Penetration Testing: Re: Pen Test and Sec Org

Re: Pen Test and Sec Org

From: Joey Peloquin <joeyp_at_cotse.net>
Date: Mon, 05 May 2008 17:43:54 -0500

Soso Aboso wrote:
> Greetings,
>
> In the organization I work for there are two security teams, one with an enterprise role, “Information Security”, whose main focus is on governance, awareness, and risk assessment. The second team is for IT, “IT Security”, and its main focus is on IT security projects and managing the security devices. The question I have: has any of you come through such an organization structure, is it recommended, what standards support such a security organization, and who should be the owner of penetration tests in such an organization?
>
> Thank you in advance for your feedback
[snip]
Sup, Soso.

There were three teams at my former company, but we were all under the IT
Risk Mgmt umbrella. My team (I was the team lead, not the manager) was the
technical team, performing assessments and pen-tests, handling incidents,
evaluating new technology, managing IPS alerts, etc.

One of the other teams handled compliance, and managed the security-portion
of "the business'" projects. They'd call us in when they needed a technical
"air strike".

The final team was operational security, but primarily handled the "big
iron", and projects involving the big iron. They also handled user
administration and were the first level helpdesk. Sadly, they were sitting
in a different part of the building, so most of the time, there were pretty
much only two teams - us and compliance.

We weren't necessarily following any specific standard. When I joined the
team, I was the 10th member, and possessed a technical skill level above the
couple other "tech dudes" - which is why I was hired. When I left the
company, there were over 20 people in the organization, and we had only
added a couple more (highly) technical folks - who landed on my team.
Consequently, lines of responsibility naturally gravitated toward the group
where it made the most sense.

When there was doubt where a responsibility should lie, team leads and
managers got together, discussed it, and made a unified decision.

HTH

-jp

-- 
"Companies will say, "We can Web 2.0ify your existing applications in 15 
minutes - we've got a wrapper".  These people are charlatans, and you should 
punch them in the face.  They are taking your back-end database tiers and 
moving them to the perimeter." - Billy Hoffman, HPSW Security Labs
Received on May 06 2008