Sister CISA CISSP: Admins and Auditors

August 13, 2008  1:53 AM

Monitoring Insider Access to Databases

Posted by: Arian Eigen Heald
Admins and Auditors, Data Breaches, Database, Database security, DataManagement, Security

The recent report on the Countrywide data theft got me thinking again about how to monitor insider access to databases. The story is that the thief had access to the...

July 29, 2008  11:16 AM

What NOT to call SAS 70 Reports

Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, DataCenter, SAS 70, Security, SOX, Start Laughing Now

I ran across the new website "securityidiot.com" in my travels, and was reminded that it is so important to be able to laugh at yourself (and others!). It's so easy to turn a Bad Idea into Bad Technology, these days. Or worse, another new acronym. You should especially check out the rant on


July 24, 2008  8:37 PM

SAS 70 Report: Section 2 – What to Look For in This Section

Posted by: Arian Eigen Heald
Admins and Auditors, SAS 70, Security

This section of the report is commonly titled "Description of Controls Provided by (Company Name)." The company being audited provides a narrative description of itself, its critical applications (usually the ones providing a service to clients) and general controls. Often, the...


July 15, 2008  6:34 PM

SAS 70 Reports – Reading What You’re Getting – From The First Page On

Posted by: Arian Eigen Heald
Admins and Auditors, IT audit, SAS 70, Security

So you have this report from the company you've outsourced a critical financial service to, and it looks like a lot of boilerplate with a chart of sorts at the end. What are all those sections for, and why should you care? First, determine that the company performing the report is a certified...


July 1, 2008  3:08 PM

Making Software Developers Clean Up Their Act

Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Data Breaches, Database, Database security, Development, IT audit, Security, Tools & Tricks of the Trade

In the course of many audits and pentests, I can't tell you how many times I have found flaws and openings based on bad development practices. It's downright painful. And yet software keeps coming out with the same problems. I know WHY this is happening, but I can't stop it. YOU can. Have...


June 12, 2008  7:18 PM

SAS 70 Reports – Are They Worthwhile?

Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, IT audit, SAS 70

I noticed a recent post on the boards questioning the value of SAS 70 Reports. Given that I do about 15 a year, I thought I'd venture an answer to that question. First, it's important to understand what a SAS 70 is NOT: it's not a checklist; it's not a certification; it's not a...


May 29, 2008  1:44 PM

Firewalls Part IV – Quis custodiet ipsos custodes?

Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, IT audit, Security, Security Devices, Steps to an Easy Audit, Tools & Tricks of the Trade

Who guards the guardians? Good IT governance mandates oversight of all IT functions. The firewall tends to be neglected, because it appears to be such a back-office function that only engineers or admins actually see and work on. However, it is one of the most critical pieces of the IT...


May 26, 2008  12:05 PM

It’s Not Your Mother’s Firewall Anymore – Part III

Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, IT audit, Security, Security Devices, Steps to an Easy Audit

When all is said and done, configuring a firewall comes down to creating a set of rules. Firewalls are bi-directional - they control traffic going out (outbound) to the Internet (or the DMZ) and they control traffic coming in (inbound) to the network or the DMZ. You are configuring for WHO,...


May 23, 2008  6:55 PM

It’s Not Your Mother’s Firewall Anymore – Part II

Posted by: Arian Eigen Heald
Admins and Auditors, IT audit, Networking, Security

There are some amazing firewall appliances out there - application-level firewalls that monitor for web attacks, intrusion prevention features where the...


May 15, 2008  5:54 PM

Steps to an Easy Audit (3) – Compensating Controls

Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Database security, IT audit, PCI DSS, Security, SOX, Steps to an Easy Audit, Tools & Tricks of the Trade, Tools for Auditing and Security

These two magic words should be in every network manager's and system engineer's lexicon. It's your get-out-of-jail (not necessarily free) card with an IT Auditor. Every IT shop has an application, a device, a configuration that breaks good security rules and usually corporate policy, as well. ...