Solved

What does a Network Administrator need to know about SAS70

Posted on 2009-05-18
2
260 Views
Last Modified: 2012-05-07
I have just found out that we may need to become SAS70 compliant.  

I have tried to research on the interent, but find long drawn out explanations on the history and assorted blah, blah...

What do I as a Network Administrator need to know about SAS70?  What types of documentation will I need to Supply, what types of restrictsions will I need to put in place?
0
Comment
Question by:brittonv
2 Comments
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
Comment Utility
I worked for 13 years at a financial institution, so here is some advice to get you started:

 - Most of the IT stuff is really common sense, security 101.   Password change policy, lockout policy, dual control on sensitive items, classification of critical data, etc...   It really covers the control of transactions and is meant to be a report to provide to customers to raise their level of confidence in your company standards because it meets certain guidelines.

 - If you've never been audited before, think about getting a 3rd party service to come in and help you prepare.    I had internal audit assist me with various GLBA, SOX compliance stuff before the real audit happened.    

-  Everything must be documented.   If its not on paper and on file, it doesn't exist.   Even if you can show a control is in place by opening the console and clicking around, it doesn't matter.   Auditors love paper.  

- Depending on the type of systems you are protecting, there are different base line practices you would need.   For example, a banking host system would need documented controls on password changes, dual control for access grants, etc...      

- Once the sas70 auditor does his thing, you'll get a list of items that the auditor thinks "needs improvement".   Expect things like password complexity enforcement, longer lockout periods, better access control for admins, review of admin activity, review of firewall logs, etc....  

Most of the stuff will be security 101
- Enable passwords of 7 characters with complex passwords enforced.
- Have no open data shares, every share must be secure.
- Have an application owner/grantor to review and approve changes to application access
- HAve a system to review application access changes
- Review perimeter defence, log attempts, dual external firewall control


Hope that gets you started.    If you really need help, hire a 3rd party to come in and give you a SAS-70 checkup before the real audit.  They will help you identify and plug any holes that would result in an unfavorable review.  

0
 
LVL 8

Author Closing Comment

by:brittonv
Comment Utility
Outstading response!  Exactly what I was looking for.  Thanks!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
MOVING OFFICE / SERVER 22 71
svg file 10 30
Adding a secondary DC Server 2008R2 10 39
EIGRP Full Mesh 2 31
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now