July 29, 2008 11:16 AM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
DataCenter,
SAS 70,
Security,
SOX,
Start Laughing Now
I ran across the new website "securityidiot.com" in my travels, and was reminded that it is so important to be able to laugh at yourself (and others!). It's so easy to turn a Bad Idea into Bad Technology, these days. Or worse, another new acronym.
You should especially check out the rant on
July 24, 2008 8:37 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
SAS 70,
Security
In this section of the report, it is common to find it titled "Description of Controls Provided by (Company Name)." The company being audited provides a narrative description of itself, their critical applications (usually the ones providing a service to clients) and general controls. Often, the...
July 22, 2008 4:32 PM
Posted by: Arian Eigen Heald
Compliance,
PCI DSS,
Security
The Payment Card Industry (PCI) Data Security Standard (DSS) has taken many educational institutions by surprise. If your College or University accepts payment cards on campus or online, you must comply with this standard designed for safe handling of sensitive consumer information. Examine such...
July 17, 2008 6:56 PM
Posted by: Arian Eigen Heald
Compliance,
IT audit,
SAS 70,
Security,
SOX
Commonly, a SAS 70 Type 1 report contains three sections, and a Type 2 has five sections. That's because a Type 2 tests the effectiveness of the controls that a Type 1 says are there.
The first section, the "Independent Service Auditors' Report," is basically a letter by the service auditor (the...
July 15, 2008 6:34 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
IT audit,
SAS 70,
Security
So you have this report from the company you've outsourced a critical financial service to, and it looks like a lot of boilerplate with a chart of sorts at the end. What are all those sections for, and why should you care?
First, determine that the company performing the report is a certified...
July 11, 2008 1:46 AM
Posted by: Arian Eigen Heald
Compliance,
IT audit,
SAS 70,
Security,
SOX
When I do an audit and request that my client give me SAS 70 reports from his/her critical financial vendors, I am often amazed (or appalled) at what I get to read.
My team performs about 20-25 SAS 70 Type IIs every year, and maybe 2 SAS 70 Type I exams. Why the big difference? Type II exams...
July 7, 2008 11:38 PM
Posted by: Arian Eigen Heald
Compliance,
DataCenter,
IT audit,
SAS 70,
Security,
Security Metrics,
SOX
There seems to be a lot of misinformation about what a SAS 70 report is - just today I came across a post that referenced being "SAS 70 - compliant." There is no such thing. There is no pass/fail aspect to a SAS 70 because the Control Objectives and Control Procedures are designed by...
July 1, 2008 3:08 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
Data Breaches,
Database,
Database security,
Development,
IT audit,
Security,
Tools & Tricks of the Trade
In the course of many audits and pentests, I can't tell you how many times I have found flaws and openings based on bad development practices. It's downright painful. And yet software keeps coming out with the same problems. I know WHY this is happening, but I can't stop it. YOU can.
Have...