Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Business justification for pentesting
From: Kevin Reiter <tux () penguinnetwerx net>
Date: Wed, 31 Aug 2005 01:18:36 -0400

hi all,

a few classic question that i would appriciate any answers for. 1- i would like to briefly know how to quantify information assets. In
other words, i hear a pentester say: if a hacker breaks in ur network, u
will loose up to 40000$ for example. how can he come up with such

2- are there any other means to justify pentesting for management except
for $$$?

3- are there any official statistics, figures etc. for justifying
pentesting. ther more official it is the better.

4- any other information you guys might find helpful in justifying a
pentest would be appriciated.

Don't forget about federal regulatory compliance issues, if your business falls under those categories (SOX, GLBA, etc.)

Your company may even be *required* to have a third-party audit/test done periodically (i.e. once per year) in order to be "certified" to meet those federal requirements, as well as other items put in place (IDS, monitoring, etc.)

Best to understand which (if any) federal requirements you fall under, then find out what needs to be done to become compliant (if that applies at all) and move on from there.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]