Penetration Testing mailing list archives

Re: [PEN-TEST] SAS70; the process and merit thereof?


From: Tom Litney <Tom.Litney () NET-RELIANCE COM>
Date: Wed, 27 Sep 2000 09:30:57 -0700

Craig,

   OK, I'll take a stab at this, though I'm no expert.  A SAS70 is a public
statement by an independent third-party audit firm that states that the
controls someone claims are in place actually are in place.  This gives the
public (or customers), who will never have access to an internal audit, the
warm and fuzzies that controls are as they claim.  Therefore, you should
require a SAS70 of anyone you may be planning on doing business with who
has access to or control of some of your sensitive data.  But because it is a
public audit, it tends to be high level.  You probably would not want the
results of a pentest to be made public, so that is usually not included in
a SAS70 audit.

   Tom

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Craig Anderson
Sent: Tuesday, September 26, 2000 8:32 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] SAS70; the process and merit thereof?


Helu,

  This is a little off the subject of general penetration testing, but I
think it still falls under the general awareness of the pen-testing crowd.

  Is anyone familiar with the process of attaining SAS70 certification
(Statements and Accounting Standards) that is used to 'label' an
infrastructure sufficiently secure to perform online financial
transactions?

  More importantly, is this just another semi-worthless 'stamp' of
approval, a la ICSA (not to offend anyone... my opinion though)?

  Also, has anyone been asked to verify the set of requirements this
entails in addition to a penetration test?



Thanks in advance,

-- Craig
