SAS Institute Inc.
2009 SysTrust Report

Period from November 1, 2008 through
September 30, 2009

Ernst & Young LLP
Suite 500
4130 ParkLake Avenue
Raleigh, NC 27612
Tel: +1 919 981 2800
Fax: +1 919 981 2997
www.ey.com



Report of Independent Accountants

The Board of Directors
SAS Institute Inc.

We have examined management’s assertion that SAS Institute Inc. (SAS), during the
period November 1, 2008 through September 30, 2009, maintained effective controls
to provide reasonable assurance that:

•   the ASP Network Environment (certain Information Technology General Controls
    related to the firewall, routers, hubs, bridges, and switches) was protected against
    unauthorized access (both physical and logical); and
•   the ASP Network Environment (certain Information Technology General Controls
    related to the firewall, routers, hubs, bridges, and switches) was available for
    operation and use, as committed and agreed

based on the AICPA/CICA Trust Services Security and Availability Criteria. This
assertion is the responsibility of SAS’ management. Our responsibility is to express an
opinion based on our examination.

Our examination was conducted in accordance with attestation standards established
by the American Institute of Certified Public Accountants and, accordingly, included
(1) obtaining an understanding of SAS’ relevant security and availability controls,
(2) testing and evaluating the operating effectiveness of the controls and
(3) performing such other procedures as we considered necessary in the
circumstances. We believe that our examination provides a reasonable basis for our
opinion.

Because of inherent limitations in controls, error or fraud may occur and not be
detected. Furthermore, the projection of any conclusions, based on our findings, to
future periods is subject to the risk that the validity of such conclusions may be
altered because of changes made to the system or controls, the failure to make
needed changes to the system or controls, or a deterioration in the degree of
effectiveness of the controls.





A member firm of Ernst & Young Global Limited
In our opinion, SAS’ management’s assertion referred to above is fairly stated, in all
material respects, based on the AICPA/CICA Trust Services Security and Availability
Criteria.

The SysTrust Seal on SAS’ Web site constitutes a symbolic representation of the
contents of this report and it is not intended, nor should it be construed, to update
this report or provide any additional assurance.



December 1, 2009




Report by Management on the Controls Over the ASP Network Environment (certain
Information Technology General Controls) Based on the AICPA/CICA Trust Services
Principles and Criteria for Security and Availability

For the Period November 1, 2008 through September 30, 2009

SAS Institute, Inc. maintained effective controls over the security and availability of the ASP
Network environment to provide reasonable assurance that:

•   the ASP Network environment (certain Information Technology General Controls related to
    the firewall, routers, hubs, bridges, and switches) was protected against unauthorized access
    (both physical and logical); and
•   the ASP Network environment (certain Information Technology General Controls related to
    the firewall, routers, hubs, bridges, and switches) was available for operation and use as
    committed and agreed

during the period November 1, 2008 through September 30, 2009, based on the AICPA/CICA
Trust Services™ Security and Availability Criteria established by the American Institute of
Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants
(CICA).

Our attached System Description of the ASP Network environment (certain Information
Technology General Controls) summarizes certain aspects of the Systems covered by our
assertion.


Mr. Donald Parker
Chief Financial Officer
SAS Institute, Inc.


Ms. Suzanne Gordon
Chief Information Officer
SAS Institute, Inc.


Dr. James Goodnight
Chief Executive Officer
SAS Institute, Inc.



December 1, 2009
SAS Institute Inc.
ASP Network Environment System Description


System Description of the SAS Institute Inc. Controls Over the ASP Network
Environment Based on the AICPA/CICA Trust Services Principles and Criteria
for Security and Availability

A. Overview of Operations

   SAS Institute Inc. (SAS or the Company) Information Technology Services (ITS) is
   dedicated to providing secure computing and network services for the Application
   Service Provider (ASP) environment. The SAS ASP Service Offering is part of SAS’
   growing business model. SAS ASP Services offer the use of selected SAS products
   on a subscription basis, with data acquisition, storage, analysis, and results
   transmission all housed at SAS. The ASP model supports different sectors of the
   SAS software product lines, and therefore the available product and/or solutions
   have the option to move to the subscription service model.

   The ASP IT Infrastructure environment supports multiple applications, each of
   which provides application specific services. The purpose of this report is to
   identify and document the controls within the ASP IT Infrastructure environment,
   which supports the multiple applications residing within the ASP environment.
   Specifically, this report pertains to the controls regarding the data center physical
   security and environmental safeguards, logical access, and change management to
   the network devices. This report does not cover the operating systems, software,
   or transaction processing of the applications being supported by the ASP Network
   environment.

B. Control Environment

   1. SAS’ Organizational Structure

   The ASP environment, specifically the infrastructure environment, is supported by
   the Information Systems Division (ISD) on behalf of business units that are
   organizationally separate from ISD. The organizational chart in Figure 1 shows the
   relationships among the principal groups that manage and/or benefit from the ASP
   environment. ITS is the ISD department committed to maintaining a scalable, high
   performance computing infrastructure with a focus on availability and security.
   ITS’ primary role is to design and implement a robust ASP Infrastructure, through
   the use of SAS’ IT management product offerings like IT Resource Management
   and IT Service Level Management.


   ITS researches and deploys current computing hardware and software when it
   makes good business sense for the ASP environment. ITS focuses on IT Security
   and Continuity of Business to help protect the ASP environment’s assets and the
   productivity of ASP solutions. ITS works with each Application team within the ASP
   environment and the IT Governance Council (ITG) to align its activities with SAS’
   business priorities and continue to provide superior services and support.




Figure 1 – SAS Organization as Related to the ASP environment

   2. Management Control

   The organization has a formal management information and reporting system that
   enables management to monitor key control and performance measurements.

   Adherence to the goals of management is monitored through use of the ISD
   scorecard, which has been implemented to quantitatively measure the trends for
   the goals and objectives. The scorecard is reviewed by ISD executives and
   discussed during ISD Department Head meetings.



   3. Controls Related to Personnel

   SAS has a formal hiring process designed to help ensure that new employees are
   qualified and able to complete their job responsibilities. Each job candidate is
   interviewed by SAS personnel within the employing department to determine if
   background and experience is appropriate for the job function. Additionally,
   background checks are performed and references are checked prior to hiring new
   personnel.

   Employees who are involved in supporting the ASP environment are trained in their
   respective areas of expertise. Network and system engineers are encouraged to
   achieve certifications from vendors and independent certification organizations.
   The Global Information Security (GIS) group has Certified Information Systems
   Security Professionals (CISSP), and individuals with
   SysAdmin/Audit/Network/Security (SANS) certifications. SAS ASP employees are
   also required to attend annual training on ASP Policies & Procedures.

   4. Internal Audit

   There is an internal audit group in the General Administration Office, reporting to
   the Chief Administration Officer. They are responsible for governance with respect
   to financial operations at the corporate level. The GIS group provides some audit
   functions to meet the needs of some ASP customers.

C. Risk Assessment

The GIS group is responsible for providing Risk Assessment services, specifically
focused around security threats, for SAS. Additionally, the GIS team evaluates known
vulnerabilities and risk, which would adversely affect the availability and security of
the ASP environment. The International Business Machines’ (IBM) X-Force Internet
Risk Assessment service is used daily to measure the potential impact of current
threats on SAS.

An individual from GIS reviews and assesses the daily reports provided by IBM, and
distributes information to parties responsible for managing potentially affected
resources, including the ASP Systems Support Managers, and the ASP Hosting
Manager. The GIS team follows-up on all threats that are considered critical and
makes sure the risk has been mitigated within a reasonable period of time. All
correspondence associated with the Risk Assessment process is logged in an
Exchange Public Folder.

D. Monitoring

ISD has implemented a program, “P3,” to measure and align activities and completion
of objectives throughout the year. Each department has identified objectives within
the ISD Scorecard and they are reviewed in a variety of ways, including:

•   Existing and planned projects are integrated into the objectives,
•   During the weekly ISD Department Heads’ meeting, an informal review of leading
    projects and outlier situations is conducted,
•   Measurements from these objectives are developed into the ISD Scorecard, using
    SAS Strategic Performance Management (SPM), and
•   During one-on-one meetings with the CIO, goal attainment and barriers to success
    are discussed.

The organization has implemented the program to monitor and review compliance
with objectives set by the organization.

E. Information and Communication

       1. Policies and Procedures

       All information regarding the ASP operation is documented on-line, and is
       available via the internal SAS Intranet. Critical documentation for networks is
       also stored offline in the event of an incident that causes on-line access to be
       unavailable.

       2. Information Systems

       The Company’s ASP applications reside in a common ASP network environment,
       which is the scope of this report. The ASP network environment includes the
       physical environment supporting the hardware on which the applications reside
       as well as access to the physical environment. Additionally, the scope of the
       report includes controls the Company has implemented to restrict logical
       access to the network environment. Finally, this report focuses on controls
       related to changes made to devices within the network environment.




      3. Physical Security

      The ASP IT Infrastructure environment (the Environment) is physically located
      in the SAS data center on the SAS campus in Cary, NC. Like all buildings on the
      SAS campus, physical access is restricted to employees or third parties that
      have been issued badges by the SAS Security Department. Receptionists at the
      front door of each building are responsible for challenging anyone attempting to
      gain access to a building without displaying a SAS badge. Visitors or anyone
      without a SAS badge, are required to sign in, obtain a visitor badge, and be
      escorted by a badge holder.

      SAS provides an unencumbered working environment for employees and
      contractors. Permitting physical access to a building doesn’t mean that all
      resources inside the building are also accessible. Additional physical security is
      enforced to specific areas within the building including the ASP environment.

      Once inside, badge holders must use their badges to gain physical access to the
      data center. Only employees and contractors that have responsibilities inside
      the data center have badges that permit access. Once inside the data center,
      access to the ASP environment is limited to IT support roles, and can only be
      authorized by the Data Center Operations (DCO) Manager and ASP Hosting
      Manager.

      Only escorted third parties may gain entry to the ASP environment and they are
      required to sign in and out each time they enter and exit the area. In order for
      unescorted third parties to gain entry to the ASP environment, they must be
      sponsored by someone that has badge access to the environment, or
      management of the IT support organization for which badge access has been
      granted. The sponsor must communicate their approval to the Data Center
      Operations staff, which will permit the use of a service badge by the third party.
      The service badge is signed in and out by the third party each time it is used,
      and it must be returned at the end of each business day. Unescorted third
      parties may escort other third parties, and they must sign in and out of the ASP
      area each time they enter and exit.

      The Data Center Operations group provides continuous coverage for all ASP
      systems and networks. Availability of ASP systems and networks is considered
      critical, which mandates constant monitoring of those resources. The
      Performance Enhancement Resource Center (PERC) provides the primary
      monitoring facility for ASP resources.

      4. Logical Access

      Logical access to system resources (for example, programs, data, tables, and
      parameters) is restricted to properly authorized individuals.

      Access controls for the ASP environment are baselined at the host and network
      level. Host access is restricted to employees that are designated to support the
      host operating system and host-based services, and employees that are
      designated to support the ASP application. Authorization for host and host-
      based services access is granted by the ASP Hosting Manager and the GIS
      group. Application support access authorization is granted by the ASP
      Application manager that is responsible for the application.

      Network access to the ASP environment from the SAS network is limited to
      application support personnel, network on-call personnel, and data center
      personnel. Logical access to network devices is limited to network on-call
      personnel. Each authorized person uses their own account and password to gain
      access to network devices. The naming conventions for the accounts and the
      complexity rules for their passwords are the same for network on-call personnel
      as for all other accounts at SAS. Those conventions and rules have been
      accepted by SAS as sufficient for protecting the assets of SAS, including those
      in the ASP environment, and are described below. Access to network devices in
      the ASP environment is managed by Terminal Access Controller Access
      Control System (TACACS), which provides logging of all access attempts, and
      command level logging. This provides assurance that all access to network
      devices is accounted for, down to the commands that are executed.
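Command-level accounting is only an assurance if the records are actually reviewed against the roster of who may log in. The script below is an added example, not part of the SysTrust report and not SAS’ own tooling: it parses a few constructed TACACS+ accounting lines (the tab-separated layout, the device and account names, and the on-call roster are all assumptions) and flags logins under generic accounts, logins by accounts not on the roster, and lists the state-changing commands attributable to each person on each device.

```python
"""Review TACACS+ command accounting against the network on-call roster.

Added example: not part of the SysTrust report and not SAS' own tooling.
The tab-separated record layout below is a constructed assumption that
loosely resembles the accounting files written by common TACACS+ daemons;
adapt parse_record() to the format your server actually writes.
"""
import re
from collections import defaultdict

# Constructed sample records: timestamp, device, user, tty, source IP,
# accounting action, then key=value attributes including the command run.
SAMPLE_ACCOUNTING = """\
Mon Nov 10 09:12:04 2008\tasp-rtr-01\tjsmith\ttty1\t10.20.1.15\tstop\ttask_id=101\tservice=shell\tcmd=show running-config
Mon Nov 10 09:13:40 2008\tasp-rtr-01\tjsmith\ttty1\t10.20.1.15\tstop\ttask_id=102\tservice=shell\tcmd=configure terminal
Mon Nov 10 09:14:02 2008\tasp-rtr-01\tjsmith\ttty1\t10.20.1.15\tstop\ttask_id=103\tservice=shell\tcmd=interface GigabitEthernet0/1
Mon Nov 10 11:02:17 2008\tasp-sw-02\tadmin\ttty2\t10.20.1.99\tstop\ttask_id=104\tservice=shell\tcmd=show version
Mon Nov 10 11:05:55 2008\tasp-sw-02\tmlee\ttty3\t10.20.1.22\tstop\ttask_id=105\tservice=shell\tcmd=write memory
"""

# Accounts the (constructed) on-call roster allows onto ASP network devices.
AUTHORIZED_ONCALL = {"jsmith", "mlee"}

# Shared or vendor-default names; their use breaks one-account-per-person accountability.
GENERIC_ACCOUNTS = {"admin", "root", "cisco", "netops"}

# Command prefixes that alter device state; "show" and similar are read-only.
CONFIG_PREFIXES = ("configure", "interface", "write", "copy", "reload",
                   "no ", "ip ", "access-list")

RECORD_RE = re.compile(
    r"^(?P<ts>[^\t]+)\t(?P<device>[^\t]+)\t(?P<user>[^\t]+)\t(?P<tty>[^\t]+)"
    r"\t(?P<src>[^\t]+)\t(?P<action>[^\t]+)(?:\t(?P<attrs>.*))?$"
)


def parse_record(line):
    """Parse one accounting line into a dict, or return None if it does not match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    attrs = rec.pop("attrs") or ""
    for field in attrs.split("\t"):
        key, _, value = field.partition("=")
        if key:
            rec[key] = value
    return rec


def parse_accounting(text):
    """Parse every well-formed line; unparseable lines are silently skipped."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def is_config_command(cmd):
    return cmd.startswith(CONFIG_PREFIXES)


def review(records, authorized=AUTHORIZED_ONCALL, generic=GENERIC_ACCOUNTS):
    """Return findings plus the state-changing commands attributed to each (user, device)."""
    findings = []
    config_commands = defaultdict(list)
    for r in records:
        cmd = r.get("cmd", "")
        if r["user"] in generic:
            findings.append(("generic-account", r["user"], r["device"], cmd))
        elif r["user"] not in authorized:
            findings.append(("unauthorized-user", r["user"], r["device"], cmd))
        if is_config_command(cmd):
            config_commands[(r["user"], r["device"])].append(cmd)
    return {"findings": findings, "config_commands": dict(config_commands)}


if __name__ == "__main__":
    result = review(parse_accounting(SAMPLE_ACCOUNTING))
    for finding in result["findings"]:
        print("FINDING", *finding)
    for (user, device), cmds in sorted(result["config_commands"].items()):
        print(f"{user}@{device}: {len(cmds)} state-changing command(s): {cmds}")
```

On the sample data the review raises one finding (the `admin` login on asp-sw-02, which cannot be tied to a person) and attributes the configuration commands on asp-rtr-01 to jsmith and the `write memory` on asp-sw-02 to mlee. The command-prefix list is deliberately conservative; a production version would take the prefixes from the device platform's command reference.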

      5. Password Requirements for SAS Accounts in Windows Active Directory

      Logical access to the ASP network devices requires the use of a unique user ID
      and password. Minimum length, password complexity requirements, maximum
      password age, account lockout duration, account lockout, minimum password
      age, and password history are enforced by Windows Active Directory.

      The ASP environment perimeter has a dedicated firewall installed that is
      designed to provide a barrier to traffic coming from the Internet and traffic
      coming from the SAS network. All firewall configuration changes are approved
      by the ASP Hosting Manager, and logged.




      An Intrusion Detection System (IDS) is in place to monitor incoming IP traffic,
      and alert on suspicious traffic. The IDS logs are reviewed by the Global
      Information Security (GIS) group on a regular basis.

      All change controlled modifications to ASP systems at the host, host services
      level, and network devices are approved by the ASP Hosting and GIS Manager
      prior to implementation. Once a change is approved, it is logged in the
      Production Environment Resource Center (PERC) and Management of
      Infrastructure Delivery, Availability, and Service (MIDAS) ASP Change
      Management application system. The Maintenance modifications to ASP
      systems at the host, host services, and on network devices (except routers and
      firewalls) do not require prior approval, but can only be performed by personnel
      that are authorized to by the ASP Hosting and GIS Manager. Maintenance
      modifications to ASP routers and firewalls require prior approval. Routers and
      firewalls require approval because they directly affect the access controls,
      while primitive devices, such as hubs and bridges, are subject to changes such as
      cabling into hub ports. Changes to the primitive devices are controlled by
      monitoring of change control documentation and physical access to the devices.
      All logical access changes are approved by the ASP Hosting Manager, GIS, and
      the appropriate ASP Systems Support Manager (for systems and systems level
      applications), and documented in the Management of Infrastructure Delivery,
      Availability, and Service (MIDAS) ASP Change Management application.

      6. Elevated privileges

      There is only one level of access to the ASP Network devices (All access). Only
      a limited number of network engineers who need such access in order to
      perform their ASP responsibilities receive such access.

      7. Systems Development and Conversion Methodology

      All changes are logged and tracked in the Production Environment Resource
      Center (PERC) and then tracked for approvals in the Management of
      Infrastructure Delivery, Availability, and Service application (MIDAS). The
      MIDAS ASP change management application manages all changes in the ASP
      hosting environment and is used to document all host and host service changes
      for ASP systems. Changes in state are approved by the ASP Hosting and GIS
      Manager, or the appropriate ASP Systems Support Manager. The ASP Hosting
      Manager is responsible for notifying all affected ASP Systems Support
      Managers of upcoming changes at the host or host services level. The ASP

      Systems Support Manager is responsible for testing all changes prior to making
      them available in their respective production application environments.

      SAS uses a scheduled outage calendar to control when non-emergency changes
      are made to the ASP environment. Scheduled outages are used to update
      operating systems and host services to maintain resistance to current, known
      threats to those platforms. Emergency changes are made to ASP systems and
      networks following emergency protocols, as documented in the ASP Policies
      and Procedures manual. The emergency protocol includes daily comparison of
      firewall settings to document and understand changes made, restricting access
      to the network environment (physically and logically), and monitoring of access
      versus change documentation.
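The daily comparison of firewall settings described above is a configuration-drift check: yesterday's and today's rule sets are diffed and every difference is matched to an approved change. The script below is an added example, not part of the SysTrust report and not SAS’ PERC or MIDAS tooling; the access-list syntax, the two snapshots and the change records are constructed assumptions. It reports differences covered by a ticket, differences nobody documented, and approved changes that are not yet visible on the device.

```python
"""Daily comparison of firewall rule snapshots against the approved-change record.

Added example: not part of the SysTrust report and not SAS' PERC or MIDAS
tooling.  The access-list syntax, the two snapshots and the change records
are constructed assumptions; real firewalls export configuration in their
own format, so parse_rules() is the part to adapt.
"""

# Constructed snapshot taken yesterday (note the extra spaces on one line,
# which the parser normalises so cosmetic differences do not show as drift).
YESTERDAY = """\
! asp-fw-01 running configuration (constructed)
access-list outside_in permit tcp any host 10.50.0.10 eq 443
access-list outside_in permit tcp any host 10.50.0.11 eq 443
access-list inside_in   permit tcp 10.20.0.0 255.255.0.0 host 10.50.0.10 eq 22
access-list outside_in deny ip any any
"""

# Constructed snapshot taken today: one approved addition and one that nobody logged.
TODAY = """\
! asp-fw-01 running configuration (constructed)
access-list outside_in permit tcp any host 10.50.0.10 eq 443
access-list outside_in permit tcp any host 10.50.0.11 eq 443
access-list outside_in permit tcp any host 10.50.0.12 eq 8080
access-list inside_in permit tcp 10.20.0.0 255.255.0.0 host 10.50.0.10 eq 22
access-list inside_in permit tcp 10.20.0.0 255.255.0.0 host 10.50.0.10 eq 3389
access-list outside_in deny ip any any
"""

# Constructed change records, as an approval log kept by the ASP Hosting Manager might list them.
APPROVED_CHANGES = [
    {"ticket": "CHG-0001", "device": "asp-fw-01",
     "add": ["access-list outside_in permit tcp any host 10.50.0.12 eq 8080"],
     "remove": []},
    {"ticket": "CHG-0002", "device": "asp-fw-01",
     "add": [],
     "remove": ["access-list outside_in permit tcp any host 10.50.0.11 eq 443"]},
]


def parse_rules(snapshot):
    """Return the set of access-list lines, whitespace-normalised, comments dropped."""
    rules = set()
    for raw in snapshot.splitlines():
        line = " ".join(raw.split())
        if line.startswith("access-list "):
            rules.add(line)
    return rules


def compare(old_snapshot, new_snapshot, changes):
    """Classify every difference between two snapshots against the change log."""
    before, after = parse_rules(old_snapshot), parse_rules(new_snapshot)
    added, removed = after - before, before - after
    approved_add = {r: c["ticket"] for c in changes for r in c["add"]}
    approved_rm = {r: c["ticket"] for c in changes for r in c["remove"]}

    report = {"documented": [], "undocumented": [], "unapplied": []}
    for rule in sorted(added):
        bucket = "documented" if rule in approved_add else "undocumented"
        report[bucket].append(("added", rule, approved_add.get(rule)))
    for rule in sorted(removed):
        bucket = "documented" if rule in approved_rm else "undocumented"
        report[bucket].append(("removed", rule, approved_rm.get(rule)))
    # Approved work that is not yet reflected on the device is worth knowing too.
    for rule, ticket in approved_add.items():
        if rule not in after:
            report["unapplied"].append(("add", rule, ticket))
    for rule, ticket in approved_rm.items():
        if rule in after:
            report["unapplied"].append(("remove", rule, ticket))
    return report


if __name__ == "__main__":
    for bucket, entries in compare(YESTERDAY, TODAY, APPROVED_CHANGES).items():
        for action, rule, ticket in entries:
            print(f"{bucket.upper():12} {action:8} {ticket or '-':9} {rule}")
```

On the constructed data the check finds the port 8080 rule covered by CHG-0001, the port 3389 rule on inside_in with no ticket at all (the finding that the daily review exists to catch), and the removal approved under CHG-0002 still pending on the device. Ordering of rules is ignored here; on platforms where rule order matters, compare ordered lists as well as sets.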

      8. Computer Operations

      All systems within the ASP environment operate with the express approval of
      the ASP Hosting Manager, and the appropriate ASP Systems Support Manager.
      Operational procedures executed by ASP Systems Support staff and DCO
      include the monitoring of system performance and availability via PERC.
      Escalation procedures for the ASP environment are included in the ASP Policies
      and Procedures Manual, and the DCO Operations Manual, and all DCO personnel
      are required to follow them.




Ernst & Young LLP
Assurance | Tax | Transactions | Advisory

About Ernst & Young
Ernst & Young is a global leader in assurance, tax,
transaction and advisory services. Worldwide, our
144,000 people are united by our shared values
and an unwavering commitment to quality. We
make a difference by helping our people, our clients
and our wider communities achieve their potential.
For more information, please visit www.ey.com.
