Re: SAS 70

From: Paul Melson (pmelson@gmail.com)
Date: Fri Jul 27 2007 - 21:20:46 EDT


On 7/27/07, p1g <killfactory@gmail.com> wrote:
> Hi,
>
> Can anyone provide me with some pointers on SAS 70 auditing?

On auditing or on being audit-ready? Those are very different things.

> I am interested in the technical controls that would be assessed by
> this type of audit.

It will depend a lot on your environment. At a high level, SAS 70 is
essentially an implementation of COSO[1]. If you already have an IT
control framework in place (like CObIT or ISO 17799), then a SAS70
audit will rely heavily on showing conformity to procedures and
adherence to policies already in place. If no framework is in place,
expect to put something (based on the 5 concepts of COSO) into effect
before you pass a Type II audit. If you don't have anything in place
already, your two big tasks will be building a set of controls for
documenting changes to business apps (bonus points if you are
automatically detecting changes), and performing a risk assessment of
your IT systems complete with action plan to reduce risk for the next
go-round.

> I will be on the receiving end of such an audit in the near future and I
> would like to go ahead and assess my situation beforehand.

Start by putting together your IT policy and procedure documentation
and then determine how you can demonstrate that you do those things
that your docs say you do. Focus on your core business apps and their
platforms, administrators and admin account usage, remote access to IT
resources, and access control procedures.

One thing to keep in mind is that SAS 70 certification is an annual
process. Build your docs and your technical controls to be flexible
and lasting. Otherwise the panic and chaos will visit you year after
year.

Good luck!

PaulM

[1] http://en.wikipedia.org/wiki/COSO#COSO_Internal_Control_Framework:_the_five_components
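The "automatically detecting changes" point in Paul's reply is usually met with a hash baseline of the application's files that is re-taken on a schedule and compared against the approved build. The following is an added example, not code from the original post or from any product Paul mentions; the directory layout, file names and the "unrecorded change" scenario in demo() are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the application tree cannot
    pull foreign files into the baseline.
    """
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def save_baseline(snap, path):
    """Persist the approved snapshot as JSON (keep this file outside the tree it describes)."""
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def diff_snapshots(baseline, current):
    """Return added, removed and modified paths relative to the approved baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: an approved build, then three changes nobody filed a ticket for."""
    with tempfile.TemporaryDirectory() as app_dir, tempfile.TemporaryDirectory() as evidence_dir:
        root = Path(app_dir)
        (root / "bin").mkdir()
        (root / "bin" / "app.jar").write_bytes(b"release 1.0")       # constructed content
        (root / "app.conf").write_text("db.host=prod-db\n")
        (root / "README").write_text("approved build\n")

        # Baseline is taken at deployment and stored with the change record, not in the app tree.
        baseline_path = Path(evidence_dir) / "baseline.json"
        save_baseline(snapshot(root), baseline_path)

        # Unrecorded changes: a config edit, an untracked hotfix, a deleted file.
        (root / "app.conf").write_text("db.host=prod-db\ndebug=true\n")
        (root / "bin" / "hotfix.jar").write_bytes(b"untracked patch")
        (root / "README").unlink()

        # Scheduled re-scan: anything reported here must map to an approved change record.
        return diff_snapshots(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is written at deployment and stored with the change ticket; the scheduled comparison output is the evidence an auditor asks for, and every reported path should trace back to an approved change or become an incident.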


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:59 EDT