SQL Server Config and Security Audit document

  • Guys, my boss is asking me to come up with a simple document where we have SQL Server 2005 standards SAS70 compliant. I am not new to SQL Server, but I have never written anything like that. I know you will say, "it depends on..." or "everyone's different"... but not in this case, I can assure you. There are many DBAs out there who have never had to face SAS, SOX, C2, etc. I, personally, don't even know where to begin such a document. I think other people will benefit too if you post such a document or at least show how to build one. Specifically, I am interested in Security and Configuration. I appreciate your help very much,

    Boris.

    if one wants it.. one will justify it.

  • Did anyone ever do a paper on that? I can't believe that no one ever did...

    if one wants it.. one will justify it.

  • SAS70 compliance is hard to document for, because it is based on the opinion (and the standard actually says opinion) of the independent auditor.

    SAS No. 70 provides guidance to enable an independent auditor ("service auditor") to issue an opinion on a service organization's description of controls through a Service Auditor's Report (see below). SAS 70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting. A SAS 70 Audit is not a "checklist" audit.

    More here: About SAS70

    And I have seen two different auditing firms look at the exact same application and completely differ on standards. That's why you won't find much on how to meet SAS70 compliance.

    What you should do is document your standard build process, what you require to secure the server (both OS and SQL Server), what controls are in place with respect to administrators, and what processes are used to modify configuration, permissions, and data. Then work with your independent auditor to see if this is sufficient.

    K. Brian Kelley
    @kbriankelley
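    The advice above is to document what the build requires and what controls exist, then let the auditor judge. A practical starting point for the "what we require to secure the server" section is a read-only query that records the instance's current security-relevant settings so the document reflects the real configuration rather than intentions. The T-SQL below is an added example written for this thread, not code from Brian Kelley or from any SQL Server product; it uses only catalog views and procedures that exist in SQL Server 2005 (sys.configurations, sys.sql_logins, sys.server_role_members, sys.server_principals, sys.databases, xp_loginconfig). The list of surface-area options it flags, and the assumption that a hardened build has them set to 0, are assumptions for a typical environment; adjust them to what your application actually needs.

```sql
-- Added example: read-only evidence collection for a SQL Server 2005
-- configuration and security audit document. Nothing here changes settings.
-- The "expected" values below are assumptions for a typical hardened build.
SET NOCOUNT ON;

-- 1. Surface-area options. Assumption: 0 unless the application requires it.
SELECT  c.name,
        CONVERT(int, c.value_in_use)                AS value_in_use,
        CASE WHEN CONVERT(int, c.value_in_use) = 0
             THEN 'OK' ELSE 'REVIEW' END            AS finding
FROM    sys.configurations AS c
WHERE   c.name IN ('xp_cmdshell',
                   'Ole Automation Procedures',
                   'Ad Hoc Distributed Queries',
                   'clr enabled',
                   'cross db ownership chaining',
                   'SQL Mail XPs',
                   'remote access')
ORDER BY c.name;

-- 2. Authentication mode. Windows-only is the usual expectation;
--    mixed mode must be justified in the document.
SELECT  CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
             WHEN 1 THEN 'Windows Authentication only'
             ELSE 'Mixed mode (SQL logins enabled)'
        END AS authentication_mode;

-- 3. SQL logins: is sa disabled, and do logins enforce the Windows
--    password policy and expiration? sid 0x01 is the built-in sa account
--    even if it has been renamed.
SELECT  l.name,
        CASE WHEN l.sid = 0x01 THEN 'built-in sa' ELSE '' END AS note,
        l.is_disabled,
        l.is_policy_checked,
        l.is_expiration_checked,
        CASE WHEN l.sid = 0x01 AND l.is_disabled = 0 THEN 'REVIEW'
             WHEN l.is_policy_checked = 0 OR l.is_expiration_checked = 0 THEN 'REVIEW'
             ELSE 'OK' END AS finding
FROM    sys.sql_logins AS l
ORDER BY l.name;

-- 4. Fixed server role membership. Every sysadmin member should map to a
--    named administrator control in the document.
SELECT  r.name        AS role_name,
        m.name        AS member_name,
        m.type_desc   AS member_type,
        m.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.type = 'R'
ORDER BY r.name, m.name;

-- 5. Per-database settings auditors ask about: owner, TRUSTWORTHY,
--    cross-database chaining, recovery model.
SELECT  d.name,
        SUSER_SNAME(d.owner_sid) AS owner_name,
        d.is_trustworthy_on,
        d.is_db_chaining_on,
        d.recovery_model_desc,
        CASE WHEN d.is_trustworthy_on = 1 AND d.name <> 'msdb' THEN 'REVIEW'
             ELSE 'OK' END AS finding
FROM    sys.databases AS d
ORDER BY d.name;

-- 6. Login auditing level (expected: 'failure' or 'all' so failed logins
--    reach the error log and Windows application log).
EXEC master.dbo.xp_loginconfig 'audit level';
```

Run it as a sysadmin and keep the result sets with the date and instance name as an appendix to the build document; re-running it at each audit period gives the auditor a before/after record of configuration drift, which is the kind of repeatable control SAS70 reviewers look for.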

  • Well... this firm has no build standards, to say the least... so any sample or template is greatly appreciated.

    if one wants it.. one will justify it.
