Interface Online, Center for Information Technology (CIT)

December 17, 2001 [Number 221]


Annual Audit Confirms Security of Titan, South, and EOS Systems

Once again, the annual security audit of the NIH Computer Center systems—OS/390 (Titan, South) and Unix (EOS)—has confirmed that CIT provides a computing environment suitable for critical applications and highly sensitive data. Ernst & Young LLP, independent auditors, under the direction of the DHHS Office of Inspector General (OIG), conducted a SAS 70 "Type II" security audit of Titan, South, and EOS for the period from October 1, 2000, through September 30, 2001. The auditors found that CIT’s controls for all three are suitably designed, implemented, and managed to reasonably ensure that all security objectives are achieved.

SAS 70 is an auditing standard established by the American Institute of Certified Public Accountants. SAS 70 reviews verify that controls are in place as stated in the documentation for the system under review, and "Type II" indicates that the controls are actively challenged and tested by the auditor. Industry and government accept these standards as a means for assuring application owners that a service organization’s systems are operated to adequately protect sensitive information from unauthorized disclosure or modification.

The SAS 70 audit was conducted to verify that the following control objectives were met:

  • access to production programs and data files of the applications hosted on CIT computers is restricted to authorized individuals and programs
  • adequate consideration is given to minimize the effect of a disaster and intermittent disruptions on the processing of user data
  • all changes to operating systems software are authorized, properly tested, reviewed, approved, documented, and implemented
  • physical access—to the machine room housing the computers and operation of the computers and related processing equipment—is restricted to appropriately authorized personnel

The final SAS 70 Report is being reviewed by Ernst & Young management, after which it will be forwarded to DHHS OIG. The final report is expected to be available in December. The report contains sufficient information to certify that Titan, South, and EOS are operated at DHHS Security Level 3.

Published by Center for Information Technology, National Institutes of Health