Network Security Pen-Test

Re: SAS 70

Subject: Re: SAS 70
Date: Fri, 27 Jul 2007 21:20:46 -0400
On 7/27/07, p1g <killfactory@gmail.com> wrote:
> Hi,
>
> Can anyone provide me with some pointers on SAS 70 auditing?

On auditing or on being audit-ready?  Those are very different things.


> I am interested in the technical controls that would be assessed by
> this type of audit.

It will depend a lot on your environment.  At a high level, SAS 70 is
essentially an implementation of COSO[1].  If you already have an IT
control framework in place (like COBIT or ISO 17799), then a SAS 70
audit will rely heavily on showing conformity to procedures and
adherence to policies already in place.  If no framework is in place,
expect to put something (based on the 5 concepts of COSO) into effect
before you pass a Type II audit.  If you don't have anything in place
already, your two big tasks will be building a set of controls for
documenting changes to business apps (bonus points if you are
automatically detecting changes), and performing a risk assessment of
your IT systems complete with an action plan to reduce risk for the next
go-round.

> I will be on the receiving end of such an audit in the near future and I
> would like to go ahead and assess my situation beforehand.

Start by putting together your IT policy and procedure documentation
and then determine how you can demonstrate that you do those things
that your docs say you do.  Focus on your core business apps and their
platforms, administrators and admin account usage, remote access to IT
resources, and access control procedures.

One thing to keep in mind is that SAS 70 certification is an annual
process.  Build your docs and your technical controls to be flexible
and lasting.  Otherwise the panic and chaos will visit you year after
year.

Good luck!

PaulM

[1] http://en.wikipedia.org/wiki/COSO#COSO_Internal_Control_Framework:_the_five_components


  • SAS 70, p1g
    • Re: SAS 70, Paul Melson <=