WebApp Sec mailing list archives
RE: SAS 70 and software policies
From: "Rosado, Rafael (Rafael)" <rarosado () lucent com>
Date: Sun, 2 Oct 2005 13:28:43 -0600
James,

Having been an ex-auditor (internal and external) that has performed SAS70 Audits in the past and currently serving as a consultant in assisting other companies prepare for SAS70 Audits, I can tell you that the auditors will be concentrating on those systems/applications that can directly or indirectly impact the preparation of financial statements of the customers that use the service you provide which is within the scope of the audit (aka, the service for which the SAS70 is being performed).

With that said, auditors will expect proper segregation of duties within the Change Control process (separation of production and test/development environments, different individuals involved in the development/test/production migration of changes, properly documented approval of changes), security over development/test/production libraries, and the overall system development/software life cycle ONLY IF THE USER MACROS ARE CONSIDERED TO HAVE A DIRECT OR INDIRECT EFFECT ON THE PREPARATION (OR CONTENT) OF INFORMATION USED TO PREPARE THE FINANCIAL STATEMENTS OF YOUR CUSTOMERS THAT USE THE SERVICE BEING AUDITED (the CAPS are the caveat and the response to your question).

If these user-developed macros can modify information in production databases or systems that directly or indirectly affect the service being audited, the auditors might question why these do not go through a formal change process and why they're not managed by IT (meaning, if it has a direct impact on how the systems behave, why aren't these under the control of IT?).

I hope this gives you an idea. If you have any questions, you should ask your internal auditors or the external auditors that are performing the SAS70 audit. Your internal auditors should be working with you in the preparation for the audit. Most companies will either use an internal audit group or an external consulting firm to help prepare them for the audit (some companies use a consulting firm which is independent from the Big 4/CPA firm performing the SAS70 audit, while others will use the same firm that is performing the audit).

This is as much direction as I can provide you without having to send you a bill for my services (JUST KIDDING)....

Good Luck,

Rafael Rosado, CISSP, CISA
Security Consultant
Lucent Worldwide Services
Business Consulting
Reliability and Security Services
Voice: 954-885-2176
Mobile: 954-609-5414
Email: rarosado () lucent com
http://www.lucent.com/security/
http://www.lucent.com/solutions/sec_sol_sp.html

This e-mail message and any attachment(s) to it are intended only for the use of the addressee(s). The information in this e-mail message is confidential and proprietary and may be subject to legal privilege. The reading or dissemination of this email by anyone other than the intended recipient is strictly prohibited. If you believe you have received this e-mail in error, please notify the sender immediately and permanently delete this e-mail, any attachments and all copies thereof from any drives or storage media and destroy any printouts.

-----Original Message-----
From: James Strassburg [mailto:JStrassburg () directs com]
Sent: Friday, September 30, 2005 10:45 AM
To: webappsec () securityfocus com
Subject: SAS 70 and software policies

My organization is currently preparing for a SAS 70 audit. We started writing web application security standards a while ago. That got extended to a software engineering security policy, and that got extended to a full software engineering policy covering our entire SDLC. My question is not about web app sec, however, but rather user-developed macros. Should user (and by user I mean non-software developer) developed macros be subject to the same software lifecycle that our production apps would?

If not, what about if the macros hit production databases or other production network resources? This is the best channel I can think of for this question, so I apologize if it is inappropriate. If anyone knows of a better channel, please let me know.

Thanks.

James A. Strassburg Jr.
Software Security Architect
Direct Supply, Inc.
Current thread:
- Re: SAS 70 and software policies jcglover (Oct 02)
- RE: SAS 70 and software policies Rosado, Rafael (Rafael) (Oct 02)