Interface Online, Center for Information Technology (CIT)

November 25, 2003 [Number 228]


Recent Security Audits at the NIH Computer Center

Last June under the auspices of the HHS Office of Inspector General, a team of auditors from a private CPA firm undertook independent audits at the NIH Computer Center.

Titan, South, and EOS Systems Pass Type II Security Audit

Once again, CIT's Computer Center has earned SAS 70 Type II validation for its large application hosting systems—Titan, South, and EOS. The audit verified that these enterprise systems are suitable for hosting critical applications and highly sensitive data. For the sixth consecutive year, the auditors confirmed that the CIT systems under review met their stated security objectives.

What Is SAS 70?

Developed by the American Institute of Certified Public Accountants, SAS 70—short for “Statement on Auditing Standards No. 70”—is widely accepted by industry and governments around the world.

A Type II audit determines whether an organization's internal controls are suitably designed and operated effectively throughout the review period, by means of rigorous testing, examination of documentation, interviews with staff, and first-hand observation of security procedures. The auditors carefully examined all security-related aspects of the NIH Computer Center, including:

    data security

    disaster recovery

    physical security

    management controls

    organizational structure

    risk management

    communication with staff

    security investigation process

    change control practices for hardware and software

    monitoring of control policies and procedures

What Does This Mean to Our Customers?

With the SAS 70 Type II validation of our controls for the enterprise systems, customers can be confident that the controls protecting their data were in place and operated effectively throughout the audit period. Moreover, they will not have to incur the expense of their own audit to verify the security of system software and facilities; the independent auditors' report can be relied on instead. In short, SAS 70 validation gives our customers peace of mind and saves them money.

The NIH Computer Center's OS/390 and Unix hosting environment is suitable for any type of application—especially critical applications and those with highly sensitive data, such as financial programs and confidential records. Security controls for our application hosting services meet the HHS requirements for protecting data and applications having level 3 (sensitive, unclassified) security designations. The NIH Computer Center hosts many large applications from within NIH, HHS, and other government agencies.

SAS 70 Type I Audit of Windows Servers

In June 2003, the team of auditors also conducted a SAS 70 Type I audit of Windows servers at the NIH Computer Center. The audit covered all of CIT's Windows servers—including Exchange, Web, application hosting, and database servers.

A Type I audit is done at one point in time to verify that service controls are in place and that the controls are suitably designed to achieve specified control objectives. Auditors issued a general statement to CIT that both criteria were satisfied.

Windows servers will be subject to a SAS 70 Type II audit next year.

Published by Center for Information Technology, National Institutes of Health