Security Basics mailing list archives
RE: SAS70
From: "Steve Fletcher" <safletcher () insightbb com>
Date: Mon, 23 May 2005 01:22:35 -0500
I know exactly what you mean! The idea that you can choose what you are audited on just seems bizarre to me. You either follow standard practices or you don't. It's that simple. But, that apparently is not how this works.

Thank you for the information. It helps a lot. And, it helps that I have gotten some more information from the customer, including a preliminary audit that was done before I came in. That, combined with the information I have gained from people such as yourself, has helped IMMENSELY to get a better idea of what I need to do.

Thanks for the help,

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com

________________________________________
From: JOHN FORRISTEL [mailto:counteroffense () sbcglobal net]
Sent: Tuesday, May 17, 2005 9:42 AM
To: Steve Fletcher; 'Security-Basics'
Subject: Re: SAS70

Steve,

The SAS70 audit is all about the controls that you have in place and the logs that are generated. This concept was hard for me to wrap my tiny brain around. They don't care that you are doing something; they care if there is a policy/procedure and that you are following it.

For example, they know you have a firewall, and that it is properly configured. "Do you test it? When? Show me the logs of you doing this. Show me the written procedure that outlines the test." It is very different from any other IT audit I've seen.

They will want screen shots of your Active Directory Policies to show that users are forced to change their passwords. They will want to see any controls you have in place to keep developers out of production data. They want to see email retention policies and proof that you are following it. They want to see logs of IDS detections, and what the policy is for handling them. The policy can say, "Inform the VP and Prez of the company, law enforcement, etc." They want to know how you go about checking the IDS logs, and where the logs are stored.

Make sure the site has backup and restore tests logged, and that there are procedures for the actual backups and offsite storage. They may want to visit the offsite storage place. Again, it's all about the paper trail that shows proof that you are doing everything you say you are doing.

Side note: They didn't do any checking of our network at my site. I was thinking that that was coming, but it didn't. In fact, when I showed them the Snort filters that I had written, they looked confused. The UNIX scripting that logs user access was beyond them; they just wanted to see that it was being done and checked.

John

Steve Fletcher <safletcher () insightbb com> wrote:

I am not sure if this is the correct list for this or not, but I thought I would try this list first. Recently, I have been tasked with assisting a company with preparing their network for a SAS70 audit. Unfortunately, I am not very familiar with the requirements for SAS70. I have done some searching, but have found very limited information on what this audit covers. I know that it is primarily a financial audit including information systems, but other than that, I have not been able to find any useful information. I am sure that the network currently has security issues, but I am concerned with whether the issues I see are critical to fix prior to the SAS70 audit. Any information on what this covers would be greatly appreciated.

Thanks,

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com
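The recurring point in John's reply is that the auditor wants a paper trail: a record that the firewall test, the IDS log review and the restore test were actually performed, by whom, when, and with what outcome. The following is an added example (not code from the thread or from either poster) of one way to keep such a record in a form that is hard to quietly edit after the fact: each control-test entry is hash-chained to the previous one, so altering or reordering an earlier entry breaks verification. It also includes a small parser for Snort "fast" alert lines to produce the kind of summary an IDS review entry would cite. The control names (FW-01, IDS-02, BK-03), the operator names, the sample alert lines and the Snort fast-format regex are all constructed assumptions for the demo.

```python
"""Hash-chained evidence log for control tests (added example; not from the thread)."""
import hashlib
import json
import re
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # "previous hash" for the first entry


def _entry_hash(prev_hash, body):
    # Canonical JSON (sorted keys, no whitespace) so the hash does not depend on dict order.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def record_control_test(log, control, operator, result, evidence, when=None):
    """Append one control-test record to `log` (a list of dicts), chained to the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS_HASH
    body = {
        "ts": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "control": control,
        "operator": operator,
        "result": result,
        "evidence": evidence,
        "prev": prev,
    }
    entry = dict(body, hash=_entry_hash(prev, body))
    log.append(entry)
    return entry


def verify_log(log):
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS_HASH
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev or _entry_hash(prev, body) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, -1


def dump_log(log):
    """One JSON object per line; suitable for an append-only file."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in log)


def load_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Assumed shape of a Snort "fast" alert line:
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
SNORT_FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\].*?\[Priority: (?P<prio>\d+)\]"
)

# Constructed sample alerts for the demo (not real IDS output).
SAMPLE_ALERTS = [
    "05/17-09:40:12.000001  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51234 -> 10.0.0.5:22",
    "05/17-09:40:13.000002  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51235 -> 10.0.0.5:22",
    "05/17-09:41:00.000003  [**] [1:1000002:1] LOCAL outbound SMTP from workstation [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.0.77:4432 -> 198.51.100.3:25",
    "this line is not an alert and must be ignored",
]


def summarize_snort_alerts(lines):
    """Count alerts per (gid:sid:rev, message, priority); non-matching lines are skipped."""
    counts = {}
    for line in lines:
        m = SNORT_FAST_RE.search(line)
        if not m:
            continue
        key = (m.group("sid"), m.group("msg"), int(m.group("prio")))
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_demo_log():
    """Three chained entries: firewall test, IDS review, restore test (constructed data)."""
    log = []
    record_control_test(log, "FW-01 quarterly firewall ruleset test", "it-admin", "pass",
                        "ruleset diff reviewed; external scan shows only 25/tcp and 443/tcp open",
                        when="2005-05-17T14:00:00+00:00")
    alerts = summarize_snort_alerts(SAMPLE_ALERTS)
    prio1 = sum(n for (_, _, p), n in alerts.items() if p == 1)
    record_control_test(log, "IDS-02 daily Snort alert review", "it-admin", "escalated",
                        f"{sum(alerts.values())} alerts across {len(alerts)} signatures; "
                        f"{prio1} priority-1 alerts escalated per incident policy",
                        when="2005-05-18T09:00:00+00:00")
    record_control_test(log, "BK-03 monthly restore test", "it-admin", "pass",
                        "restored /home from offsite tape set; checksums matched source",
                        when="2005-05-19T16:30:00+00:00")
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print(dump_log(demo), "chain intact:", verify_log(demo))
```

The chain catches modification or reordering of any entry that has a successor, which is the case the auditor's "show me the log" question is really probing. It does not by itself catch removal of the newest entries, so in practice the latest hash should be anchored somewhere the operator cannot rewrite (e.g. included in the periodic report sent to management). The regex assumes Snort's fast alert format; a different output plugin needs a different parser.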
Current thread:
- SAS70 Steve Fletcher (May 16)
- Re: SAS70 routerg (May 18)