Penetration Testing mailing list archives

CoBIT a Security Audit Framework?
From: Jon Kibler <Jon.Kibler () aset com>
Date: Mon, 01 Dec 2008 12:53:33 -0500


I just received my third request in as many weeks from a job shop agency
looking for someone to do a "Pen Test using the CoBIT framework" or to
"Audit an organization's security using the CoBIT framework."

I have looked at the latest CoBIT (and had used 2.x in the past for
non-security audits), and I still do not see ANYTHING about CoBIT that
has to do with IT Security at a practical security level. However, it
appears to be the popular perception in industry that CoBIT is *THE*
security audit framework, and if you pass a CoBIT audit, then "you are

Where did this perception come from that CoBIT has anything to do with
security? It is simply an IT *GOVERNANCE* audit framework -- so why is
it perceived to be a SECURITY audit framework? I cannot believe that
anyone who is an IT professional could have such a serious misperception!

And what REALLY gets me is that organizations expect you to be able to
do a PEN TEST using CoBIT! When I explain that something like OSSTMM is
a more correct framework for a PEN TEST (or even NIST 800-115 or
800-53A), they don't want to hear it -- it's gotta be CoBIT! They have so
many misunderstandings as to what CoBIT is and is not useful for, it is
incredible -- and they are not interested in learning anything different.

Who / what is driving this "CoBIT is the only acceptable IT Security
audit framework" mentality and what can we do to change it?

Also, is ISACA pushing CoBIT as a security framework? Looking at their
web site, they do not seem to be. Anyone know what their position is on
CoBIT being used as an IT Security audit framework?



Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


