Security Basics mailing list archives
Re: SAS70
From: H Carvey <keydet89 () yahoo com>
Date: 17 May 2005 19:54:39 -0000
In-Reply-To: <20050516213837.8981.qmail () mail securityfocus com>

Steve,

> Recently, I have been tasked with assisting a company with preparing their network for a SAS70 audit. Unfortunately, I am not very familiar with the requirements for SAS70. I have done some searching, but have found very limited information on what this audit covers. I know that it is primarily a financial audit including information systems, but other than that, I have not been able to find any useful information. I am sure that the network currently has security issues, but I am concerned with whether the issues I see are critical to fix prior to the SAS70 audit. Any information on what this covers would be greatly appreciated.
Unfortunately, I don't think you'll find any. I've dealt with SAS-70 audits, and the exact nature of the examination of "controls" as they apply to the IT infrastructure varies based on the auditor or auditing organization. In addition, it will also vary based on the IT infrastructure itself...hosted data center, internal network, etc. I would suggest to you that it would be better in the eyes of the auditors if you had a process for security/vulnerability management in place, rather than saying that "we scanned our network and fixed the problems we found."

Also, I know that this is going to be like someone running fingernails down a chalkboard to many, but the key to these things is documentation. If you don't have the documentation, you can't say (a) "we do that", or (b) "we did that".

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
Current thread:
- SAS70 Steve Fletcher (May 16)
- Re: SAS70 routerg (May 18)