Sister CISA CISSP:

SOX

September 16, 2008  5:58 PM

FREE Tools for Auditing MS SQL Server



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Database, Database security, free tools, IT audit, Microsoft Windows, PCI DSS, Security, SOX, SQL Server, Steps to an Easy Audit, Tools for Auditing and Security

There are a lot of really nice application tools out there for auditing SQL databases. They have lots of bells and whistles and write out a really nice report with professional formatting. If you've got one of those, LUCKY YOU. But most of us Admins and Auditors have to scrounge for what we can find...

August 21, 2008  3:48 PM

How to Audit Databases: Part I



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Data Breaches, Database, Database security, DataManagement, Identity theft, IT audit, Oracle, PCI DSS, SAP, SAS 70, Security, SOX, SQL Server

Databases are enormous, powerful repositories of data. They can hold payroll, HR personnel data (think social security numbers), stock prices, Accounts Receivable, Client Relationship Management, and customer information. Banks can't live without them. Most medium and many small-sized businesses...


August 19, 2008  1:20 PM

I Can Make Your Database Lie to You



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Data Breaches, Database, Database security, DataManagement, Identity theft, IT audit, Oracle, PCI DSS, SAP, SAS 70, Security, SOX, SQL Server

So many financial auditors, CEOs, CFOs and others rely on electronic data to understand the complexities of General Ledger, Accounts Payable, etc. In this era of SAP, ADP, electronic time clocks, etc., the one common denominator is the database underlying each application. Applications...


July 29, 2008  11:16 AM

What NOT to call SAS 70 Reports



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, DataCenter, SAS 70, Security, SOX, Start Laughing Now

I ran across the new website "securityidiot.com" in my travels, and was reminded that it is so important to be able to laugh at yourself (and others!). It's so easy to turn a Bad Idea into Bad Technology, these days. Or worse, another new acronym. You should especially check out the rant on


July 17, 2008  6:56 PM

SAS 70 Reports – Section One



Posted by: Arian Eigen Heald
Compliance, IT audit, SAS 70, Security, SOX

Commonly, a SAS 70 Type 1 report contains three sections, and a Type 2 has five sections. That's because a Type 2 tests the effectiveness of the controls that a Type 1 says are there. The first section, the "Independent Service Auditors' Report," is basically a letter by the service auditor (the...


July 11, 2008  1:46 AM

“SAS 70” – It Pays to Actually READ What You're Getting



Posted by: Arian Eigen Heald
Compliance, IT audit, SAS 70, Security, SOX

When I do an audit and request that my client give me SAS 70 reports from his/her critical financial vendors, I am often amazed (or appalled) at what I get to read. My team performs about 20-25 SAS 70 Type IIs every year, and maybe 2 SAS 70 Type I exams. Why the big difference? Type II exams...


July 7, 2008  11:38 PM

SAS 70 Reports – Why Should You Want One?



Posted by: Arian Eigen Heald
Compliance, DataCenter, IT audit, SAS 70, Security, Security Metrics, SOX

There seems to be a lot of misinformation about what a SAS 70 report is - just today I came across a post that referenced being "SAS 70 - compliant." There is no such thing. There is no pass/fail aspect to a SAS 70 because the Control Objectives and Control Procedures are designed by...


May 15, 2008  5:54 PM

Steps to an Easy Audit (3) – Compensating Controls



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Database security, IT audit, PCI DSS, Security, SOX, Steps to an Easy Audit, Tools & Tricks of the Trade, Tools for Auditing and Security

These two magic words should be in every network manager and system engineer's lexicon. It's your get-out-of-jail (not necessarily free) card with an IT Auditor. Every IT shop has an application, a device, a configuration that breaks good security rules and usually corporate policy, as well. ...


March 6, 2008  1:42 PM

Security Policies: Five Basic Mistakes and Five More



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, IT audit, Security, SOX

I finished an IT audit not too long ago with an organization that did not have any policies. They had an employee handbook that had some declarative statements that employees signed off on during their first week on the job. They are a small company growing into a medium-sized one, and part of...


March 4, 2008  9:17 PM

Compliance is Only a “Gentleman’s C”



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Security, SOX, Tools for Auditing and Security

A comment from Dr Chuvakin reminded me of how long I've been thinking about "checkbox security." As an auditor, I am certainly familiar with checkboxes; in fact, for my firm, I've written a number of them. When I am going...

