Penetration Testing
mailing list archives
CoBIT a Security Audit Framework?
From: Jon Kibler <Jon.Kibler () aset com>
Date: Mon, 01 Dec 2008 12:53:33 -0500
Hello,
<rant>
I just received my 3rd request in as many weeks, from a job shop agency
looking for someone to do a "Pen Test using the CoBIT framework" or to
"Audit an organization's security using the CoBIT framework."
I have looked at the latest CoBIT (and had used 2.x in the past for
non-security audits), and I still do not see ANYTHING about CoBIT that
has to do with IT Security at a practical security level. However, it
appears to be the popular perception in industry that CoBIT is *THE*
security audit framework, and if you pass a CoBIT audit, then "you are
secure."
Where did this perception come from that CoBIT has anything to do with
security? It is simply an IT *GOVERNANCE* audit framework -- so why is
it perceived to be a SECURITY audit framework? I cannot believe that
anyone that is an IT professional could have such a serious misperception!
And what REALLY gets me is that organizations expect you to be able to
do a PEN TEST using CoBIT! When I explain that something like OSSTMM is
a more correct framework for a PEN TEST (or even NIST 800-115 or
800-53A), they don't want to hear it -- it's gotta be CoBIT! They have so
many misunderstandings as to what CoBIT is and is not useful for, it is
incredible -- and they are not interested in learning anything different.
Who / what is driving this "CoBIT is the only acceptable IT Security
audit framework" mentality and what can we do to change it?
Also, is ISACA pushing CoBIT as a security framework? Looking at their
web site, they do not seem to be. Anyone know what their position is on
CoBIT being used as an IT Security audit framework?
</rant>
THANKS!
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253