Security Basics mailing list archives

RE: SAS70


From: "Steve Fletcher" <safletcher () insightbb com>
Date: Mon, 23 May 2005 01:22:35 -0500

I know exactly what you mean!  The idea that you can “choose” what you are
audited on just seems bizarre to me.  You either follow standard practices
or you don’t.  It’s that simple.  But, that apparently is not how this
works.

Thank you for the information.  It helps a lot.  And, it helps that I have
gotten some more information from the customer, including a preliminary
audit that was done before I came in.  That, combined with the information I
have gained from people such as yourself, has helped IMMENSELY to get a
better idea of what I need to do.

Thanks for the help,


Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com
________________________________________
From: JOHN FORRISTEL [mailto:counteroffense () sbcglobal net] 
Sent: Tuesday, May 17, 2005 9:42 AM
To: Steve Fletcher; 'Security-Basics'
Subject: Re: SAS70

Steve,
 
The SAS70 audit is all about the controls that you have in place and the
logs that are generated.  This concept was hard for me to wrap my tiny brain
around.  They don't care that you are doing something; they care if there is
a policy/procedure and that you are following it.
 
For example, they know you have a firewall, and that it is properly
configured.  "Do you test it?  When? Show me the logs of you doing this. 
Show me the written procedure that outlines the test."
 
It is very different from any other IT audit I've seen.  They will want
screen shots of your Active Directory Policies to show that users are forced
to change their passwords.  They will want to see any controls you have in
place to keep developers out of production data.  They want to see email
retention policies and proof that you are following them.  
 
They want to see logs of IDS detections, and what the policy is for handling
them.  The policy can say, "Inform the VP and Prez of the company, law
enforcement, etc."  They want to know how you go about checking the IDS
logs, and where the logs are stored.
 
Make sure the site had backup and restore tests logged, and that there are
procedures for the actual backups and offsite storage.  They may want to
visit the offsite storage place.  
 
Again, it's all about the paper trail that shows proof that you are doing
everything you say you are doing.  
 
Side note:  They didn't do any checking of our network at my site.  I was
thinking that that was coming, but it didn't.  In fact, when I showed them
the Snort filters that I had written, they looked confused.  The UNIX
scripting that logs user access was beyond them; they just wanted to see
that it was being done and checked.  
 
John
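John's point above is that the auditor wants the control and a paper trail showing it was exercised, not the technical detail. The script below is an added example, not part of this thread or anything John or Steve posted. It takes the backup/restore case: it verifies a restored directory against a manifest of SHA-256 hashes (the manifest format, the file names and the `evidence.jsonl` log are all assumptions constructed here), reports missing, altered or unexpected files, and appends a timestamped record of who ran the test and what it found, so the restore test itself produces the kind of log an auditor asks for.

```python
"""Restore-test verifier that records audit evidence.

Added example, not from the original mailing-list thread. It assumes a
backup manifest of SHA-256 hashes (constructed here) and a restored
directory; it verifies every file, then appends a timestamped evidence
record of the test so the check itself leaves a paper trail.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restore(restore_dir, manifest):
    """Compare restored files against manifest {relative_path: sha256}.

    Returns (passed, findings); findings lists files that are missing,
    whose content differs from the manifest, or that were not expected.
    """
    findings = []
    for rel, expected in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path):
            findings.append(("missing", rel))
            continue
        if sha256_file(path) != expected:
            findings.append(("mismatch", rel))
    for root, _, files in os.walk(restore_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), restore_dir)
            if rel not in manifest:
                findings.append(("unexpected", rel))
    return (not findings), findings


def record_evidence(log_path, tester, passed, findings):
    """Append one JSON line: who ran the test, when, and the outcome."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "control": "backup-restore-test",  # assumed control name
        "tester": tester,
        "result": "PASS" if passed else "FAIL",
        "findings": [{"type": t, "file": f} for t, f in findings],
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Constructed scenario: one intact file, one altered, one never restored."""
    with tempfile.TemporaryDirectory() as tmp:
        restore = os.path.join(tmp, "restore")
        os.makedirs(restore)
        good = b"ledger 2005-Q1\n"
        with open(os.path.join(restore, "ledger.csv"), "wb") as f:
            f.write(good)
        with open(os.path.join(restore, "config.ini"), "wb") as f:
            f.write(b"tampered\n")  # differs from what was backed up
        manifest = {  # constructed manifest of the original backup
            "ledger.csv": hashlib.sha256(good).hexdigest(),
            "config.ini": hashlib.sha256(b"original\n").hexdigest(),
            "users.db": hashlib.sha256(b"never restored\n").hexdigest(),
        }
        passed, findings = verify_restore(restore, manifest)
        entry = record_evidence(os.path.join(tmp, "evidence.jsonl"),
                                "ops-oncall", passed, findings)
        return passed, sorted(findings), entry["result"]


if __name__ == "__main__":
    print(demo())
```

Run on a real restore, the manifest would be written at backup time and the evidence file kept with the other control logs; a FAIL record with its findings is as useful to the auditor as a PASS, because it shows the test is actually run and acted on.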


Steve Fletcher <safletcher () insightbb com> wrote:
I am not sure if this is the correct list for this or not, but I thought I
would try this list first. 

Recently, I have been tasked with assisting a company with preparing their
network for a SAS70 audit. Unfortunately, I am not very familiar with the
requirements for SAS70. I have done some searching, but have found very
limited information on what this audit covers. I know that it is primarily
a financial audit including information systems, but other than that, I have
not been able to find any useful information.

I am sure that the network currently has security issues, but I am concerned
with whether the issues I see are critical to fix prior to the SAS70 audit.
Any information on what this covers would be greatly appreciated.

Thanks,

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com


