This is a little off the subject of general penetration testing, but I
think it still falls under the general awareness of the pen-testing crowd.
Is anyone familiar with the process of attaining SAS70 certification
(Statements and Accounting Standards) that is used to 'label' an
infrastructure sufficiently secure to perform online financial
More importantly, is this just another semi-worthless 'stamp' of
approval, à la ICSA (not to offend anyone... my opinion though)?
Also, has anyone been asked to verify the set of requirements this
entails in addition to a penetration test?
Thanks in advance,