Penetration Testing mailing list archives
Re: [PEN-TEST] SAS70; the process and merit thereof?
From: Frederick Budd <Frederick_Budd () MASTERCARD COM>
Date: Wed, 27 Sep 2000 15:33:49 -0500
Three things to keep in mind:

1) There are two levels of SAS 70 reports. A type I SAS 70 is simply a statement of the controls that were in place at the time of the evaluation. It does not necessarily validate that those controls were/are enforced at any point in time other than during the SAS 70 review. A type II SAS 70 covers an extended period of time (6+ months I believe) and will contain the auditor's tests and the results of those tests during that time period. My experience has been that significant testing of the controls really only occurs during type II reviews.

2) The audited organization provides the description of control objectives and control activities. There are no standards that you are required to measure against for a SAS 70, although there are 5 general areas of control that should be addressed in some fashion (as defined in SAS no. 55 - Consideration of Internal Control in a Financial Statement Audit).

3) A SAS 70 is based on American standards. While it can be (and is) done outside the USA, there are equivalent and slightly different control reviews established by other nations.

It is entirely possible that a penetration attempt would be part of the SAS 70 testing, depending on how the organization defined its control objectives and activities. I would be impressed if an organization requested that level of testing be done since the results would be available to customers in a type II report.

-FB

> Helu,
>
> This is a little off the subject of general penetration testing, but I think it still falls under the general awareness of the pen-testing crowd. Is anyone familiar with the process of attaining SAS70 certification (Statements and Accounting Standards) that is used to 'label' an infrastructure sufficiently secure to perform online financial transactions? More importantly, is this just another semi-worthless 'stamp' of approval, ala ICSA (not to offend anyone.. my opinion though)?
>
> Also, has anyone been asked to verify the set of requirements this entails in addition to a penetration test?
>
> Thanks in advance,
>
> -- Craig