Security Basics mailing list archives

RE: SAS70


From: "Steve Fletcher" <safletcher () insightbb com>
Date: Mon, 23 May 2005 01:21:18 -0500

Hi Harlan,

You seem to be right.  The consensus appears to be that what the audit
covers depends on the situation.  But, I have at least been able to get some
useful information to point me in the right direction.

I totally agree on the documentation point.  In fact, that is going to be
one of the major recommendations.  I am amazed about how many people have
not documented anything on their network.  I will admit that I am not
perfect, but I try to help ensure things are well documented.

Thanks for the help.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com

-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com] 
Sent: Tuesday, May 17, 2005 2:55 PM
To: security-basics () securityfocus com
Subject: Re: SAS70

In-Reply-To: <20050516213837.8981.qmail () mail securityfocus com>

Steve,

Recently, I have been tasked with assisting a company with preparing their
network for a SAS70 audit.  Unfortunately, I am not very familiar with the
requirements for SAS70.  I have done some searching, but have found very
limited information on what this audit covers.  I know that it is primarily
a financial audit including information systems, but other than that, I have
not been able to find any useful information.

I am sure that the network currently has security issues, but I am concerned
with whether the issues I see are critical to fix prior to the SAS70 audit.
Any information on what this covers would be greatly appreciated.

Unfortunately, I don't think you'll find any.  I've dealt with SAS-70
audits, and the exact nature of the examination of "controls" as they apply
to the IT infrastructure varies based on the auditor or auditing organization.
In addition, it will also vary based on the IT infrastructure itself...host
data center, internal network, etc.

I would suggest to you that it would be better in the eyes of the auditors
if you had a process for security/vulnerability management in place, rather
than saying that "we scanned our network and fixed the problems we found." 

Also, I know that this is going to be like someone running fingernails down a
chalkboard to many, but the key to these things is documentation.  If you
don't have the documentation, you can't say (a) "we do that", or (b) "we did
that".

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
