Penetration Testing mailing list archives
Re: [PEN-TEST] SAS70; the process and merit thereof?
From: "Shein, Betty (ISS Southfield)" <bshein () ISS NET>
Date: Wed, 27 Sep 2000 15:27:22 -0400
Okay, since I was once a computer auditor for Big 5 and performed quite a few SAS70 reviews, I feel like I can speak on this topic. I have a few comments.

1. A SAS70 report is semi-public. The only people that should be able to review a company's SAS70 report are those that are using their services. So Joe Blow who just wants to request a copy cannot do so.

2. There are 2 types of SAS70 reviews - the most popular type is where you validate controls over a period of time. Typically, this is a 6-month to 12-month period. The 3rd party auditor will re-validate the same controls many times during the review period. This prevents the obvious "fixing something before the auditor comes." The result of positive validation of controls over a period of time is the official "controls are operating effectively during the period of review."

3. The SAS70 review requires hard evidence. If the client controls state that they have something in place, the third party auditor will ask for proof multiple times until they are comfortable that the control does exist and operates effectively. See #2 above.

4. Controls are not based on some industry best practice that the 3rd party auditor brings in. The controls statement/document is the responsibility of the client. The client says "we have these controls in place." This is very important. The third party auditor tests, verifies, and validates.

I hope that helps. I can answer any more questions you may have.

Betty

-----Original Message-----
From: Tom Litney [mailto:Tom.Litney () NET-RELIANCE COM]
Sent: Wednesday, September 27, 2000 12:31 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] SAS70; the process and merit thereof?

Craig,

Ok, I'll take a stab at this though I'm no expert. A SAS70 is a public statement by an independent third party audit firm that states that the controls someone claims are in place actually are in place. This gives the public (or customers) who will never have access to an internal audit the warm and fuzzies that controls are as they claim. Therefore, you should require a SAS70 of anyone you may be planning on doing business with who has access to or control of some of your sensitive data. But because it is a public audit, it tends to be high level. You probably would not want the results of a pentest to be made public, so that is usually never included in a SAS70 audit.

Tom

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Craig Anderson
Sent: Tuesday, September 26, 2000 8:32 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] SAS70; the process and merit thereof?

Helu,

This is a little off the subject of general penetration testing, but I think it still falls under the general awareness of the pen-testing crowd. Is anyone familiar with the process of attaining SAS70 certification (Statements and Accounting Standards) that is used to 'label' an infrastructure sufficiently secure to perform online financial transactions? More importantly, is this just another semi-worthless 'stamp' of approval, a la ICSA (not to offend anyone.. my opinion though)? Also, has anyone been asked to verify the set of requirements this entails in addition to a penetration test?

Thanks in advance,
--
Craig