Sister CISA CISSP:

IT audit


June 21, 2010  7:56 PM

SAS 70, SSAE 16, What’s in a Website Name?
Posted by: Arian Eigen Heald
Admins and Auditors, IT audit

Some dozen websites have the words "SAS 70" as part, or all of, their domain name on the web. Given the departure of the SAS 70 audit by 2011, I commented recently that they must not be having any fun. An anonymous reader ("CPA") wrote in to chastise me, to wit: Does anyone think that......

June 18, 2010  9:16 PM

The SAS 70 is Going Away – But…
Posted by: Arian Eigen Heald
Admins and Auditors, IT audit

It is being replaced (of course!) by the ever-so-easy-to-say acronym: SSAE 16. (Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization.) What a mouthful! In April of this year, the AICPA (American Institute of Certified Public...


May 23, 2009  10:25 AM

When a Control is NOT a Control or, “It’s Good Enough”
Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, IT audit, Steps to an Easy Audit

I run into an awful lot of engineers who hate paperwork (I feel the same way.) They are busy fixing problems, building new application support and dealing with upper managers who have no idea what they're asking for, clueless users and now I come along to top it off asking for a bunch of...


January 13, 2009  3:34 PM

The Purpose of Audit
Posted by: Arian Eigen Heald
Admins and Auditors, Data Breaches, Database security, IT audit

Bruce Schneier's last Crypto-Gram contained a discussion about the purpose of audit. He was commenting on the fact that Barack Obama's phone records, passport file and aunt's immigration status were inappropriately accessed by employees...


December 28, 2008  3:14 PM

Securing the Security Devices
Posted by: Arian Eigen Heald
"How Do You Know?", Admins and Auditors, Compliance, Hardware & InfoSec, IT audit, Security Devices, TCM (Truly Clueless Management), Tools & Tricks of the Trade, Tools for Auditing and Security

OK, so you've bought the glow-in-the-dark, meets all the compliance requirements and looks really shiny "security solution" from a vendor (one or many). Or maybe your management has bought it and presented it to you as a fait accompli. (Hope I'm spelling that fancy French right!) And of course...


December 24, 2008  7:14 PM

Getting What You Pay For…..2008
Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Database security, HIPAA, IT audit, SAS 70, Security, Tearing My Hair Out

In my travels as an auditor this year, I've visited 15 states and seen approximately 20 different networks, both LAN and WAN. I've audited hospitals, lotteries, racetracks, banks, small businesses, large online retailers, metal fabricators, telco service bureaus and health care service...


November 25, 2008  2:57 PM

Data Breaches and Business Liability Part I
Posted by: Arian Eigen Heald
Compliance, Data Breaches, HIPAA, Identity theft, IT audit, PCI DSS, Security

The most significant financial impact of identity theft has yet to be examined. I believe that the risks to business and other institutions now include legal, reputation, financial and compliance risks that cannot be transferred. Victims of identity theft are looking to recoup their financial...


November 17, 2008  9:42 PM

Educating Users (Yes, I Know….)
Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Data Breaches, IT audit, Security

I can hear the collective eye-rolling from here. But guess what! New federal regulations are requiring security education from organizations as part of compliance: SEC regulations for financial institutions http://www.sec.gov/index.htm...


October 20, 2008  1:06 AM

Let’s Get Physical
Posted by: Arian Eigen Heald
Admins and Auditors, DataCenter, IT audit, Security, Tools & Tricks of the Trade

When I do an audit, or a penetration test, I start by walking around the building, both inside, outside, and sometimes even on the roof. In my travels, I'll leave my business card where I can gain unauthorized access. How often am I successful? 95% of the time. I mentally catalog the exterior...


October 6, 2008  8:19 PM

Auditing iSeries
Posted by: Arian Eigen Heald
Admins and Auditors, AS/400, Compliance, IT audit, Security, Tools & Tricks of the Trade, Tools for Auditing and Security

IBM's iSeries systems are some of the most solid server systems around. Formerly (and by some, still) called the AS/400, those servers are at the top of the food chain for reliability and stability. DB2, the native database system for iSeries, is as solid as a rock, and powers many of the banking,...
