
What does a Network Administrator need to know about SAS70

Posted on 2009-05-18
Last Modified: 2012-05-07
I have just found out that we may need to become SAS70 compliant.  

I have tried to research on the internet, but find long drawn out explanations on the history and assorted blah, blah...

What do I as a Network Administrator need to know about SAS70?  What types of documentation will I need to supply, and what types of restrictions will I need to put in place?
Question by:brittonv
Accepted Solution

by: MikeKane
I worked for 13 years at a financial institution, so here is some advice to get you started:

- Most of the IT stuff is really common sense, security 101: password change policy, lockout policy, dual control on sensitive items, classification of critical data, etc. It really covers the control of transactions and is meant to be a report to provide to customers to raise their level of confidence in your company standards because it meets certain guidelines.

- If you've never been audited before, think about getting a 3rd party service to come in and help you prepare. I had internal audit assist me with various GLBA, SOX compliance stuff before the real audit happened.

- Everything must be documented. If it's not on paper and on file, it doesn't exist. Even if you can show a control is in place by opening the console and clicking around, it doesn't matter. Auditors love paper.

- Depending on the type of systems you are protecting, there are different baseline practices you would need. For example, a banking host system would need documented controls on password changes, dual control for access grants, etc.

- Once the SAS70 auditor does his thing, you'll get a list of items that the auditor thinks "needs improvement". Expect things like password complexity enforcement, longer lockout periods, better access control for admins, review of admin activity, review of firewall logs, etc.

Most of the stuff will be security 101:
- Enable passwords of 7 characters with complex passwords enforced.
- Have no open data shares; every share must be secure.
- Have an application owner/grantor to review and approve changes to application access.
- Have a system to review application access changes.
- Review perimeter defence, log attempts, dual external firewall control.


Hope that gets you started.    If you really need help, hire a 3rd party to come in and give you a SAS-70 checkup before the real audit.  They will help you identify and plug any holes that would result in an unfavorable review.  

Author Closing Comment

by:brittonv
ID: 31582719
Outstanding response!  Exactly what I was looking for.  Thanks!