Re: SAS 70

To: p1g <killfactory@gmail.com>
Subject: Re: SAS 70
From: "Paul Melson" <pmelson@gmail.com>
Date: Fri, 27 Jul 2007 21:20:46 -0400
Cc: Pen-Tests <pen-test@securityfocus.com>
On 7/27/07, p1g <killfactory@gmail.com> wrote:
> Hi,
>
> Can anyone provide me with some pointers on SAS 70 auditing?

On auditing or on being audit-ready?  Those are very different things.


> I am interested in the technical controls that would be assessed by
> this type of audit.

It will depend a lot on your environment.  At a high level, SAS 70 is
essentially an implementation of COSO[1].  If you already have an IT
control framework in place (like CObIT or ISO 17799), then a SAS70
audit will rely heavily on showing conformity to procedures and
adherence to policies already in place. If no framework is in place,
expect to put something (based on the 5 concepts of COSO) into effect
before you pass a Type II audit.  If you don't have anything in place
already, your two big tasks will be building a set of controls for
documenting changes to business apps (bonus points if you are
automatically detecting changes), and performing a risk assessment of
your IT systems complete with action plan to reduce risk for the next
go-round.

> I will be on the receiving end of such an audit in the near future and I
> would like to go ahead and assess my situation beforehand.

Start by putting together your IT policy and procedure documentation
and then determine how you can demonstrate that you do those things
that your docs say you do.  Focus on your core business apps and their
platforms, administrators and admin account usage, remote access to IT
resources, and access control procedures.

One thing to keep in mind is that SAS 70 certification is an annual
process.  Build your docs and your technical controls to be flexible
and lasting.  Otherwise the panic and chaos will visit you year after
year.

Good luck!

PaulM

1) http://en.wikipedia.org/wiki/COSO#COSO_Internal_Control_Framework:_the_five_components
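The "automatically detecting changes" control mentioned above, as an added example (not code from the original post or from either poster): a baseline-and-compare integrity check over a business application's files, followed by reconciliation of every detected change against an approved change ticket. Anything not covered by a ticket is the list the auditor will ask about. The ticket format ({ticket_id: [paths]}), the sample application tree and the change tickets are all constructed for the demo and are assumptions, not anything from the post.

```python
"""Baseline-and-compare change detection as evidence for a change-control
procedure.  Added example; not from the original mailing-list post."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its SHA-256.
    Symlinks are skipped so a link pointing outside the tree is not followed."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def save_baseline(snap: dict, path: Path) -> None:
    """Persist the approved baseline; in practice store it off-box, read-only."""
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify each path as added, removed or modified between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def reconcile(changes: dict, approved_tickets: dict) -> dict:
    """Return {path: change_kind} for every change no approved ticket explains.
    approved_tickets is a hypothetical {ticket_id: [paths]} mapping (assumption)."""
    covered = {p: t for t, paths in approved_tickets.items() for p in paths}
    unexplained = {}
    for kind, paths in changes.items():
        for p in paths:
            if p not in covered:
                unexplained[p] = kind
    return unexplained


def demo():
    """Build a constructed sample app tree, baseline it, make four changes
    (two ticketed, two not) and report what the control would flag."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config").mkdir()
        (root / "config" / "db.ini").write_text("host=db01\n")
        (root / "app.py").write_text("print('v1')\n")
        (root / "old.py").write_text("legacy\n")
        baseline_file = root.parent / (root.name + ".baseline.json")
        save_baseline(snapshot(root), baseline_file)

        # Approved under ticket CHG-1001 (constructed): upgrade app.py, retire old.py.
        (root / "app.py").write_text("print('v2')\n")
        (root / "old.py").unlink()
        # Not covered by any ticket: a config edit and a new file.
        (root / "config" / "db.ini").write_text("host=db01\ntrace=on\n")
        (root / "debug.py").write_text("print('debug hook')\n")

        changes = diff_snapshots(load_baseline(baseline_file), snapshot(root))
        baseline_file.unlink()
        tickets = {"CHG-1001": ["app.py", "old.py"]}
        return changes, reconcile(changes, tickets)


if __name__ == "__main__":
    detected, unexplained = demo()
    print("changes:", json.dumps(detected))
    print("unexplained:", json.dumps(unexplained))
```

Run the baseline step right after a change window closes and the compare step on a schedule; the unexplained list, together with the ticket list, is exactly the kind of artefact that shows an auditor the procedure runs rather than merely exists.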

