Penetration Testing mailing list archives

Re: [PEN-TEST] SAS70; the process and merit thereof?


From: "Shein, Betty (ISS Southfield)" <bshein () ISS NET>
Date: Wed, 27 Sep 2000 15:27:22 -0400

Okay, since I was once a computer auditor for Big 5 and performed quite a
few SAS70 reviews, I feel like I can speak on this topic.  I have a few
comments.

1. A SAS70 report is semi-public.  The only people that should be able to
review a company's SAS70 report are those that are using their services.  So
Joe Blow that just wants to request a copy cannot do so.

2. There are 2 types of SAS70 reviews - the most popular type is where you
validate controls over a period of time.  Typically, this is a 6-month to
12-month period.  The 3rd party auditor will re-validate the same controls
many times during the review period.  This prevents the obvious: fixing
something before the auditor comes.  The result of positive validation of
controls over a period of time is the official "controls are operating
effectively during the period of review."

3. The SAS70 review requires hard evidence.  If the client controls state
that they have something in place, the third party auditor will ask for
proof multiple times until they are comfortable that the control does exist
and operates effectively.  See #2 above.

4. Controls are not based on some industry best practice that the 3rd party
auditor brings in.  The controls statement/document is the responsibility of
the client.  The client says "we have these controls in place."  This is
very important.  The third party auditor tests, verifies, and validates.

I hope that helps.  I can answer any more questions you may have.

Betty


-----Original Message-----
From: Tom Litney [mailto:Tom.Litney () NET-RELIANCE COM]
Sent: Wednesday, September 27, 2000 12:31 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] SAS70; the process and merit thereof?


Craig,

   Ok I'll take a stab at this though I'm no expert.  A SAS70 is a public
statement by an independent third party audit firm that states that the
controls someone claims are in place actually are in place.  This gives the
public (or customers) who will never have access to an internal audit the
warm and fuzzies that controls are as they claim.  Therefore, you should
require a SAS70 of anyone you may be planning on doing business with who
has access or control of some of your sensitive data.  But because it is a
public audit, it tends to be high level.  You probably would not want the
results of a pentest to be made public so that is usually never included in
a SAS70 audit.

   Tom

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Craig Anderson
Sent: Tuesday, September 26, 2000 8:32 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] SAS70; the process and merit thereof?


Helu,

  This is a little off the subject of general penetration testing, but I
think it still falls under the general awareness of the pen-testing crowd.

  Is anyone familiar with the process of attaining SAS70 certification
( Statements and Accounting Standards ) that is used to 'label' an
infrastructure sufficiently secure to perform online financial
transactions?

  More importantly, is this just another semi-worthless 'stamp' of
approval, ala ICSA ( not to offend anyone.. my opinion though )?

  Also, has anyone been asked to verify the set of requirements this
entails in addition to a penetration test?



Thanks in advance,

-- Craig

