mailing list archives
Re: Business justification for pentesting
From: Kevin Reiter <tux () penguinnetwerx net>
Date: Wed, 31 Aug 2005 01:18:36 -0400
a few classic question that i would appriciate any answers for.
1- i would like to briefly know how to quantify information assets. In
other words, i hear a pentester say: if a hacker breaks in ur network, u
will loose up to 40000$ for example. how can he come up with such
2- are there any other means to justify pentesting for management except
3- are there any official statistics, figures etc. for justifying
pentesting. ther more official it is the better.
4- any other information you guys might find helpful in justifying a
pentest would be appriciated.
Don't forget about federal regulatory compliance issues, if your business
falls under those categories (SOX, GLBA, etc.)
Your company may even be *required* to have a third-party audit/test done
periodically (i.e. once per year) in order to be "certified" to meet those
federal requirements, as well as other items put in place (IDS,
Best to understand which (if any) federal requirements you fall under,
then find out what needs to be done to become compliant (if that applies
at all) and move on from there.