Security Basics mailing list archives

Re: SAS70


From: Diego Kellner <dkepler () gmail com>
Date: Tue, 17 May 2005 13:30:45 -0300

I've been involved in some SAS70 audits, and as H. Carvey says, the
nature of the controls to be audited depends on what has been agreed
the controls should be by the auditor or the one requesting the audit.
It is also true that most of the audit relies (heavily) on
documentation and infosec processes... so no matter what you do on a
regular basis, did in the past, or plan to do in the future, if
there's no evidence, you do nothing.
Regards,
Kepler

On 17 May 2005 19:54:39 -0000, H Carvey <keydet89 () yahoo com> wrote:
In-Reply-To: <20050516213837.8981.qmail () mail securityfocus com>

Steve,

Recently, I have been tasked with assisting a company with preparing their
network for a SAS70 audit.

I would suggest to you that it would be better in the eyes of the auditors if you had a process for 
security/vulnerability management in place, rather than saying that "we scanned our network and fixed the problems we 
found."

Also, I know that this is going to sound like someone running fingernails down a chalkboard to many, but the key to these
things is documentation.  If you don't have the documentation, you can't say (a) "we do that", or (b) "we did that".

H. Carvey
