Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] SAS70; the process and merit thereof?
From: Tom Litney <Tom.Litney () NET-RELIANCE COM>
Date: Wed, 27 Sep 2000 09:30:57 -0700

Craig,

   Ok I'll take a stab at this though I'm no expert.  A SAS70 is a public
statement by an independent third party audit firm that states that the
controls someone claims are in place actually are in place.  This gives the
public (or customers) who will never have access to an internal audit the
warm and fuzzies that controls are as they claim.  Therefore, you should
required a SAS70 of anyone you may be planning on doing business with who
has access or control of some of your sensitive data.  But because it is a
public audit, it tends to be high level.  You probably would not want the
results of a pentest to be made public so that is usually never included in
a SAS70 audit.

   Tom

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Craig Anderson
Sent: Tuesday, September 26, 2000 8:32 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] SAS70; the process and merit thereof?


Helu,

  This is a little off the subject of general penetration testing, but I
think it still falls under the general awareness of the pen-testing crowd.

  Is anyone familiar with the process of attaining SAS70 certification
( Statements and Accounting Standards ) that is used to 'label' an
infrastructure sufficiently secure to perform online financial
transactions?

  More importantly, is this just another semi-worthless 'stamp' of
approval, ala ICSA ( not to offend anyone.. my opinion though )?

  Also, has anyone been asked to verify the set of requirements this
entails in addition to a penetration test?



Thanks in advance,

-- Craig


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]