Security Basics mailing list archives

Re: SAS70


From: H Carvey <keydet89 () yahoo com>
Date: 17 May 2005 19:54:39 -0000

In-Reply-To: <20050516213837.8981.qmail () mail securityfocus com>

Steve,

> Recently, I have been tasked with assisting a company with preparing their
> network for a SAS70 audit.  Unfortunately, I am not very familiar with the
> requirements for SAS70.  I have done some searching, but have found very
> limited information on what this audit covers.  I know that it is primarily
> a financial audit including information systems, but other than that, I have
> not been able to find any useful information.
>
> I am sure that the network currently has security issues, but I am concerned
> with whether the issues I see are critical to fix prior to the SAS70 audit.
> Any information on what this covers would be greatly appreciated.

Unfortunately, I don't think you'll find any.  I've dealt with SAS-70 audits, and the exact nature of the examination 
of "controls" as they apply to the IT infrastructure varies based on the auditor or auditing organization.  In addition, 
it will also vary based on the IT infrastructure itself...hosted data center, internal network, etc.

I would suggest to you that it would be better in the eyes of the auditors if you had a process for 
security/vulnerability management in place, rather than saying that "we scanned our network and fixed the problems we 
found." 

Also, I know that this is going to be like someone running fingernails down a chalkboard to many, but the key to these 
things is documentation.  If you don't have the documentation, you can't say (a) "we do that", or (b) "we did that".

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
