Sister CISA CISSP:

SAS 70

December 24, 2008  7:14 PM

Getting What You Pay For…..2008



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Database security, HIPAA, IT audit, SAS 70, Security, Tearing My Hair Out

In my travels as an auditor this year, I've visited 15 states and seen approximately 20 different networks, both LAN and WAN. I've audited hospitals, lotteries, racetracks, banks, small businesses, large online retailers, metal fabricators, telco service bureaus and health care service...

August 21, 2008  3:48 PM

How to Audit Databases: Part I



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Data Breaches, Database, Database security, DataManagement, Identity theft, IT audit, Oracle, PCI DSS, SAP, SAS 70, Security, SOX, SQL Server

Databases are enormous, powerful repositories of data. They can hold payroll, HR personnel data (think Social Security numbers), stock prices, Accounts Receivable, Client Relationship Management, and customer information. Banks can't live without them. Most medium and many small sized businesses...


August 19, 2008  1:20 PM

I Can Make Your Database Lie to You



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Data Breaches, Database, Database security, DataManagement, Identity theft, IT audit, Oracle, PCI DSS, SAP, SAS 70, Security, SOX, SQL Server

So many financial auditors, CEOs, CFOs and others rely on electronic data to understand the complexities of General Ledger, Accounts Payable, etc. In this era of SAP, ADP, electronic time clocks, etc., the one common denominator is the database underlying each application. Applications...


July 29, 2008  11:16 AM

What NOT to call SAS 70 Reports



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, DataCenter, SAS 70, Security, SOX, Start Laughing Now

I ran across the new website "securityidiot.com" in my travels, and was reminded that it is so important to be able to laugh at yourself (and others!). It's so easy to turn a Bad Idea into Bad Technology, these days. Or worse, another new acronym. You should especially check out the rant on


July 24, 2008  8:37 PM

SAS 70 Report: Section 2 – What to Look For in This Section



Posted by: Arian Eigen Heald
Admins and Auditors, SAS 70, Security

In this section of the report, it is common to find it titled "Description of Controls Provided by (Company Name)." The company being audited provides a narrative description of itself, their critical applications (usually the ones providing a service to clients) and general controls. Often, the...


July 17, 2008  6:56 PM

SAS 70 Reports – Section One



Posted by: Arian Eigen Heald
Compliance, IT audit, SAS 70, Security, SOX

Commonly, a SAS 70 Type 1 report contains three sections, and a Type 2 has five sections. That's because a Type 2 tests the effectiveness of the controls that a Type 1 says are there. The first section, the "Independent Service Auditors' Report," is basically a letter by the service auditor (the...


July 15, 2008  6:34 PM

SAS 70 Reports – Reading What You’re Getting – From The First Page On



Posted by: Arian Eigen Heald
Admins and Auditors, IT audit, SAS 70, Security

So you have this report from the company you've outsourced a critical financial service to, and it looks like a lot of boilerplate with a chart of sorts at the end. What are all those sections for, and why should you care? First, determine that the company performing the report is a certified...


July 11, 2008  1:46 AM

"SAS 70" – It Pays to Actually READ What You're Getting



Posted by: Arian Eigen Heald
Compliance, IT audit, SAS 70, Security, SOX

When I do an audit and request that my client give me SAS 70 reports from his/her critical financial vendors, I am often amazed (or appalled) at what I get to read. My team performs about 20-25 SAS 70 Type IIs every year, and maybe 2 SAS 70 Type I exams. Why the big difference? Type II exams...


July 7, 2008  11:38 PM

SAS 70 Reports – Why Should You Want One?



Posted by: Arian Eigen Heald
Compliance, DataCenter, IT audit, SAS 70, Security, Security Metrics, SOX

There seems to be a lot of mis-information about what a SAS 70 report is - just today I came across a post that referenced being "SAS 70 - compliant." There is no such thing. There is no pass/fail aspect to a SAS 70 because the Control Objectives and Control Procedures are designed by...


June 12, 2008  7:18 PM

SAS 70 Reports – Are They Worthwhile?



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, IT audit, SAS 70

I noticed a recent post on the boards questioning the value of SAS 70 Reports. Given that I do about 15 a year, I thought I'd venture an answer to that question. First, it's important to understand what a SAS 70 is NOT: It's not a checklist; It's not a certification; It's not a...
