Penetration Testing mailing list archives

Re: [PEN-TEST] SAS70; the process and merit thereof?


From: Kevin Flynn <mailtech2 () YAHOO COM>
Date: Wed, 27 Sep 2000 11:25:28 -0700

<$0.02)
I've performed a few SAS70 reviews over the past few
years.  The primary purpose of them is to have an
independent auditor perform tests, or agreed upon
procedures (AUP) necessary to issue an opinion as to
the security and/or performance of a particular system
or entity.  For example, each year Sungard Recovery
Services (provider of hot-site disaster recovery
services) engages an outside auditor to issue an
opinion as to whether the Sungard facility properly
adheres to the claims it makes to the public.  Outside
auditors perform a review and issue a SAS70 report at
the end that provides the opinion, as well as the
tests that were performed to arrive at that opinion.
Tests that are performed for SAS70s are usually a lot
more extensive than those performed with an ICSA
certification.

Many SAS70s in the financial world do require many
AUPs that govern security.  It's my own experience
that penetration tests by themselves are only able to
satisfy a small number of the tests.  Most tests
really require a more in-depth vulnerability
assessment of the network architecture and underlying
operating systems.

The opinion that results from a SAS70 review is
supposed to be fairly reliable.  Typically the testing
that must take place is fairly extensive.
</$0.02)


that are specified to

--- Craig Anderson <craig () XTIME COM> wrote:
Helu,

  This is a little off the subject of general
penetration testing, but I
think it still falls under the general awareness of
the pen-testing crowd.

  Is anyone familiar with the process of attaining
SAS70 certification
( Statements and Accounting Standards ) that is used
to 'label' an
infrastructure sufficiently secure to perform online
financial
transactions?

  More importantly, is this just another
semi-worthless 'stamp' of
approval, a la ICSA ( not to offend anyone.. my
opinion though )?

  Also, has anyone been asked to verify the set of
requirements this
entails in addition to a penetration test?



Thanks in advance,

-- Craig


