Penetration Testing mailing list archives

RE: Business justification for pentesting
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 1 Sep 2005 06:37:59 +1000

A pen test does not, by its nature, cover the requirements for SOX or any of the other areas.
 
A pen test can be used as a part of an audit but is not an audit. This is a common misconception, but it is definitely wrong.
 
I see this a lot (being a manager in a chartered firm). The audit requirements cannot be satisfied by a pen test, and any firm that believes this is deluding themselves.
 
Craig

        -----Original Message-----
        From: Kevin Reiter [mailto:tux () penguinnetwerx net]
        Sent: Wed 31/08/2005 3:18 PM
        To: 
        Cc: sectraq () gmail com; pen-test () securityfocus com
        Subject: Re: Business justification for pentesting
        
        
        Don't forget about federal regulatory compliance issues, if your business
        falls under those categories (SOX, GLBA, etc.)
        
        Your company may even be *required* to have a third-party audit/test done
        periodically (i.e. once per year) in order to be "certified" to meet those
        federal requirements, as well as other items put in place (IDS,
        monitoring, etc.)
