Network Security Security-Basics

RE: SAS70

Subject: RE: SAS70
Date: Mon, 23 May 2005 01:21:18 -0500
Hi Harlan,

You seem to be right.  The consensus appears to be that what the audit
covers depends on the situation.  But, I have at least been able to get some
useful information to point me in the right direction.

I totally agree on the documentation point.  In fact, that is going to be
one of the major recommendations.  I am amazed about how many people have
not documented anything on their network.  I will admit that I am not
perfect, but I try to help ensure things are well documented.

Thanks for the help.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher@insightbb.com

-----Original Message-----
From: H Carvey [mailto:keydet89@yahoo.com] 
Sent: Tuesday, May 17, 2005 2:55 PM
To: security-basics@securityfocus.com
Subject: Re: SAS70

In-Reply-To: <20050516213837.8981.qmail@mail.securityfocus.com>

Steve,

> Recently, I have been tasked with assisting a company with preparing their
> network for a SAS70 audit.  Unfortunately, I am not very familiar with the
> requirements for SAS70.  I have done some searching, but have found very
> limited information on what this audit covers.  I know that it is primarily
> a financial audit including information systems, but other than that, I have
> not been able to find any useful information.
>
> I am sure that the network currently has security issues, but I am concerned
> with whether the issues I see are critical to fix prior to the SAS70 audit.
> Any information on what this covers would be greatly appreciated.

Unfortunately, I don't think you'll find any.  I've dealt with SAS-70
audits, and the exact nature of the examination of "controls" as they apply
to the IT infrastructure vary based on the auditor or auditing organization.
In addition, it will also vary based on the IT infrastructure itself...host
data center, internal network, etc.

I would suggest to you that it would be better in the eyes of the auditors
if you had a process for security/vulnerability management in place, rather
than saying that "we scanned our network and fixed the problems we found." 

Also, I know that this is going to sound like someone running fingernails down
a chalkboard to many, but the key to these things is documentation.  If you
don't have the documentation, you can't say (a) "we do that", or (b) "we did
that".

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

