Penetration Testing mailing list archives
Re: [PEN-TEST] SAS70; the process and merit thereof?
From: Tom Litney <Tom.Litney () NET-RELIANCE COM>
Date: Wed, 27 Sep 2000 09:30:57 -0700
Craig,

Ok I'll take a stab at this though I'm no expert. A SAS70 is a public statement by an independent third party audit firm that states that the controls someone claims are in place actually are in place. This gives the public (or customers) who will never have access to an internal audit the warm and fuzzies that controls are as they claim. Therefore, you should require a SAS70 of anyone you may be planning on doing business with who has access or control of some of your sensitive data. But because it is a public audit, it tends to be high level. You probably would not want the results of a pentest to be made public so that is usually never included in a SAS70 audit.

Tom

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Craig Anderson
Sent: Tuesday, September 26, 2000 8:32 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] SAS70; the process and merit thereof?

Helu,

This is a little off the subject of general penetration testing, but I think it still falls under the general awareness of the pen-testing crowd.

Is anyone familiar with the process of attaining SAS70 certification ( Statements and Accounting Standards ) that is used to 'label' an infrastructure sufficiently secure to perform online financial transactions? More importantly, is this just another semi-worthless 'stamp' of approval, ala ICSA ( not to offend anyone.. my opinion though )? Also, has anyone been asked to verify the set of requirements this entails in addition to a penetration test?

Thanks in advance,
-- Craig