SAS 70

July 1, 2008  5:45 PM

Do you need the Secret Service to guard your data? – SAS70

Keith Harrell Profile: SAS70ExPERT

It’s election year and security to protect some of our most valuable assets is being discussed more frequently – including politicians and data privacy requirements (proposed Regulation S-P). Does that mean you should be considering the Secret Service to guard your data? I don’t think so; however, you should have a plan to manage risk of data loss. This plan should contain proactive thinking that promotes a culture of prevention. A SAS70 audit will assist you in determining your vulnerabilities and identifying weaknesses in information technology network; however, you must continually assess and evaluate scenarios, and stay informed of the latest and greatest networking threats. Communication and training are key to a data protection plan. What are some of the other characteristics?


June 30, 2008  3:19 AM

DataCenters that go Green! – SAS70

Keith Harrell Profile: SAS70ExPERT

Can we believe all the hype? Is there a green revolution afoot? From cars to energy to datacenters, everyone is going green. Datacenters have become very complex, with so many interactions among processors, rack systems, power and cooling systems, storage arrays, networks, and communications channels – that they can be regarded as unique virtual environments that consume large amounts of energy. Our need to have access to the internet anywhere and everywhere, requires more capacity and increasing speeds of datacenter components. What steps are you taking to become Green?


June 28, 2008  1:33 AM

Are you ready to make decisions as CSO or CIO? – SAS70

Keith Harrell Profile: SAS70ExPERT

As you complete that CISSP or CISA designation and move up the corporate ladder, do you have the right skills to begin making the decisions as CSO or CIO? Even if you have a great understanding of IT operations(networking, disaster recovery, datacenter management), compliance(SAS70, Webtrust, Systrust, SOX), and leadership(Project management, financial budgeting and administration), if you don’t communicate effectively you will not make the list. IT leaders can write, speak until they are red in the face; however, if they are unable to speak general business language, the business audience will not support their IT objectives or provide funding. Some of the more important skills to have as CSO or CIO are:

  • Communicate effectively
  • Lead during a disaster
  • Provide an IT strategy

 What are the important skills that a CSO or CIO must have to be a success? As a team leader? To build Board support? To be an effective information technology project manager/business leader? To build another Google, Microsoft Windows, or Email Exchange?


June 26, 2008  4:30 AM

What’s your data loss prevention strategy? – SAS70

Keith Harrell Profile: SAS70ExPERT

Are you reviewing you firewall rules quarterly? Have you implemented an (IDS) intrusion detection system? Are your routers set up to prevent unauthorized intruders? Do you have the latest and greatest virus protection? Are you performing a SAS70 audit every six months? Database security breaches are increasing daily and costing tremendous amounts of dollars that should have been spent on IT projects. You should at least have an emergency plan in place when data loss occurs. Without an emergency plan in place, the breach could continue and the legal costs could continue to escalate.


June 25, 2008  11:21 AM

Data Exchange and SAS70

Keith Harrell Profile: SAS70ExPERT

Various transport methods, such as email, instant messaging, FTP, and encryption have been implemented to share files/data between Companies. But many methods, suffer from security, manageability, and the ability to track/log the transfer of information. Increasing regulations and SAS70 audit guidelines are requiring that privacy and security of data be maintained. What data transfer method are you using and is it secure,manageable and auditable?


The types of data transfer continue to evolve and a variety of people with whom companies exchange data is also changing. For example, many companies outsource processes that they used to perform in-house. Furthermore, some even are processed overseas, especially in India. How much control do you have on your outsourced vendor? How do you know that their process to transfer data is secure and managed appropriately?

June 22, 2008  11:50 PM

IT Strategic Plan – What is the recipe? – SAS70

Keith Harrell Profile: SAS70ExPERT

An IT strategic plan is critical to be a success in today’s economy and to grow your CIO career. Don’t be afraid to define some concrete details about your datacenter network and the IT security required. Here are some important characteristics of an IT strategic plan:


Timing/Length – Start NOW! You can’t get there without an IT roadmap. Make it in increments of one year, 3 years, and five years.


Scope – Obtain the business goals and objectives. Understand how information technology will support achievement of these goals. Design your IT plan to not only meet these objectives, but to add additional value and revenue when each of these goals is attained.


Presentation – Keep it simple. From the Boardroom to the staff meeting, keep everyone focused on the high level IT goals. Be specific about how IT and business will work together to meet the requirements. Simple statements to drive your IT department towards success are best.


Monitoring – Put measurements in place which include deadlines. Monitor these like a hawk. The goal is not precision, but to keep moving forward. Revise and update the IT plan as necessary.


Communicate – How does the Boardroom know you are success? You are your own marketer and so is your staff. When you achieve success in completing an IT project, be sure to inform your staff and your management. Identify internal and external meetings to inform.



June 19, 2008  2:28 PM

Which search engine owns you? Identity management is owned by whom? – SAS70

Keith Harrell Profile: SAS70ExPERT

 Is it Yahoo? Or Google? Or? Shouldn’t it be the individual consumer? Every time you register on a website to download a movie or order a box of nuts, that information is being recorded. Some websites don’t keep this information confidential; it becomes entrenched in the search engine optimization techniques used by search engines and your name, address, and phone number may be appearing in random searches by someone in the Antarctic.


Without additional privacy legislation and SAS70 audits, your personal information may not be so personal anymore. Currently, if your personal information is leaked to the public, Companies only have to inform you of the data breach, and get you a credit monitoring service. Does this  seem fair? Should you have a single signon that is secure and corruption is preventable?




June 17, 2008  11:45 AM

Networks, laptops and virus in your Starbucks? How much do you want in your coffee? – SAS70

Keith Harrell Profile: SAS70ExPERT
Digital certificates, IBM, Identity & Access Management, Microsoft Windows, Order Management, Protocol analysis, Strategic Enterprise Management

Wi-fi networks are everywhere… keep employees thinking, moving and socializing. Can we just drink coffee at Starbucks? UNTHINKABLE!! As more and more of these networks become prevalent and we become connected to one big network that never ends, what is going to happen if that unthinkable malware or virus infects your network? Will it start on your pda/phone, or on your laptop at 8:05am and then spread to your home computer at 8:07 and then off to your corporate network at 8:15am. Researchers at Indiana University  are predicting that unsecured wireless networks could launch a potential network attack that spreads like wildfire to personal, home, and business networks. How can you combat such an attack? 

First, those wi-fi networks need monitoring and standards – a SAS70 audit to review network controls. Included in a SAS70 audit is a review of your router controls to make sure that you have some insurance in place to prevent network downtime.

 When the routers are taken out of the box and set on the shelf and plugged in, that is not the only installation required. Administrative passwords and SSID’s need to be strengthen and hardened so that Mr Hacker is not able to stop your credit card from being accepted. Use administrative passwords that are not common, require numbers and letters, and are not your mothers name. The same requirements should be used for SSID’s.In addition, turn on encryption, preferably WPA – which is considered almost impossible to crack. What controls/insurance do you have in place?



June 16, 2008  4:46 AM

CIO, CEO, CFO’s role in future Information Technology(IT) – SAS70

Keith Harrell Profile: SAS70ExPERT
Order Management

When I was with the big four, we couldn’t just be auditors, we were risk management consultants. Today, it seems that IT job titles and roles are in a similar transition.As a consultant/auditor, I am always discussing with the client the value that I bring to their organization as an experienced SAS70 auditor. Because of my expertise my audit will be much more in-depth, more efficient and effective with their time, resources, and revenue.

According to Computerworld, the below job titles are examples of the kinds you’ll see cropping up in IT in the not-too-distant future. IT job titles with any hint of computers, databases, software development languages or data network will disappear.

· Product Architect

· Chief Delivery Officer

· Chief Process Officer

Why? It’s a direct result of IT becoming integrated into the business strategy and being considered a partner in the business instead of a service provider who has no effect on revenue.

Xcel Energy, a $10 billion electric power and natural gas utility in Minneapolis, is changing the way it looks at IT. The company expects its data managers to be able to look at data and figure out answers to questions, such as where money is being lost. In other words, the company wants someone to put data in a business context.

The outsourcing of ping, power, and pipe is common to third party vendors. Even management of the application is increasing outsourced; however, companies still need IT to manage the flow of data in/out of the application, the relationship with the outsourced vendor, and assist in performing data analysis.

The focus more on life-cycle management, vendor management and data analysis has raised the expertise requirements of IT functions and is requiring more business management decisions to be made by IT. Moving IT management away from technology management doesn’t take them out of the picture, it will make them more critical to the survival of the business and elevate their ability to make a difference within their companies strategic direction.

How do you think your role is changing? Are you being elevated? Or just asked to do more with less?

SAS70ExPERT@gmail. com

June 14, 2008  6:39 AM

CIO – Are you sitting on your DataCenter assets or using them?

Keith Harrell Profile: SAS70ExPERT
Order Management

Are you sitting on your DataCenter assets or using them? CIO/SAS70


As the economy continues to be unsteady, what are your priorities as CIO? As CEO’s continue to be fired, CIO’s should use the uncertainty to prioritize there IT efforts, strengthen their information security within their DataCenters, and improve communication to the business of IT efforts.


IT project funds are shrinking. Are you concentrating in the area that will return results to the bottom line of the business and keep your paycheck coming? Re-evaluate your priorities now – concentrate on those projects that will improve revenue; that will make you a superstar in the eyes of your management, and will solidify your job.


Prioritize and communicate to get the most value from all the hard work that you do. According to survey results, only 10% of CIO’s say that they did an excellent job of communicating the value of their IT assets to their bosses. If you performed a SAS70 audit, not only tell your customers, but make your internal management aware of it, as it should strengthen your network security internal controls. CIO’s should form an alliance with CFO’s to communicate the business value of the core IT assets and the projects completed within the year. Make efforts to let the Board, Management and other stakeholders aware of your hardwork and that are critical to survival of the business and quantity the net return that these IT projects bring to the organization. Scorecards work best to quickly identify areas of accomplishments, areas in process, and future plans. I use a similar technique to communicate to the audited the SAS70 audit process, results, issues and deadlines. What other methods do you use? Do you plan on cutting or adding to your IT budget for 2008 an 2009?


TAGs: DataCenter, Budgeting, Business/IT alignment, Career development, CIO,


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: