Regulatory Compliance, Governance and Security


December 30, 2008  3:21 PM

SAS 70 | PCI DSS | 2009 Regulatory Compliance Checklist



Posted by: Charles Denyer
audits, payment card industry, payment card industry data security standards, PCI, pci assessment, pci compliance, PCI DSS, pci dss qsa, regulatory compliance, SAS 70, sas 70 audit report, SAS 70 checklist, sas 70 control objectives, SAS 70 readiness questionnaire, sas 70 sample report, SAS 70 Type I, sas 70 type ii, sas70, sas70 sample reports, Security, SOX, What is SAS 70?

When ushering in the new year festivities, keep in mind that a number of regulatory compliance issues will be facing your organization also as 2009 looms just around the corner. No, they’re not stocking stuffers, rather, they can be considered expensive, time-consuming, and arduous, to say the least. Here’s your list of 2009 Regulatory Compliance mandates that may very well find there way into your organization.

SAS 70
SAS 70 Type I and SAS 70 Type II audits have become increasingly popular since the advent of Sarbanes Oxely in 2002. Service organizations, third party outsourcing entities, and a slew of other companies have had to grapple with the time and costs associated with this widely recognized auditing standard. If your organization needs to become SAS 70 Type I or SAS 70 Type II compliant for 2009 and beyond, then take time to learn about this specialized auditing standard via the most comprehensive website available on SAS 70 audits, sas70.us.com. You can even obtain a free sample SAS 70 Type II report along with downloading numerous white papers and other expert subject matte on SAS 70 Type I and SAS 70 Type II audits.

PCI Compliance
Payment Card Industry Data Security Standards (PCI DSS) compliance is fast becoming a hot regulatory compliance issue. The major payments brands, such as Visa, Mastercard, American Express, Discover and JCB, have unilaterally agreed on a number of security provisions for the protection of cardholder data. In summary, any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data should be looked upon as a PCI DSS candidate. But what really is PCI and where can you learn more about compliance and what your organization needs to do? Visit pciassessment.org, a comprhensive guide to understanding what PCI DSS compliance is and who is affected.

December 30, 2008  2:37 PM

SAS 70 Audit Reports | Obtain a Sample SAS 70 Type II Audit



Posted by: Charles Denyer
SAS 70, sas 70 audit report, sas 70 control objectives, SAS 70 download, SAS 70 overview presentation, sas 70 sample report, SAS 70 Type I, sas 70 type ii, sas70, sas70 pricing, sas70 sample reports, What is SAS 70?

If you are seeking to learn more about SAS 70 Type I and SAS 70 Type II audits, then one of the most effective ways for truly gaining an understanding of the auditing standard is to see what the finished product looks like-that is, a final SAS 70 audit report. Many people voice great frustration when going through their first SAS 70 audit because they truly don’t know what the SAS 70 audit report “looks and feels” like, that is, what is the actual content, format, and layout of the report.

Having a sample SAS 70 audit report prior to commencement of the audit who greatly benefit service organizations as they can visually see the important components of what lies in the report itself. sas70.us.com provides sample SAS 70 Type II audit reports for organizations and individuals looking to learn more about Statement on Auditing Standards No. 70, commonly known as SAS 70.

This report will give you an in-depth layout of what a SAS 70 audit report is, what are the critical components and content that make up the report, and it will also allow you to gain a true conceptual understanding of what the audit is actually undertaken and performed by auditors.

Remember, knowledge is power, so the more you know and learn about SAS 70 audits, the more prepared you and your organization will be in undertaking a SAS 70 Type I or SAS 70 Type II audit.


December 30, 2008  2:19 PM

SAS 70 Type II Audits | Become SAS 70 Compliant in a Cost Effective Manner



Posted by: Charles Denyer
Auditing, audits, SAS 70, sas 70 audit report, SAS 70 overview presentation, SAS 70 readiness questionnaire, SAS 70 Type I, sas 70 type ii, sas70, sas70 pricing, sas70 readiness assessment questionnaires

If your organization is seeking to become SAS 70 Type I or SAS 70 Type II compliant for 2009, then its time to roll up your sleeves and learn all you can about what a SAS 70 audit actually is along with many of its inner workings? And why? Knowledge is power. The more information you have about what a SAS 70 audit truly is, then the more informed you are about issues for the audit, such as scope, pricing, testing of controls, just to name a few. Think all SAS 70 audits are alike? Not quite. Does every CPA firm follow the same roadmap when conducting auditing and test procedures for SAS 70 audits? Hardly.

With that said, visit sas70.us.com and learn all you will ever need to know about Statement on Auditing Standards No. 70, simply known as SAS 70. You will be able to obtain critical information regarding SAS 70 audits, such as the history of the auditing standard, pricing considerations and factors to be taken into consideration for a SAS 70 audit, a SAS 70 roadmap for compliance checklist, just to name a few. It’s all part of being able to provide interested readers with a comprehensive guide to one of the most widely used and recognized audits in today’s business world.

So before you accept any proposals from any number of CPA firms that specialize in SAS 70 audits, take the time to educate yourself on the inner workings of what a SAS 70 audit actually is.

Today’s regulatory compliance mandates are here to say, and so are SAS 70 audits.


December 30, 2008  2:08 PM

PCI Payment Card Industry Compliance | PCI DSS | Important Tips



Posted by: Charles Denyer
payment card industry, payment card industry data security standards, PCI, pci assessment, pci compliance, PCI DSS, pci dss qsa, pci dss requirement 1.1.1, pci dss requirement 1.1.2

Is your organization seeking to become Payment Card Industry (PCI) Data Security Standards (DSS) compliant for 2009? Are you a merchant or service provider that is directly involved in the processing, storage, or transmission of transaction data or cardholder data? If you answered yes to these questions, then its time you learn more about PCI DSS compliance and what the road ahead holds for your organization.

First and foremost, PCI DSS compliance is spreading like wildfire, to say the least. From small start up, locally owned companies to large e-commerce entities, PCI DSS compliance is becoming mandatory for every conceivable organization that conducts commerce with payment cards.

To be fair, regulation for PCI DSS compliance was somewhat lax and disjointed in the beginning, but much has changed in the last six months as the major payment brands are starting to push PCI DSS compliance much deeper and in a more transparent way then ever before.

If you want to learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, then visit pciassessment.org, one of the most in-depth sites currently available for PCI DSS news and information.

2009 is just around the corner, so properly plan for having your organization become PCI DSS compliant.


November 29, 2008  5:30 PM

SAS 70 Type II Audits | An Auditor’s Expert Opinion on Pricing



Posted by: Charles Denyer
Compliance, SAS 70, sas 70 audit report, sas 70 control objectives, SAS 70 readiness questionnaire, SAS 70 Type I, sas 70 type ii, sas70, sas70 pricing, sas70 readiness assessment questionnaires, sas70 sample reports

People often ask me what the price of a SAS 70 Type I or SAS 70 Type II audit is. My response? That depends, I say, on many, many factors. Here is what needs to be understood when considering pricing factors for SAS 70 Type I and Type II audits:

1. The CPA firm-Are you looking for brand recognition or are you looking for a cost-effective provider which can simply help you “check the box” for SAS 70 compliance.

2. Scope-What is being examined and tested from a control perspective for SAS 70 audits? Are you looking for just a general controls audit or an audit that also includes specific business processes?

3. Testing period: For SAS 70 Type II audits, what is the testing period going to be? The longer the test period, the more the audit will cost as auditors have to pull larger samples, do more testing, etc.

4. Location of testing: How many physical areas does your organization have that will fall under the scope of the SAS 70 audit? Having more than one means that auditors will ultimately have to travel to numerous locations to conduct more testing. Again, more locations, more time, money, and expenses out of your pocket for the audit itself.

5. Are you confident you can obtain SAS 70 compliance without conducting a SAS 70 readiness assessment? If not and you need assistance identifying weaknesses and gaps within your control environment, then expect to spend more time, money, and resources on the front end of a SAS 70 audit for preparing in an adequate manner.

As you can see, there is no quick, easy, black and white answer to the cost of a SAS 70 Type I or Type II audit.

To learn more about statement of auditing standards no. 70, visit the official sas 70 resource guide, where you can obtain a wealth of information on sas 70 audits.


November 28, 2008  10:43 PM

SAS 70 Audit Reports | Start with a SAS 70 Readiness Assessment



Posted by: Charles Denyer
audits, SAS 70, sas 70 audit report, sas 70 control objectives, SAS 70 readiness questionnaire, sas 70 sample report, SAS 70 Type I, sas 70 type ii, sas70, sas70 readiness assessment questionnaires

Successful completion of SAS 70 Type I or SAS 70 Type II audit reports should start with undertaking a SAS 70 Readiness Assessment. A readiness assessment is an important part of the audit process in that it helps identify weaknesses, gaps, and deficiencies within your organization’s control environment. Many organizations unfortunately rush into a SAS 70 Type I or Type II audit, and as a result, suffer the consequences of ill-planning and mismanagement. The result? More time, fees, and man hours are put into the audit, which in all actuality, really shouldn’t of been if they had started off with a readiness assessment.

Furthermore, some firms even offer free SAS 70 Readiness Assessment questionnaires for helping your organization prepare and undertake the audit itself. What’s more, quality CPA firms can develop templates that are highly customized to your specific industry, thus adding even more value to the SAS 70 Readiness Assessment phase. As the old saying goes, you crawl before you walk, it’s wise to conduct a SAS 70 Readiness Assessment before embarking on the actual audit process.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide, where you can obtain a wealth of information on SAS 70 audits.


November 23, 2008  7:46 PM

SAS 70 Type II Audit Reports | Why SAS 70 is Here to Stay



Posted by: Charles Denyer
GLBA, HIPAA, regulatory compliance, Sarbanes-Oxley, SAS 70, sas 70 audit report, sas 70 control objectives, sas 70 type ii, sas70, section 404 sox, SOX, What is SAS 70?

We live in a world of heightened regulatory compliance and corporate governance. From the passage of the 2002 Sarbanes-Oxley Act to numerous other pieces of legislation (HIPAA, GLBA, just to name a few), “comply, comply, comply” is the new mantra being pushed throughout organizations and at all levels. SAS 70 audits, originally introduced as the 70th auditing standard in April of 1992, has stood the test of time as the main “go to” compliance audit for many of these regulatory requirements that have ushered from the halls of Congress.

Okay, so, why is it here to stay? Well, for a number of reasons. First and foremost, it will always be used as an audit tool for evaluating service organization’s that could have a material impact to a company’s “information system”-This term, “information system” is used to describe the user organization’s “information system”, that is, what services are being performed by the service organization that are considered a part of the user organization’s “information system”. Transactions, procedures (be it manual or automated), supporting information, the capturing of events and conditions-are all considered traits and activities that relate to, have an effect, and impact the user organization’s “information system”.

Second, the SAS 70 auditing standard has been quite flexible, adapting to the needs of service organizations that must have their control environment examined. Witness the numerous times the SAS 70 auditing standard has been amended over the last 16 years to keep “pace” with the changes of business.

Third, the SAS 70 auditing standard has become very quickly recognized as the global de facto audit for internal controls on service organizations. In short, it has built up quite a following that is simply very hard to ignore.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.


November 23, 2008  7:24 PM

Payment Card Industry (PCI DSS) Compliance | Requirement 1.1.2



Posted by: Charles Denyer
payment card industry, payment card industry data security standards, PCI, pci assessment, pci compliance, PCI DSS, pci dss qsa, pci dss requirement 1.1.2, policies and procedures, qsa, regulatory compliance, SAS 70, sas 70 audit report

Payment Card Industry (PCI) Data Security Standards (DSS) compliance for PCI DSS requirement 1.1.2 calls for “Current network diagram with all connections to cardholder data, including any wireless networks” Thus, testing for validating 1.1.2 requires verification “that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.”

Okay, once again here, the key phrase is “current network diagrams”. What does this essentially mean? It means having a subject matter expert within your I.T. department developing a current network diagram and topology documents showing all critical connection points along with a visual of all critical hardware and network components that make up the network topology. More importantly, these diagrams and network topology documents should be current and updated on a quarterly basis to reflect overall changes in the network layout of the organization. Keep in mind that these documents will also be valuable for other regulatory compliance mandates, such as a SAS 70 Type II audit, which many merchants and service providers have to have at some point in their business lifecycle.

And though the requirement for PCI DSS 1.1.2 calls for these network diagrams for only “connections to cardholder data” its a very good and wise idea to draw and map out your organization’s entire network topology. Why? Because it just makes good business sense and again, it helps with other regulatory compliance mandates that your organization may have to endure.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide
To learn more about PCI DSS compliance, visit pciassessment.org


November 23, 2008  7:14 PM

Payment Card Industry (PCI DSS) Compliance | Requirement 1.1.1



Posted by: Charles Denyer
payment card industry, payment card industry data security standards, PCI, pci assessment, pci compliance, PCI DSS, pci dss qsa, pci dss requirement 1.1.1, policies and procedures, qsa

PCI DSS Requirement 1.1.1 calls for “A formal process for approving and testing all network connections and changes to the firewall and router configurations”. Thus, the test to validate this, in accordance with PCI DSS 1.2 standards is to “Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations”. Thus, network connections, firewall rulesets/configurations and settings to routers must be placed in a proactive mode for ensuring continuous protection for the organization. As threats become known and as business needs change, this formal process needs to be documented to address this specifically.

The key phrase here my friends is “formal process”. What does that really mean? It means having documented policies and procedures in place for approving and testing connections/changes to these critical devices. Easier said than done as most organizations do not have the time or resources to formally write out documented policies and procedures. Beware, as this is a very large part of ensuring PCI DSS compliance. To learn more about PCI DSS and documented policies and procedures for PCI DSS compliance, visit pciassessment.org.


November 23, 2008  7:03 PM

Payment Card Industry (PCI DSS) Compliance | Requirement 1.1



Posted by: Charles Denyer
configurations, firewalls, payment card industry, PCI, pci assessment, pci compliance, PCI DSS, pci dss qsa, ports, qsa, regulatory compliance, requirement 1.0, requirement 1.1

Payment Card Industry (PCI) Data Security Standards (DSS) for Requirement 1.1 require organizations to “Establish firewall and router configuration standards”. This requirement falls under the functional area of the overall Requirement 1.0, which states that organizations must “Install and maintain a firewall configuration to protect cardholder data”. So, what does this requirement 1.1 specifically mean and what do merchants, service providers and other supporting organizations need to be aware of? In short, PCI DSS requirements for 1.1 call for organizations to “Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete”. In essence, its a rather straightforward testing approach that requires that configuration standards are commensurate and in line with the business needs of the organization for ensuring that no unwanted or malicious traffic is kept out and that only the traffic designated is allowed through. A PCI QSA can verify this requirement by consulting and inspecting the current firewall settings and configurations. Take note, as all unnecessary ports and configurations should be closed if they are not suitable or conducive to the cardholder environment. To learn more about PCI DSS, visit pciassessment.org


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: