Security Basics mailing list archives

Re: SAS70


From: routerg <routerg () gmail com>
Date: Tue, 17 May 2005 13:25:45 -0400

Having been involved in a SAS70, I have to agree that there isn't
~that~ much information out there.  It isn't specific to any department
such as finance though.  The general premise is to ensure that you are
doing what you say you're doing.

Typically you'll sit down with the auditors and work out the scope,
control objectives, and tests.  Then you'll do a pre-assessment which
is a first run through the tests.  You may find things that aren't
right.  Like if you have a standard that says to use Solaris 8 and you
have a box with Solaris 7 that could be identified in the
pre-assessment as a gap, and you would have time before the actual
audit to fix it.  After the audit, the auditor will give you a pass or
fail.  You don't necessarily have to be doing everything you said you
would do, as long as you provide some sort of remediation (revise
policy, upgrade etc).

hth

On 5/16/05, Steve Fletcher <safletcher () insightbb com> wrote:
I am not sure if this is the correct list for this or not, but I thought I
would try this list first.

Recently, I have been tasked with assisting a company with preparing their
network for a SAS70 audit.  Unfortunately, I am not very familiar with the
requirements for SAS70.  I have done some searching, but have found very
limited information on what this audit covers.  I know that it is primarily
a financial audit including information systems, but other than that, I have
not been able to find any useful information.

I am sure that the network currently has security issues, but I am concerned
with whether the issues I see are critical to fix prior to the SAS70 audit.
Any information on what this covers would be greatly appreciated.

Thanks,

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com
