Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

What does a Network Administrator need to know about SAS70

Posted on 2009-05-18
2
Medium Priority
?
306 Views
Last Modified: 2012-05-07
I have just found out that we may need to become SAS70 compliant.  

I have tried to research on the interent, but find long drawn out explanations on the history and assorted blah, blah...

What do I as a Network Administrator need to know about SAS70?  What types of documentation will I need to Supply, what types of restrictsions will I need to put in place?
0
Comment
Question by:brittonv
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 33

Accepted Solution

by:
MikeKane earned 2000 total points
ID: 24415383
I worked for 13 years at a financial institution, so here is some advice to get you started:

 - Most of the IT stuff is really common sense, security 101.   Password change policy, lockout policy, dual control on sensitive items, classification of critical data, etc...   It really covers the control of transactions and is meant to be a report to provide to customers to raise their level of confidence in your company standards because it meets certain guidelines.

 - If you've never been audited before, think about getting a 3rd party service to come in and help you prepare.    I had internal audit assist me with various GLBA, SOX compliance stuff before the real audit happened.    

-  Everything must be documented.   If its not on paper and on file, it doesn't exist.   Even if you can show a control is in place by opening the console and clicking around, it doesn't matter.   Auditors love paper.  

- Depending on the type of systems you are protecting, there are different base line practices you would need.   For example, a banking host system would need documented controls on password changes, dual control for access grants, etc...      

- Once the sas70 auditor does his thing, you'll get a list of items that the auditor thinks "needs improvement".   Expect things like password complexity enforcement, longer lockout periods, better access control for admins, review of admin activity, review of firewall logs, etc....  

Most of the stuff will be security 101
- Enable passwords of 7 characters with complex passwords enforced.
- Have no open data shares, every share must be secure.
- Have an application owner/grantor to review and approve changes to application access
- HAve a system to review application access changes
- Review perimeter defence, log attempts, dual external firewall control


Hope that gets you started.    If you really need help, hire a 3rd party to come in and give you a SAS-70 checkup before the real audit.  They will help you identify and plug any holes that would result in an unfavorable review.  

0
 
LVL 8

Author Closing Comment

by:brittonv
ID: 31582719
Outstading response!  Exactly what I was looking for.  Thanks!
0

Featured Post

Looking for a new Web Host?

Lunarpages' assortment of hosting products and solutions ensure a perfect fit for anyone looking to get their vision or products to market. Our award winning customer support and 30-day money back guarantee show the pride we take in being the industry's premier MSP.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question