WebApp Sec mailing list archives

RE: SAS 70 and software policies


From: "Rosado, Rafael (Rafael)" <rarosado () lucent com>
Date: Sun, 2 Oct 2005 13:28:43 -0600

James,

As an ex-auditor (internal and external) who has performed SAS70 audits in
the past and who currently serves as a consultant assisting other companies
in preparing for SAS70 audits, I can tell you that the auditors will be
concentrating on those systems/applications that can directly or indirectly
impact the preparation of financial statements of the customers that use the
service you provide which is within the scope of the audit (aka, the service
for which the SAS70 is being performed).

With that said, auditors will expect proper segregation of duties within the
Change Control process (separation of production and test/development
environments, different individuals involved in the
development/test/production migration of changes, properly documented
approval of changes), security over development/test/production libraries,
and the overall system development/software life cycle ONLY IF THE USER
MACROS ARE CONSIDERED TO HAVE A DIRECT OR INDIRECT EFFECT ON THE PREPARATION
(OR CONTENT) OF INFORMATION USED TO PREPARE THE FINANCIAL STATEMENTS OF YOUR
CUSTOMERS THAT USE THE SERVICE BEING AUDITED (the CAPS are the caveat and
the response to your question).

If these user-developed macros can modify information in production
databases or systems that directly or indirectly affect the service being
audited, the auditors might question why these do not go through a formal
change process and why they are not managed by IT (meaning, if they have a
direct impact on how the systems behave, why aren't they under the control
of IT?).

I hope this gives you an idea.  If you have any questions, you should ask
your internal auditors or the external auditors that are performing the
SAS70 audit.  Your internal auditors should be working with you in the
preparation for the audit.  Most companies will either use an internal audit
group or an external consulting firm to help prepare them for the audit
(some companies use a consulting firm which is independent from the Big
4/CPA firm performing the SAS70 audit, while others will use the same firm
that is performing the audit).

This is as much direction as I can provide you without having to send you a
bill for my services (JUST KIDDING)....

Good Luck,

Rafael Rosado, CISSP, CISA
Security Consultant
Lucent Worldwide Services
Business Consulting
Reliability and Security Services
Voice: 954-885-2176
Mobile: 954-609-5414
Email: rarosado () lucent com
http://www.lucent.com/security/
http://www.lucent.com/solutions/sec_sol_sp.html

This e-mail message and any attachment(s) to it are intended only for the
use of the addressee(s).  The information in this e-mail message is
confidential and proprietary and may be subject to legal privilege.  The
reading or dissemination of this email by anyone other than the intended
recipient is strictly prohibited.  If you believe you have received this
e-mail in error, please notify the sender immediately and permanently delete
this e-mail, any attachments and all copies thereof from any drives or
storage media and destroy any printouts. 


-----Original Message-----
From: James Strassburg [mailto:JStrassburg () directs com]
Sent: Friday, September 30, 2005 10:45 AM
To: webappsec () securityfocus com
Subject: SAS 70 and software policies

My organization is currently preparing for a SAS 70 audit.  We started
writing web application security standards a while ago.  That got extended
to a software engineering security policy, and that got extended to a full
software engineering policy covering our entire SDLC.  My question is not
about web app sec, however, but rather user-developed macros.  Should user
(and by user I mean non-software developer) developed macros be subject to
the same software lifecycle that our production apps would?  If not, what
about if the macros hit production databases or other production network
resources?

This is the best channel I can think of for this question, so I apologize if
it is inappropriate.  If anyone knows of a better channel, please let me
know.  Thanks.

James A. Strassburg Jr.
Software Security Architect
Direct Supply, Inc.
