Penetration Testing mailing list archives
Re: [PEN-TEST] SAS70; the process and merit thereof?
From: Kevin Flynn <mailtech2 () YAHOO COM>
Date: Wed, 27 Sep 2000 11:25:28 -0700
<$0.02) I've performed a few SAS70 reviews over the past few years. The primary purpose of them is to have an independent auditor perform tests, or agreed upon procedures (AUP), necessary to issue an opinion as to the security and/or performance of a particular system or entity. For example, each year Sungard Recovery Services (provider of hot-site disaster recovery services) engages an outside auditor to issue an opinion as to whether the Sungard facility properly adheres to the claims it makes to the public. Outside auditors perform a review and issue a SAS70 report at the end that provides the opinion, as well as the tests that were performed to arrive at that opinion.

Tests that are performed for SAS70s are usually a lot more extensive than those performed with an ICSA certification. Many SAS70s in the financial world do require many AUPs that govern security. It's my own experience that penetration tests by themselves are only able to satisfy a small number of the tests. Most tests really require a more in-depth vulnerability assessment of the network architecture and underlying operating systems. The opinion that results from a SAS70 review is supposed to be fairly reliable. Typically the testing that must take place is fairly extensive. </$0.02)

--- Craig Anderson <craig () XTIME COM> wrote:
> Helu,
>
> This is a little off the subject of general penetration testing, but I think it still falls under the general awareness of the pen-testing crowd. Is anyone familiar with the process of attaining SAS70 certification (Statements and Accounting Standards) that is used to 'label' an infrastructure sufficiently secure to perform online financial transactions? More importantly, is this just another semi-worthless 'stamp' of approval, a la ICSA (not to offend anyone.. my opinion though)? Also, has anyone been asked to verify the set of requirements this entails in addition to a penetration test?
>
> Thanks in advance,
> -- Craig