Former ISACA Head: SAS 70 Changes Coming
Marios Damianides, a partner in Ernst & Young's technology and security risk services group and past president of ISACA's board of directors, expects changes for SAS 70 and more collaboration between security and non-security management groups.
» View Article
I like the direction being proposed; the current SAS 70 framework is deficient in providing relying parties substance they can rely on. The focus should not be to replace ISO 27001:2005, but rather, it should build on it. For example, an organization could adopt and achieve ISO 27001:2005 certification, and then an inexpensive SAS 70 could be of value to document that the controls implemented within that framework meet the specific requirements of a regulation, such as HIPAA. This ensures that a continuously improving ISMS is in place and that the controls sufficiently meet the regulatory requirements. This could then be relied upon by customers, as well as recognized by the insurance industry, for reducing the risks associated with information.
Well said and implied.
Aligning Governance, Risk Management and Compliance with business operations will rightfully place both functions together where they have all along belonged. I had contemplated the idea only three days ago behind the wheel, and my conclusions align with yours.
Should CEOs then begin to bring CISOs to the COO's level or even a bit higher? Should the CISO be at the top of the CEO's right-hand men; a sort of personal bastion protecting the organization by delivering real-time data as to risks to assets, and keeping these as low as possible by implementing the right controls to support the very top executive to the best of their abilities? If not, why not?
Pascal
This article is terrible. It is titled "SAS 70 Changes Coming" and barely discusses SAS 70 audits. 2 of 3 pages don't even mention the words "SAS 70". Is the interviewee a CPA? It doesn't appear so. Wouldn't it make sense to interview a CPA about an audit that only a CPA can issue? Also, what is the interviewee's SAS 70 audit experience? Please cite a source for the claims that "An update on SAS 70 is brewing" and "Talks are happening around the idea of creating general-purpose SAS 70s where you could define to some extent the environment you'll be auditing against and then design and test that environment." Who is having these talks? I am one of the world's leading experts on SAS 70 audits and have no idea what this refers to. ISACA and ASIS have no sway in writing audit standards. Furthermore, how could you write this article and not even mention the pending adoption of the SAS 70 standard as an international standard? The exposure drafts of the new standard make very few changes to the language of the existing standard. So if any changes are "brewing", they forgot to describe them in the ISAE draft that is anticipated to be adopted as early as April of 2009.
Ditto. As a CPA and CISSP, the SAS 70 has to be the most misunderstood standard in existence. It is created so that auditors can rely on the work of other auditors. The client chooses the controls to be tested. Nothing more, nothing less. It is not a security certification, despite what vendors claim. It is for service organizations that perform critical functions for another entity. So only if I am in the business of running processes for another entity would a SAS 70 be relevant anyway. A SAS 70 can be geared to IT security, but more likely than not it is used for other functions, such as giving an entity and its auditors a warm and fuzzy feeling about outsourced payroll or investment processes handled by a third party. I have not heard anything about a SAS 70 becoming more than what it is now. Now, if an organization trots out that its controls are ISO 17799 compliant, then it is conceivable that a SAS 70 may test that assertion. That said, that does not mean that all SAS 70s would now test for ISO 17799 compliance.