Sister CISA CISSP:

Compliance


September 12, 2008  2:14 PM

Inside the Database Server – MS SQL



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Database, Database security, IT audit, Security, SQL Server, Tools for Auditing and Security

The first question to answer is: "Is the SQL system patched?" You or a DBA can confirm this inside Enterprise Manager (the management client, run either on the SQL Server host itself or from a remote installation) by right-clicking the primary database icon and selecting Properties. You can also run a query inside...

August 27, 2008  4:27 PM

“Over-Reacting” to Data Breach Reports



Posted by: Arian Eigen Heald
Compliance, Data Breaches, Security

After Benjamin Wright's comments on my previous post about Best Western, I hopped on over to his blog and took a look at his point of view. Speaking from a consumer point of view, I find cold comfort...


August 21, 2008  3:48 PM

How to Audit Databases: Part I



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Data Breaches, Database, Database security, DataManagement, Identity theft, IT audit, Oracle, PCI DSS, SAP, SAS 70, Security, SOX, SQL Server

Databases are enormous, powerful repositories of data. They can hold payroll, HR personnel data (think social security numbers), stock prices, Accounts Receivable, Client Relationship Management, and customer information. Banks can't live without them. Most medium and many small-sized businesses...


August 19, 2008  1:20 PM

I Can Make Your Database Lie to You



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Data Breaches, Database, Database security, DataManagement, Identity theft, IT audit, Oracle, PCI DSS, SAP, SAS 70, Security, SOX, SQL Server

So many financial auditors, CEOs, CFOs and others rely on electronic data to understand the complexities of General Ledger, Accounts Payable, etc. In this era of SAP, ADP, electronic time clocks, etc., the one common denominator is the database underlying each application. Applications...


August 7, 2008  4:39 PM

Kill Your WEP Now



Posted by: Arian Eigen Heald
Compliance, Data Breaches, PCI DSS, Security, Wireless

Tuesday's announcement of the indictment of 11 people for "the largest data breach in history" was an interesting read: The indictment returned Tuesday by a federal grand jury in Boston alleges that the suspects hacked into the wireless computer networks of retailers including TJX Cos., BJ's...


July 29, 2008  11:16 AM

What NOT to call SAS 70 Reports



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, DataCenter, SAS 70, Security, SOX, Start Laughing Now

I ran across the new website "securityidiot.com" in my travels, and was reminded that it is so important to be able to laugh at yourself (and others!). It's so easy to turn a Bad Idea into Bad Technology, these days. Or worse, another new acronym. You should especially check out the rant on


July 22, 2008  4:32 PM

Does Your School or University Take Credit Cards?



Posted by: Arian Eigen Heald
Compliance, PCI DSS, Security

The Payment Card Industry (PCI) Data Security Standard (DSS) has taken many educational institutions by surprise. If your College or University accepts payment cards on campus or online, you must comply with this standard designed for safe handling of sensitive consumer information. Examine such...


July 17, 2008  6:56 PM

SAS 70 Reports – Section One



Posted by: Arian Eigen Heald
Compliance, IT audit, SAS 70, Security, SOX

Commonly, a SAS 70 Type 1 report contains three sections, and a Type 2 has five sections. That's because a Type 2 tests the effectiveness of the controls that a Type 1 says are there. The first section, the "Independent Service Auditors' Report," is basically a letter by the service auditor (the...


July 11, 2008  1:46 AM

“SAS 70” – It Pays to Actually READ What You’re Getting



Posted by: Arian Eigen Heald
Compliance, IT audit, SAS 70, Security, SOX

When I do an audit and request that my client give me SAS 70 reports from his/her critical financial vendors, I am often amazed (or appalled) at what I get to read. My team performs about 20-25 SAS 70 Type IIs every year, and maybe 2 SAS 70 Type I exams. Why the big difference? Type II exams...


July 7, 2008  11:38 PM

SAS 70 Reports – Why Should You Want One?



Posted by: Arian Eigen Heald
Compliance, DataCenter, IT audit, SAS 70, Security, Security Metrics, SOX

There seems to be a lot of misinformation about what a SAS 70 report is - just today I came across a post that referenced being "SAS 70 - compliant." There is no such thing. There is no pass/fail aspect to a SAS 70 because the Control Objectives and Control Procedures are designed by...

