About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years' experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting, and in enterprises ranging in size from $50M to $20B in revenue. Scott's experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is an expert in ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Friday, August 31, 2012

SAS70 or SSAE 16 Type II

How many times have you asked your service provider to give you a copy of their latest SAS70 Type II audit?  We wouldn't be doing our job if we didn't look for a clean SAS70 audit report. 

As we become more global, and work with international service providers, perhaps we need to stop asking for the SAS70 and start asking for a copy of the SSAE 16 (SOC 1) audit report.  Are you familiar with this report?  It became effective as of June 15, 2011.

Here is a great website to take a look at and study.  http://www.ssae-16.com/ssae-16-type-ii/ .  Really pay attention to who needs this report.  Data center and co-location customers - pay attention, this report is essential for you to get from your provider. 

There are 3 types of SOC Report:

    SOC 1 Report - The SOC 1 Report is a report on controls at a service organization relevant to user entities' internal control over financial reporting.

    SOC 2 Report - The SOC 2 Report is a report on controls at a service organization relevant to non-financial controls.

    SOC 3 Report - Similar to a SOC 2 Report, a SOC 3 Report is a report on controls at a service organization relevant to non-financial controls.

SSAE 16 is an improvement on the current standard for Reporting on Controls at a Service Organization, the SAS70, with some changes that will help bring your service provider company, and the rest of the provider companies in the US, up to date with the new international service organization reporting standard, ISAE 3402.  What I like is the improved clarity, risk assertion, and documentation.

One recommendation: it can be overwhelming.  If you are undertaking these types of audits as a service provider, make sure that you have a real business case to do it.  Are your customers demanding it?  Do you have public companies that require it?  It takes a long time, great effort, and expense to complete these types of reports.

So as a customer, asking for these types of reports from my service provider, should I pay to receive this audit report?  Would that help offset the cost(s) or is it the cost of doing business? 

I know as a CIO, responsible for my company data, applications, and services being provided by a 3rd party - I would demand seeing a clean report. 

Take the time to read up on the SSAE 16 reports.  I think you will be pleased with the reports. 

Keep it positive!

Scott Arnett
scott.arnett@charter.net




Thursday, August 30, 2012

VMWare - New CEO

VMware CEO Paul Maritz steps down and leaves behind a solid vision of IT Transformation.

I had the opportunity to meet Paul a few years back.  What impressed me most was his ability to relate to me as a customer and IT leader, and to share his vision of technology.  During our discussion it was not a sales pitch on VMware products, but focused on the technology, trends and reaching virtualization.

Mr. Maritz long held a vision of cloud computing in which virtualization was just a part of that overall vision: the transformation of IT to automation, agility and efficiency.  I appreciated his view that this transformation is both infrastructure and application.

Pat Gelsinger has some big shoes to fill.  While it is true that he has some family history from his days at EMC, the question is whether he shares the same vision.  Time will tell, but from my experience with both these gentlemen, Pat does not have the same passion, fire or drive for the technology.

The next few years will be key to their success as cloud and virtualized technology continues to mature. In an ideal world, we no longer need to order some specialized hardware, then hire a consultant to install it and program the device in its specialized language.  Instead, we'll simply define an application and all of the resources that it needs, including all of its compute, storage, networking and security needs, then group all of those things together to create a logical application. There's work ahead, but I see the Software-Defined Data Center as enabling this dramatic simplification. I am ready for the transformation!

That leads to the next topic we should discuss soon, and that is the continued proliferation of client devices coming into the enterprise.  The borders and structure of company IT shops are quickly changing.  Paul understood that and was instrumental in pushing technology to deliver on that vision.

I wish him well, and much success.  My hat is off to him for a job well done at VMware.

Keep it positive!

Scott Arnett
scott.arnett@charter.net





Friday, August 24, 2012

Smart Phone Payments - Ready?

Remember when credit cards first came out, boy everyone was excited and some even went crazy with them.  Now, are we on the edge of another significant change in how we make purchases?  Moving even farther away from good old cash, the mobile payment era is here and picking up speed. 

Are we ready for this though?  Are consumers ready?  Are companies ready?  How about security around this?  Online security, transaction security - how about if I leave my smartphone on the table at Starbucks?  Many good questions, but are we ignoring the risks?  This mobile payment process is moving forward regardless.

The biggest move ahead could occur in September, when Apple is widely expected to embrace a mobile payment scheme with its next-generation iPhone.

Google Wallet, meanwhile, is nearly a year old. And the Isis consortium of three U.S. carriers could officially launch its first mobile payment network in Austin and Salt Lake City any day now. So with all this effort, where are the details around the security of these services?
 
Starbucks, Dunkin Donuts and others are taking image shots of your smartphone screen - much like a debit card transaction.  Is that better? 
 
Various other mobile payment approaches have recently emerged, including the Merchant Customer Exchange, a mobile payments network announced Aug. 15 that will rely on smartphones and some unnamed technology. The founders include retail heavyweights Best Buy, Walmart, Target and 7-Eleven.

With so many new mobile payment systems surfacing, analysts say they could pose too many choices and will only confuse the buying public. Since the U.S. already has a number of credit card options, including Visa, MasterCard, American Express and Discover, some users won't be motivated to try another payment option linked to a smartphone.

I go back to how secure this service is.  You have a physical device prone to being lost, forgotten or stolen.  You have transactions taking place on an unsecured device with an unknown service provider.  I think we need more information around the security of this payment option.  I would like to see some standards established, some vulnerability assessments done, and safeguards put in place.  I know I won't be signing up anytime soon.

To answer the first question - are we ready?  Consumers in certain age groups and demographics perhaps are, but I don't think the service providers are ready, nor is the security posture of such a service.

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Tuesday, August 21, 2012

Cloud Computing Myths

Hello IT Professionals.  I have been getting a great deal of email to get this blog back to daily activity.  I will do my best to post more frequently.  I enjoy the emails though, and the humor in them.  Always welcome. 

I did want to take a few moments to talk about Cloud Computing Myths - as I see so much activity around cloud, there are some pot holes along the way.  Here are a few of the big myths you need to be aware of:

Myth one: the public cloud is the most inexpensive way to procure IT services!

I hate to burst anyone's bubble on this one, but if you are going to the cloud only to cut costs, you will be disappointed.  A characteristic of the public cloud is a relatively inexpensive “pay-as-you-use” model. For example, the starting price for standard on-demand instances with the Amazon EC2 Web service is less than a dime per hour based on system size, operating system, and locale. It’s easy to see why people think all delivery from the public cloud is cheaper than that delivered by internal IT.

However, if you look under the covers, the picture changes.  In fact, for resources that are needed constantly, enterprises can actually reduce costs by leveraging other cloud models, such as shared services delivered by a private cloud.  How about a hybrid model that meets peak demands, yet offers a more cost-efficient solution?

My recommendation to fellow CIOs has always been to sit down with the Architecture and Strategy teams and build a plan.  At the core of cloud computing is having a strategy.  Whether you're using a public cloud service, building a private cloud, or taking a hybrid cloud approach, you need to have your specific requirements incorporated into a well-developed cloud strategy.  It's not a simple exercise, as the cloud roadmap must address all aspects of your performance, security, control, and availability requirements.  But wait, we are missing a key element to all of this - and many of us do it.  The business needs what?  What business capability do we need to support?  How will our cloud strategy support the business?  What new capability can we deliver to the business with a cloud solution?

Let's make sure we are looking at new technology that will deliver value to the business, and not follow a trend. 

Next, I will talk on Cloud Myth #2 - Critical Applications can't be in the cloud.  Come back again to read on that myth.

Keep it positive!

Scott Arnett