Security Basics mailing list archives
Re: SAS70
From: Diego Kellner <dkepler () gmail com>
Date: Tue, 17 May 2005 13:30:45 -0300
I've been involved in some SAS70 audits, and as H. Carvey says, the nature of the controls to be audited depends on what the auditor, or the one requesting the audit, has agreed the controls should be. It is also true that most of the audit relies (heavily) on documentation and infosec processes... so no matter what you do on a regular basis, did in the past, or plan to do in the future, if there's no evidence, you do nothing.

Regards,
Kepler

On 17 May 2005 19:54:39 -0000, H Carvey <keydet89 () yahoo com> wrote:

> In-Reply-To: <20050516213837.8981.qmail () mail securityfocus com>
>
> Steve,
>
> > Recently, I have been tasked with assisting a company with preparing their network for a SAS70 audit.
>
> I would suggest to you that it would be better in the eyes of the auditors if you had a process for security/vulnerability management in place, rather than saying that "we scanned our network and fixed the problems we found."
>
> Also, I know that this is going to be like someone running fingernails down a chalkboard to many, but the key to these things is documentation. If you don't have the documentation, you can't say (a) "we do that", or (b) "we did that".
>
> H. Carvey