Sister CISA CISSP:

July, 2008


July 31, 2008  8:33 PM

Losing Your Credit Card Number at the Airline Check-in Kiosk

Arian Eigen Heald

According to an article on MSNBC.com, there has been a data breach at the Toronto, Canada airport that may have been through the check-in kiosks. Similar to my


July 29, 2008  11:16 AM

What NOT to call SAS 70 Reports

Arian Eigen Heald

I ran across the new website "securityidiot.com" in my travels, and was reminded that it is so important to be able to laugh at yourself (and others!). It's so easy to turn a Bad Idea into Bad Technology, these days. Or worse, another new acronym. You should especially check out the rant on



July 24, 2008  8:37 PM

SAS 70 Report: Section 2 – What to Look For in This Section

Arian Eigen Heald

This section of the report is commonly titled "Description of Controls Provided by (Company Name)." The company being audited provides a narrative description of itself, its critical applications (usually the ones providing a service to clients) and its general controls. Often, the...


July 22, 2008  4:32 PM

Does Your School or University Take Credit Cards?

Arian Eigen Heald

The Payment Card Industry (PCI) Data Security Standard (DSS) has taken many educational institutions by surprise. If your College or University accepts payment cards on campus or online, you must comply with this standard designed for safe handling of sensitive consumer information. Examine such...


July 17, 2008  6:56 PM

SAS 70 Reports – Section One

Arian Eigen Heald

Commonly, a SAS 70 Type 1 report contains three sections, and a Type 2 has five sections. That is because a Type 2 tests the effectiveness of the controls that a Type 1 says are there. The first section, the "Independent Service Auditors' Report," is basically a letter by the service auditor (the...


July 15, 2008  6:34 PM

SAS 70 Reports – Reading What You’re Getting – From The First Page On

Arian Eigen Heald

So you have this report from the company you've outsourced a critical financial service to, and it looks like a lot of boilerplate with a chart of sorts at the end. What are all those sections for, and why should you care? First, determine that the company performing the report is a certified...


July 11, 2008  1:46 AM

“SAS 70” – It Pays to Actually READ What You’re Getting

Arian Eigen Heald

When I do an audit and request that my client give me SAS 70 reports from his/her critical financial vendors, I am often amazed (or appalled) at what I get to read. My team performs about 20-25 SAS 70 Type IIs every year, and maybe 2 SAS 70 Type I exams. Why the big difference? Type II exams...


July 7, 2008  11:38 PM

SAS 70 Reports – Why Should You Want One?

Arian Eigen Heald

There seems to be a lot of misinformation about what a SAS 70 report is - just today I came across a post that referenced being "SAS 70 - compliant." There is no such thing. There is no pass/fail aspect to a SAS 70 because the Control Objectives and Control Procedures are designed by...


July 1, 2008  3:08 PM

Making Software Developers Clean Up Their Act

Arian Eigen Heald

In the course of many audits and pentests, I can't tell you how many times I have found flaws and openings based on bad development practices. It's downright painful. And yet software keeps coming out with the same problems. I know WHY this is happening, but I can't stop it. YOU can. Have...

