Security Basics mailing list archives

RE: SAS70


From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Wed, 18 May 2005 13:14:25 -0400

I would evaluate your organization based on ISO 17799/BS7799.  Those are
the general practices that are audited against and that most auditors
use as criteria.  You can also try looking at the isaca.org website.  They
might have something.  Also ref SAS No. 94.


The worst that you do is "over" audit your organization.  Better that
than under.  You may be surprised at what you find under general IT
controls.

Sonja L. Robinson, CISSP, CIFI, CISA, CISM
Forensic Specialist, Digital Investigations
HIP Information Security Group
Tel: 212-806-4125
srobinson () hipusa com
 

-----Original Message-----
From: Steve Fletcher [mailto:safletcher () insightbb com] 
Sent: Monday, May 16, 2005 6:05 PM
To: 'Security-Basics'
Subject: SAS70

I am not sure if this is the correct list for this or not, but I thought
I would try this list first.  

Recently, I have been tasked with assisting a company with preparing
their network for a SAS70 audit.  Unfortunately, I am not very familiar
with the requirements for SAS70.  I have done some searching, but have
found very limited information on what this audit covers.  I know that
it is primarily a financial audit including information systems, but
other than that, I have not been able to find any useful information.

I am sure that the network currently has security issues, but I am
concerned with whether the issues I see are critical to fix prior to the
SAS70 audit.
Any information on what this covers would be greatly appreciated.

Thanks,

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com


