Penetration Testing mailing list archives

Re: CoBIT a Security Audit Framework?
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 9 Dec 2008 17:32:15 -0500 (EST)


You seem to give too much credit to headhunters and contract agency staff, as well as common HR folks, for knowledge base and facts. These folks are clueless, and so you will get this misinformation all the time, and not just related to security. Same with issues surrounding credentials and certifications. Just get used to it and learn to personally drown out the noise of misinformation you will be facing <smile>. It's all part of the game.


Ron DuFresne

On Mon, 1 Dec 2008, Jon Kibler wrote:



I just received my 3rd request in as many weeks, from a job shop agency
looking for someone to do a "Pen Test using the CoBIT framework" or to
"Audit an organization's security using the CoBIT framework."

I have looked at the latest CoBIT (and had used 2.x in the past for
non-security audits), and I still do not see ANYTHING about CoBIT that
has to do with IT Security at a practical security level. However, it
appears to be the popular perception in industry that CoBIT is *THE*
security audit framework, and if you pass a CoBIT audit, then "you are

Where did this perception come from that CoBIT has anything to do with
security? It is simply an IT *GOVERNANCE* audit framework -- so why is
it perceived to be a SECURITY audit framework? I cannot believe that
anyone that is an IT professional could have such a serious misperception!

And what REALLY gets me is that organizations expect you to be able to
do a PEN TEST using CoBIT! When I explain that something like OSSTMM is
a more correct framework for a PEN TEST (or even NIST 800-115 or
800-53A), they don't want to hear it -- it's gotta be CoBIT! They have so
many misunderstandings as to what CoBIT is and is not useful for, it is
incredible -- and they are not interested in learning anything different.

Who / what is driving this "CoBIT is the only acceptable IT Security
audit framework" mentality and what can we do to change it?

Also, is ISACA pushing CoBIT as a security framework? Looking at their
web site, they do not seem to be. Anyone know what their position is on
CoBIT being used as an IT Security audit framework?



Jon Kibler
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

gpg: Signature made Mon 01 Dec 2008 12:53:33 PM EST using DSA key ID CF394253
gpg: Good signature from "Jon Kibler <Jon.Kibler () aset com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BAA2 1F2C 5543 5D25 4636  A392 515C 5045 CF39 4253

-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
