you think that European countries should have a SAS 70 audit as well? If you bank at Citigroup, your help desk may reside in India. Without the SAS 70 audit standard being applied in India, will your financial data be safe? Someone could steal your identity and funds from a server in India; is there enough regulation to help you, especially when you need to purchase your Christmas gifts tomorrow?

As we continue to become a one-world economy, we must take fundamental steps to institute standards to protect our basic financial interests. This includes requiring a SAS 70 audit to be completed by all companies in any country that provide a service. Have you as a consumer requested to see your service provider’s SAS 70 audit today?

December 2, 2008  1:52 PM

What would you pay for this USB hard drive? SAS70

Keith Harrell Profile: SAS70ExPERT

What would you pay for an eight-gigabyte USB hard drive? Some would say billions, especially if it contained your company’s financial or critical data. Every day you read about lost or stolen company data, which may be your intellectual property, credit card numbers, or even your CFO’s personal medical information. USB drives are also the fastest and surest way to give a CIO a security headache. What are you doing to protect these information assets?

If your company or your staff is saving company or customer data to USB drives, you need to set standards in your security management program to protect this information. A SAS 70 audit will require you to have standards that include:

1) Require that all data stored on USB drives be encrypted.

2) Require that only password-protected USB drives be used.

3) Notify and train your employees on this policy, and have a procedure in place that requires an employee to report a lost or stolen USB drive immediately; otherwise, be prepared for “headlines” and a lawsuit.


Are you involved with securing your corporate data and if so, are you worried about the insecurity of USB disk drives? What measures do you have in place?


December 1, 2008  11:10 PM

Have you received your stimulus today? SAS70

Keith Harrell Profile: SAS70ExPERT

In order to meet budgetary guidelines, you may want to ask for your handout from the US government. I know I would like to receive mine. My business is just getting started, but I could justify that if the economy had held out, I would be substantially better off. Our newly elected president is going to have a struggle, but I hope that he will find a solution.


By accepting a portion of the stimulus package, US companies have basically outsourced or sold part of their business. Shouldn’t that mean that more regulation is required? With any loan or buy-back option, more oversight is required to make sure funds are managed appropriately and that contractual agreements are met. Should that include SAS 70 audits? Basically, how can we prevent frivolous use of our funds? I think SAS 70 audits are an essential part of the regulation process.

November 30, 2008  8:39 PM

What cabinet position would you want to be elected to? SAS 70

Keith Harrell Profile: SAS70ExPERT

As we begin a new election process, our President is currently in the process of deciding who will fill cabinet-level positions. Some bring foreign prestige, such as Secretary of State, and others focus more on domestic issues, such as Secretary of the Treasury. Any of these positions will require persons with decision-making ability and new, imaginative ideas to manage our growing economy. If I were Director of the Office of Management and Budget, I would want to quickly define requirements to manage any new economic stimulus packages. SAS 70 audits would be a requirement included in any new legislation.

If the Federal Government and Warren Buffett are going to own much of our economy, how can we be sure that financial transactions are processed correctly and that our personal data is kept safe? Yes! SAS 70 audits can fulfill that role.

Currently, we are dishing out funds at a record pace. Sometimes (sarcastically) I wonder why we don’t just give every American a printer and tell them to print only what they need. As a taxpayer, I don’t have any idea what my return on this investment will be. When I purchase Coca-Cola stock, I know what the dividend will be. What is our return on our investment in Citigroup and AIG?

SAS 70 audits must become a fundamental requirement for almost any service organization to conduct business with the Federal Government. Do you agree?

November 27, 2008  4:37 PM

Have you been Clickjacking lately? SAS70

Keith Harrell Profile: SAS70ExPERT

Clickjacking threatens all major internet browsers: Internet Explorer, Mozilla Firefox, Safari and Opera. What is it? Clickjacking is not when your wife takes over the remote control. It is when a browser user puts his mouse on a visible button, such as a sign-in button, while a hidden element that the user cannot see is layered with that button. When the user clicks, he unknowingly sends information to an unauthorized source. This could destroy the legitimacy of your web application or your SaaS offering.

There are several possible solutions to this attack, but most depend on updates from the browser vendors. Firefox users have a stop-gap solution available, the NoScript add-on; it is a technical solution and not for everyone. If you process credit card information, your SAS 70 auditor will look to see what precautions you have taken. What measures do you have in place?
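The server-side precaution an auditor would look for is a rule telling the browser which sites may place the page inside a frame at all; if no site may, there is nothing for a hidden frame to overlay. The following is an added Python example, not code from the post: it classifies the response headers a web application sends (the Content-Security-Policy `frame-ancestors` directive and the older `X-Frame-Options` header) and produces the hardened set. The sample header sets in the `__main__` block are constructed.

```python
"""Framing-protection check against clickjacking (added example, not from the post).

A page that can be loaded inside another site's frame can be overlaid with
hidden elements so that a click on a visible button lands somewhere else.
The defence is to tell the browser who may frame the page, via the CSP
frame-ancestors directive or the older X-Frame-Options header. These helpers
classify the headers a server sends and produce the hardened set.
"""


def _csp_frame_ancestors(csp_value):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers):
    """Classify response headers as 'deny', 'sameorigin', 'allowlist' or 'unprotected'.

    headers: mapping of header name -> value; names are matched case-insensitively.
    When both mechanisms are present, browsers that understand CSP ignore
    X-Frame-Options, so CSP is evaluated first.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # An empty source list and 'none' both mean "nobody may frame this".
        if not ancestors or ancestors == ["'none'"]:
            return "deny", "CSP frame-ancestors 'none'"
        if ancestors == ["'self'"]:
            return "sameorigin", "CSP frame-ancestors 'self'"
        return "allowlist", "CSP frame-ancestors " + " ".join(ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny", "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return "sameorigin", "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        return "allowlist", "X-Frame-Options: ALLOW-FROM (obsolete; ignored by many browsers)"
    return "unprotected", "no framing restriction: the page can be loaded in a hidden frame"


def hardened_headers():
    """Headers to send on pages with sensitive buttons (sign-in, checkout, settings).

    Both are sent so that older browsers without CSP support still get a rule.
    """
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


if __name__ == "__main__":
    # Constructed header sets a scanner might observe on three different pages.
    samples = {
        "vulnerable app": {"Content-Type": "text/html"},
        "legacy header only": {"X-Frame-Options": "sameorigin"},
        "hardened": hardened_headers(),
    }
    for name, hdrs in samples.items():
        verdict, why = framing_policy(hdrs)
        print(f"{name:20s} {verdict:12s} {why}")
```

Pages that legitimately must be framed by a partner site get an explicit `frame-ancestors` allowlist rather than no header at all; the checker reports that case separately so a reviewer can confirm the listed origins are the intended ones.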

November 27, 2008  1:40 AM

Outsource with a Plan – SAS70

Keith Harrell Profile: SAS70ExPERT

As more businesses outsource IT to third-party services, data privacy and integrity are paramount to the success of your operations. SaaS providers serving small and medium businesses have a responsibility to ensure your data is processed correctly and kept safe. SAS 70 audits are a requirement.

Before outsourcing to save funds, make sure you have a defined plan. Without it, one small security breach, such as the exposure of a politician’s social security number, can destroy your company’s reputation and your ability to generate new business. This plan should include:

1) Definitions related to service levels. Require your vendor to provide uptime of at least 99%.

2) The ability to process your information quickly. Customers accessing your company website and purchasing items should see a fast response.

3) Reporting functions that give you monitoring capability and let you capture and analyze your data.

4) A disaster recovery plan; a single hardware failure can result in the loss of business.
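Items 1 and 3 of the plan only bite if you can measure them yourself rather than rely on the vendor's own figures. The following is an added Python example, not code from the post or any vendor, showing how a log of periodic health-check probes becomes an availability figure, an outage list and a verdict against the 99% target. The probe log is constructed inside the block; the "timestamp,up|down" line format is an assumption, and `datetime.fromisoformat` needs Python 3.7 or later.

```python
"""Availability reporting against an outsourcing SLA (added example, not from the post).

Turns a log of periodic health-check probes into an availability figure, a
list of outages, and a verdict against the contracted uptime target
(99% in the plan above). The probe log is constructed here; a real one
would come from your own monitoring tool, not from the vendor.
"""
from datetime import datetime, timedelta


def constructed_probe_log(outage_slots=range(10, 14), interval_min=15, day="2008-12-01"):
    """Build one constructed day of lines of the form "ISO-timestamp,up|down".

    Probe n fires n*interval_min minutes after midnight; probes whose index is
    in outage_slots are recorded as failures (default: 02:30 to 03:15).
    """
    start = datetime.fromisoformat(day + "T00:00:00")
    lines = []
    for n in range(24 * 60 // interval_min):
        ts = start + timedelta(minutes=n * interval_min)
        lines.append(f"{ts.isoformat()},{'down' if n in outage_slots else 'up'}")
    return lines


def availability_report(lines, target=0.99):
    """Parse probe lines and compare measured availability with the SLA target."""
    probes = []
    for line in lines:
        ts, result = line.strip().split(",")
        probes.append((datetime.fromisoformat(ts), result.strip().lower() == "up"))
    probes.sort()
    if len(probes) < 2:
        raise ValueError("need at least two probes to derive the probe interval")
    # A failed probe is charged with the whole gap until the next probe
    # (conservative: nothing proves the service was up in between).
    # The last probe is charged the same gap as the one before it.
    gaps = [probes[i + 1][0] - probes[i][0] for i in range(len(probes) - 1)]
    gaps.append(gaps[-1])
    total = sum(gaps, timedelta())
    down = timedelta()
    outages = []          # [start ISO timestamp, minutes] per outage
    current = None
    for (ts, up), gap in zip(probes, gaps):
        if up:
            current = None
            continue
        down += gap
        if current is None:                  # first failed probe of a new outage
            current = [ts.isoformat(), 0.0]
            outages.append(current)
        current[1] += gap.total_seconds() / 60
    availability = 1 - down / total
    return {
        "availability": availability,
        "target": target,
        "breached": availability < target,
        "downtime_minutes": down.total_seconds() / 60,
        "allowed_downtime_minutes": total.total_seconds() / 60 * (1 - target),
        "outages": [tuple(o) for o in outages],
    }


if __name__ == "__main__":
    report = availability_report(constructed_probe_log())
    print(f"availability {report['availability']:.4%} (target {report['target']:.0%})")
    print(f"downtime {report['downtime_minutes']:.0f} min, "
          f"allowed {report['allowed_downtime_minutes']:.1f} min")
    for start, minutes in report["outages"]:
        print(f"outage from {start} lasting {minutes:.0f} min")
    print("SLA BREACHED" if report["breached"] else "SLA met")
```

The constructed day carries a single one-hour outage, which already consumes four times the downtime a 99% target allows over 24 hours; the same code over a month's log gives the figure that belongs in the vendor review.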

November 26, 2008  2:17 AM

Have you checked your email today? – SAS70

Keith Harrell Profile: SAS70ExPERT

When considering the scope of your SAS 70 audit, do you consider email an important company asset? Would it contain critical information on your customers? 9 out of 10 times an email will contain customer financial data, executive contact information, and related gossip. Some SAS 70 audits fail to note the importance of maintaining the security of company email systems.

Email systems must be protected from internal and external threats. Employees gaining access to other employees’ mailboxes, or hackers breaking into your email servers, could walk away with critical information. Executives would not be happy to receive notice of a lawsuit by a customer because a hacker obtained the schematics of their data center.

If you are using Active Directory, perform periodic reviews of the users with access to email. In addition, limit administrators to as few as possible. Make sure your user access procedures are documented, approved, and implemented for your company. Terminated employees must be removed from email access immediately. Implementing these fundamental controls will assist you in completing your SAS 70 audit.
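The user access policy post above (HR initiates, the business authorizes, IT is only the custodian) and the periodic email and administrator reviews here come down to one reconciliation: compare what HR says should exist with what IT has actually provisioned. The following is an added Python example, not code from the post or from any directory product. Both exports are constructed and their column names are assumptions; a real run would feed it an HR roster export and a directory or mail-system export.

```python
"""Joiner/leaver and privileged-access reconciliation (added example, not from the post).

Cross-checks an HR roster (the system that should initiate access changes)
against an export of directory accounts (what IT, as custodian, has actually
provisioned). Finds terminated staff still enabled or still privileged,
accounts HR never initiated, and more administrators than were approved.
"""
import csv
import io
from datetime import date

# Constructed HR roster; termination_date is empty for current staff.
HR_CSV = """employee_id,name,termination_date
1001,Alice Example,
1002,Bob Example,2008-11-30
1003,Carol Example,
"""

# Constructed directory export: one row per account, groups separated by ';'.
ACCOUNTS_CSV = """employee_id,account,mail_enabled,groups
1001,alice,true,Domain Users
1002,bob,true,Domain Users;Exchange Administrators
1003,carol,true,Domain Users
,svc_backup,true,Domain Users;Domain Admins
"""


def review_access(hr_csv, accounts_csv, as_of, admin_groups, max_admins):
    """Return findings as (kind, account, detail) tuples.

    as_of: review date as "YYYY-MM-DD"; admin_groups: group names that grant
    administrative rights; max_admins: the approved number of such accounts.
    """
    as_of_date = date.fromisoformat(as_of)
    admin_groups = set(admin_groups)
    roster = {r["employee_id"].strip(): r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    admins = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        groups = {g.strip() for g in acct["groups"].split(";") if g.strip()}
        privileged_in = sorted(groups & admin_groups)
        if privileged_in:
            admins.append(acct["account"])
        person = roster.get(acct["employee_id"].strip())
        if person is None:
            # Access exists that HR never initiated: shared, service or ghost account.
            findings.append(("orphan_account", acct["account"],
                             "no HR record; establish who authorized it and who owns it"))
            continue
        term = person["termination_date"].strip()
        if term and date.fromisoformat(term) <= as_of_date:
            if acct["mail_enabled"].strip().lower() == "true":
                findings.append(("terminated_still_enabled", acct["account"],
                                 f"terminated {term}, mailbox still enabled"))
            if privileged_in:
                findings.append(("terminated_still_privileged", acct["account"],
                                 "terminated but still in " + ", ".join(privileged_in)))
    if len(admins) > max_admins:
        findings.append(("too_many_admins", ",".join(sorted(admins)),
                         f"{len(admins)} privileged accounts exceed the approved maximum of {max_admins}"))
    return findings


if __name__ == "__main__":
    results = review_access(HR_CSV, ACCOUNTS_CSV, "2008-12-07",
                            {"Domain Admins", "Exchange Administrators"}, max_admins=1)
    for kind, account, detail in results:
        print(f"{kind:28s} {account:18s} {detail}")
```

Run on a schedule, the findings list is the evidence an auditor asks for: each line is either closed by a ticket that removes the access or by a documented authorization from the business owner, and the orphan-account check is what catches access that was granted directly by an executive rather than through HR.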

November 25, 2008  1:36 AM

Capacity and Utilization is No. 1 in 2008 – SAS70

Keith Harrell Profile: SAS70ExPERT

Even without the SAS 70 requirement, capacity and utilization should be a major focus within your data center environment. If you want your energy costs controlled, simply turn off some of your servers and desktops. The turn-off approach can result in nearly a 10% decrease in power consumption for every 100 servers, according to Nemertes Research. In addition, it will allow the servers that remain in operation to deliver better processing performance.

Power management may be automated. Software applications will monitor the power consumed and turn off equipment when demand decreases. The software will also produce power and capacity usage reports that may be used to further tune your operations.

SAS 70 audits will require you to manage your operations not only to protect your customers’ data, but also to verify that your service level agreements are met.

November 17, 2008  11:23 PM

SaaS and SAS70 – SAS70ExPERT

Keith Harrell Profile: SAS70ExPERT

As more outsourcing of applications takes place in this economy through SaaS (software-as-a-service), is management producing cost savings, and how many SAS 70 reports will you be required to collect? From the data center operations, the IT support vendor, and the application provider?

When you perform your cost-benefit analysis, items to consider are:

  • Who will benefit from access control for your application?
  • From where will your visitors, employees and customers be connecting to your information: VPN, cell phone or PDA, or another web-enabled device?
  • How to obtain more control over your licensing costs.

As you develop a strategic plan to use SaaS, build close relationships with your vendors and define them carefully in your contracts. Constantly update your contracts or service level agreements to match your needs, and develop tools to monitor how well your vendor is meeting your requirements.

A SAS 70 audit must be performed on your SaaS vendor to give you assurance of the reliability, confidentiality and integrity of the service provided to you and your customers. Control objectives may be similar or different, but careful examination of the audit report should be performed in order to determine that your data is secure.
