RE: Where to get recognizable, 3rd party security audits?

From: Craig Wright (cwright@bdosyd.com.au)
Date: Sat Mar 04 2006 - 15:34:58 EST


Hello Pigeon,
For all the likely flames this will result in... For the most part this is the wrong list to post for advice on an audit.
 
You are looking at something as a service provider or similar I would assume? In this case you are looking to SAS70p2. This is a certificate that basically adds a level of assurance to a 3rd party. The time to plan and implement will vary. This is something that needs to be discussed in detail - it may be a month, it may be longer.
 
SAS70 needs to be completed by a registered/licensed etc (whatever it is in your jurisdiction) auditor. From an auditor's point of view this is an audit under law. This means that the lead auditor/partner etc can be held criminally liable if the work is not completed with all due care etc. SAS 70 is not as common as it should be as it allows you to just hand over a certificate rather than having each client conduct an independent audit.
 
The issues are that not many people can conduct a SAS70. Most "security companies" are not legally able to do this. Many audit firms do not have the personnel. Hence the difficulty. More information would be required to go into further detail for you.
 
To go through the other examples one by one:
COSO is the governing body associated with financial audits for Chartered firms (CPA firms in the US) etc. There are COSO provisions for systems audit and there are legal requirements associated with the level of systems based information gathering. This is an external audit of your firm's system financial account. It does not meet your requirements for something to give to another company nor would it be relevant to that purpose. COSO is not an audit in itself. It is a set of control objectives that can be used to create a system that may be audited.
 
ISO17799 could be used for this, but it is more to do with the internal control processes and systems that you have in place. Any external organisation would still have to evaluate the scope of your ISO 17799 implementation and policies. This is a possibility but as you just want to hand over the certificate and not the set of policies etc this is not so likely - but correct me if I am wrong and I will go into further detail.
 
HIPAA is an assurance level for the retention and processing of medical records (simplified). Are you a Hospital or do you process medical records? If yes, then this may be required. If no, then forget it.
 
Regards
Craig

        -----Original Message-----
        From: Pigeon [mailto:fredit@charter.net]
        Sent: Sat 4/03/2006 9:40 AM
        To: pen-test@securityfocus.com
        Cc:
        Subject: Where to get recognizable, 3rd party security audits?
        
        

        Hello, I need to find a company that will do security testing on our
        5 or 6 servers to verify their security level. We will need a very
        well recognized certificate from them. AKA, I couldn't do the
        security audit, and no Joe Blow (granted you might be awesome) can do
        them. The reason for this is to show VERY large corporations our
        credentials.
        
        
        So far, people have mentioned these certs:
        SAS type 2
        FISAAA
        HIPPA
        ISO7799
        COSO
        
        
        but I am unsure on these. It appears like these could take months
        to prepare internally and then we submit the information to an
        organization for review. Is this normal?
        
        
        thanks!
        
        




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:36 EDT