August 21, 2008 3:48 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
Data Breaches,
Database,
Database security,
DataManagement,
Identity theft,
IT audit,
Oracle,
PCI DSS,
SAP,
SAS 70,
Security,
SOX,
SQL Server
Databases are enormous, powerful repositories of data. They can hold payroll, HR personnel data (think social security numbers), stock prices, Accounts Receivable, Client Relationship Management, and customer information. Banks can't live without them. Most medium and many small sized businesses...
August 19, 2008 1:20 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
Data Breaches,
Database,
Database security,
DataManagement,
Identity theft,
IT audit,
Oracle,
PCI DSS,
SAP,
SAS 70,
Security,
SOX,
SQL Server
So many financial auditors, CEOs, CFOs and others rely on electronic data to understand the complexities of General Ledger, Accounts Payable, etc. In this era of SAP, ADP, electronic time clocks, etc., the one common denominator is the database underlying each application.
Applications...
July 29, 2008 11:16 AM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
DataCenter,
SAS 70,
Security,
SOX,
Start Laughing Now
I ran across the new website "securityidiot.com" in my travels, and was reminded that it is so important to be able to laugh at yourself (and others!). It's so easy to turn a Bad Idea into Bad Technology, these days. Or worse, another new acronym.
You should especially check out the rant on
July 17, 2008 6:56 PM
Posted by: Arian Eigen Heald
Compliance,
IT audit,
SAS 70,
Security,
SOX
Commonly, a SAS 70 Type 1 report contains three sections, and a Type 2 has five sections. That's because a Type 2 tests the effectiveness of the controls that a Type 1 says are there.
The first section, the "Independent Service Auditors' Report," is basically a letter by the service auditor (the...
July 11, 2008 1:46 AM
Posted by: Arian Eigen Heald
Compliance,
IT audit,
SAS 70,
Security,
SOX
When I do an audit and request that my client give me SAS 70 reports from his/her critical financial vendors, I am often amazed (or appalled) at what I get to read.
My team performs about 20-25 SAS 70 Type IIs every year, and maybe 2 SAS 70 Type I exams. Why the big difference? Type II exams...
July 7, 2008 11:38 PM
Posted by: Arian Eigen Heald
Compliance,
DataCenter,
IT audit,
SAS 70,
Security,
Security Metrics,
SOX
There seems to be a lot of misinformation about what a SAS 70 report is - just today I came across a post that referenced being "SAS 70 - compliant." There is no such thing. There is no pass/fail aspect to a SAS 70 because the Control Objectives and Control Procedures are designed by...
May 15, 2008 5:54 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
Database security,
IT audit,
PCI DSS,
Security,
SOX,
Steps to an Easy Audit,
Tools & Tricks of the Trade,
Tools for Auditing and Security
These two magic words should be in every network manager's and system engineer's lexicon. It's your get-out-of-jail (not necessarily free) card with an IT Auditor.
Every IT shop has an application, a device, a configuration that breaks good security rules and usually corporate policy, as well. ...
March 6, 2008 1:42 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
IT audit,
Security,
SOX
I finished an IT audit not too long ago with an organization that did not have any policies. They had an employee handbook that had some declarative statements that employees signed off on during their first week on the job. They are a small company growing into a medium-sized one, and part of...
March 4, 2008 9:17 PM
Posted by: Arian Eigen Heald
Admins and Auditors,
Compliance,
Security,
SOX,
Tools for Auditing and Security
A comment from Dr Chuvakin reminded me of how long I've been thinking about "checkbox security." As an auditor, I am certainly familiar with checkboxes; in fact, for my firm, I've written a number of them.
When I am going...