Sister CISA CISSP

Jul 24 2008   8:37PM GMT

SAS 70 Report: Section 2 – What to Look For in This Section



Posted by: Arian Eigen Heald
Tags: Admins and Auditors, SAS 70, Security

This section of the report is commonly titled “Description of Controls Provided by (Company Name).” The company being audited provides a narrative description of itself, its critical applications (usually the ones providing a service to clients) and its general controls. Often the service auditor will assist in writing this section, but legally it is the company’s responsibility to determine that what is in this section is correct.

You will want to review carefully the subsections on their organizational structure, and how they manage new employees. Do they provide annual security training? Are background checks used? How do they add and remove users?

The subsections on critical applications should describe processes for adding and deleting users, as well as a periodic review of users to make sure there is no “access creep” (where people move departments and keep both their new access and their old access).

Review their Change Management/SDLC (Software Development Lifecycle) subsection to see how diligent they are in testing code before it goes into production, and whether their testing process is documented. They should have software that acts as a code repository and controls code changes. Programmers should not be moving code into production systems. If they only have off-the-shelf software, they should still be managing updates and patches.

For network management, they should be fairly specific about common practices, such as password controls, patching servers and routers, and managing firewalls.

There should be a section on physical and environmental controls. This should include access controls, fire alarm systems and power redundancy. Sometimes this area in the narrative will include backup controls as well. Where are they storing their backup tapes with your information? Is transport of those tapes secured? How about disposal of hardware and paper documentation? This can be really important when the SAS 70 is covering a medical services bureau, for instance.

Make sure the narrative addresses how the service bureau protects the systems that hold your company’s assets. If they only assess the Windows domain, and your data is on a Linux server in the DMZ, how do you know how secure your data is?

In short, look for what isn’t there.
