SAPLIB

SAS 70 Environmental Controls Security Examination Audit

admin — Sat, 18 Sep 2010 10:00:56 +0000

The environment of the data center will come under scrutiny as well. Not only will the auditors examine the physical access controls to the data center but they will also examine the suitability of the data center to house sensitive information and systems. As such the following items are examined
- The structure of the walls, ceiling, and floor
- The security of the wiring
- Fire suppression
- Environmental controls
- Power

The auditors will look for ways of using the lack of controls to either access sensitive areas or information and the ability of the systems to continue to function during adverse conditions.

SAS 70 Logical Access Controls Security Examination Audit

admin — Sat, 18 Sep 2010 10:00:07 +0000

Logical access controls determine which individuals have access to what information. Some of the items examined here are mechanisms in place on computer and network systems and some pertain to the overall architecture of the offerings provided by the organization. Some of the items that will be investigated include
- Individuals who have access to client information
- Individuals with privileged access to network devices such as firewalls and routers and computer systems
- Appropriateness of individual access to job function
- Appropriateness of user management procedures to identify dormant and unused accounts and to determine individual access
- Restriction of customer access to prevent the sharing of information
- Mechanisms in place to prevent unauthorized access to client information (both with regard to other clients and employees)

The information that is necessary to evaluate these issues is not solely related to the controls on the computer systems. The auditors will need to understand the underlying architecture that separates sensitive information and the procedures used by the organization to manage user access effectively.

Security Clearance Levels in the United States

admin — Tue, 07 Sep 2010 22:05:22 +0000

Secret or Level 2 Clearance
A secret clearance (also known as ‘collateral secret’ or ‘ordinary secret’) is broadly similar to the UK SC clearance. There are a number of things that can complicate obtaining secret clearance:
- Residences in foreign countries
- Relatives outside the United States
- Significant ties with non-US citizens
- Bankruptcy and unpaid bills
- Criminal charges of any kind.

Poor financial history is the number-one cause of rejection and foreign activities and criminal records are also common causes for disqualification. A secret clearance requires an NACLC check. It must also be reinvestigated every 10 years (though, in practice, it tends to happen more often).

Top Secret or Level 3 Clearance
As you would expect, ‘Top Secret’ is the most stringent clearance. A top secret (TS) clearance is usually only given following a singlescope background investigation (SSBI). This will include independent investigation into the following:
- Citizenship;
- Education;
- Employment;
- References;
- Neighborhood and friends;
- Credit;
- Local agency checks;
- Public records.

Top secret clearances, in general, afford one access to data that directly affects national security or other highly sensitive data. There are far fewer individuals with TS clearances than secret clearances. A TS clearance can ake as few as 3-6 months to obtain, but more often it takes between six and 18 months and sometimes even up to three years. The SSBI must be renewed every five years.

Download Free Onapsis’ SAP Security In-Depth publication

admin — Fri, 11 Dec 2009 10:16:31 +0000

SAP Security In-Depth is a free technical publication leaded by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in the SAP security field, allowing all the different actors (financial managers, information security managers, SAP administrators, auditors, consultants and the general professional community) to better understand the involved risks and the techniques and tools available to assess and mitigate them.

Onapsis.com

Wireless LAN Security Policy Checklist

admin — Fri, 10 Jul 2009 22:52:16 +0000

Download Free Wireless LAN Security Policy Checklist
- Identify who may use WLAN technology in an company
- Identify whether Internet access is required
- Describe who can install access points and other wireless equipment
- Provide limitations on the location of and physical security for access points
- Describe the type of information that may be sent over wireless links
- Describe conditions under which wireless devices are allowed
- Define standard security settings for access points
- Describe limitations on how the wireless device may be used, such as location
- Describe the hardware and software configuration of all wireless devices
- Provide guidelines on reporting losses of wireless devices and security incidents
- Provide guidelines for the protection of wireless clients to minimize/reduce theft
- Provide guidelines on the use of encryption and key management
- Define the frequency and scope of security assessments to include access point discovery.

Download