Penetration Testing mailing list archives
Re: SAS 70
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 27 Jul 2007 21:20:46 -0400
On 7/27/07, p1g <killfactory () gmail com> wrote:
Hi, can anyone provide me with some pointers on SAS 70 auditing?
On auditing or on being audit-ready? Those are very different things.
I am interested in the technical controls that would be assessed by this type of audit.
It will depend a lot on your environment. At a high level, SAS 70 is essentially an implementation of COSO[1]. If you already have an IT control framework in place (like COBIT or ISO 17799), then a SAS 70 audit will rely heavily on showing conformity to procedures and adherence to policies already in place. If no framework is in place, expect to put something (based on the 5 concepts of COSO) into effect before you pass a Type II audit. If you don't have anything in place already, your two big tasks will be building a set of controls for documenting changes to business apps (bonus points if you are automatically detecting changes), and performing a risk assessment of your IT systems complete with an action plan to reduce risk for the next go-round.
I will be on the receiving end of such an audit in the near future and I would like to go ahead and assess my situation beforehand.
Start by putting together your IT policy and procedure documentation and then determine how you can demonstrate that you do those things that your docs say you do. Focus on your core business apps and their platforms, administrators and admin account usage, remote access to IT resources, and access control procedures. One thing to keep in mind is that SAS 70 certification is an annual process. Build your docs and your technical controls to be flexible and lasting. Otherwise the panic and chaos will visit you year after year.

Good luck!

PaulM

1) http://en.wikipedia.org/wiki/COSO#COSO_Internal_Control_Framework:_the_five_components