mailing list archives
Re: [PEN-TEST] SAS70; the process and merit thereof?
From: Frederick Budd <Frederick_Budd () MASTERCARD COM>
Date: Wed, 27 Sep 2000 15:33:49 -0500
Three things to keep in mind:
1) There are two levels of SAS 70 reports.
A type I SAS 70 is simply a statement of the controls that were in place at the
time of the evaluation. It does not necessarily validate that those controls
were/are enforced at any point in time other than during the SAS 70 review. A
type II SAS 70 covers an extended period of time (6+ months I believe) and will
contain the auditors tests and the results of those tests during that time
period. My experience has been that significant testing of the controls really
only occurs during type II reviews.
2) The audited organization provides the description of control objectives and
There are no standards that you are required to measure against for a SAS 70,
although there are 5 general areas of control that should be addressed in some
fashion (as defined in SAS no. 55 - Consideration of Internal Control in a
Financial Statement Audit).
3) A SAS 70 is based on American standards. While it can (and is) done outside
the USA, there are equivalent and slightly different control reviews established
by other nations.
It is entirely possible that a penetration attempt would be part of the SAS 70
testing, depending on how the organization defined it's control objectives and
activities. I would be impressed if an organization requested that level of
testing be done since the results would be available to customers in a type II
This is a little off the subject of general penetration testing, but I
think it still falls under the general awareness of the pen-testing crowd.
Is anyone familiar with the process of attaining SAS70 certification
( Statements and Accounting Standards ) that is used to 'label' an
infrastructure sufficiently secure to perform online financial
More importantly, is this just another semi-worthless 'stamp' of
approval, ala ICSA ( not to offend anyone.. my opinion though )?
Also, has anyone been asked to verify the set of requirements this
entails in addition to a penetration test?
Thanks in advance,