Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 313
  • Last Modified:

What does a Network Administrator need to know about SAS70

I have just found out that we may need to become SAS70 compliant.  

I have tried to research on the interent, but find long drawn out explanations on the history and assorted blah, blah...

What do I as a Network Administrator need to know about SAS70?  What types of documentation will I need to Supply, what types of restrictsions will I need to put in place?
0
brittonv
Asked:
brittonv
1 Solution
 
MikeKaneCommented:
I worked for 13 years at a financial institution, so here is some advice to get you started:

 - Most of the IT stuff is really common sense, security 101.   Password change policy, lockout policy, dual control on sensitive items, classification of critical data, etc...   It really covers the control of transactions and is meant to be a report to provide to customers to raise their level of confidence in your company standards because it meets certain guidelines.

 - If you've never been audited before, think about getting a 3rd party service to come in and help you prepare.    I had internal audit assist me with various GLBA, SOX compliance stuff before the real audit happened.    

-  Everything must be documented.   If its not on paper and on file, it doesn't exist.   Even if you can show a control is in place by opening the console and clicking around, it doesn't matter.   Auditors love paper.  

- Depending on the type of systems you are protecting, there are different base line practices you would need.   For example, a banking host system would need documented controls on password changes, dual control for access grants, etc...      

- Once the sas70 auditor does his thing, you'll get a list of items that the auditor thinks "needs improvement".   Expect things like password complexity enforcement, longer lockout periods, better access control for admins, review of admin activity, review of firewall logs, etc....  

Most of the stuff will be security 101
- Enable passwords of 7 characters with complex passwords enforced.
- Have no open data shares, every share must be secure.
- Have an application owner/grantor to review and approve changes to application access
- HAve a system to review application access changes
- Review perimeter defence, log attempts, dual external firewall control


Hope that gets you started.    If you really need help, hire a 3rd party to come in and give you a SAS-70 checkup before the real audit.  They will help you identify and plug any holes that would result in an unfavorable review.  

0
 
brittonvAuthor Commented:
Outstading response!  Exactly what I was looking for.  Thanks!
0

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now