August 21, 2008 3:48 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
Data Breaches,
Database,
Database security,
DataManagement,
Identity theft,
IT audit,
Oracle,
PCI DSS,
SAP,
SAS 70,
Security,
SOX,
SQL Server
Databases are enormous, powerful repositories of data. They can hold payroll, HR personnel data (think Social Security numbers), stock prices, Accounts Receivable, Client Relationship Management, and customer information. Banks can't live without them. Most medium and many small sized businesses...
August 19, 2008 1:20 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
Data Breaches,
Database,
Database security,
DataManagement,
Identity theft,
IT audit,
Oracle,
PCI DSS,
SAP,
SAS 70,
Security,
SOX,
SQL Server
So many financial auditors, CEOs, CFOs and others rely on electronic data to understand the complexities of General Ledger, Accounts Payable, etc. In this era of SAP, ADP, electronic time clocks, etc., the one common denominator is the database underlying each application.
Applications...
July 29, 2008 11:16 AM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
DataCenter,
SAS 70,
Security,
SOX,
Start Laughing Now
I ran across the new website "securityidiot.com" in my travels, and was reminded that it is so important to be able to laugh at yourself (and others!). It's so easy to turn a Bad Idea into Bad Technology, these days. Or worse, another new acronym.
You should especially check out the rant on
July 24, 2008 8:37 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
SAS 70,
Security
In this section of the report, it is common to find it titled "Description of Controls Provided by (Company Name)." The company being audited provides a narrative description of itself, their critical applications (usually the ones providing a service to clients) and general controls. Often, the...
July 17, 2008 6:56 PM
Posted by: Arian Eigen Heald
Compliance,
IT audit,
SAS 70,
Security,
SOX
Commonly, a SAS 70 Type 1 report contains three sections, and a Type 2 has five sections. That's because a Type 2 tests the effectiveness of the controls that a Type 1 says are there.
The first section, the "Independent Service Auditors' Report," is basically a letter by the service auditor (the...
July 15, 2008 6:34 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
IT audit,
SAS 70,
Security
So you have this report from the company you've outsourced a critical financial service to, and it looks like a lot of boilerplate with a chart of sorts at the end. What are all those sections for, and why should you care?
First, determine that the company performing the report is a certified...
July 11, 2008 1:46 AM
Posted by: Arian Eigen Heald
Compliance,
IT audit,
SAS 70,
Security,
SOX
When I do an audit and request that my client give me SAS 70 reports from his/her critical financial vendors, I am often amazed (or appalled) at what I get to read.
My team performs about 20-25 SAS 70 Type IIs every year, and maybe 2 SAS 70 Type I exams. Why the big difference? Type II exams...
July 7, 2008 11:38 PM
Posted by: Arian Eigen Heald
Compliance,
DataCenter,
IT audit,
SAS 70,
Security,
Security Metrics,
SOX
There seems to be a lot of misinformation about what a SAS 70 report is - just today I came across a post that referenced being "SAS 70 - compliant." There is no such thing. There is no pass/fail aspect to a SAS 70 because the Control Objectives and Control Procedures are designed by...
June 12, 2008 7:18 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
IT audit,
SAS 70
I noticed a recent post on the boards questioning the value of SAS 70 Reports. Given that I do about 15 a year, I thought I'd venture an answer to that question.
First, it's important to understand what a SAS 70 is NOT:
It's not a checklist;
It's not a certification;
It's not a...