Penetration Testing mailing list archives

Re: Pen Test and Sec Org
From: DaKahuna <da.kahuna () gmail com>
Date: Tue, 6 May 2008 19:00:29 -0400


On May 5, 2008, at 5:26 AM, Soso Aboso wrote:

> In the organization I work for there are two security teams: one with an enterprise role, “Information Security”, whose main focus is on governance, awareness, and risk assessment. The second team is for IT, “IT Security”, and their main focus is on IT security projects and managing the security devices. The question I have: have any of you come across such an organization structure, is it recommended, what standards support such a security organization, and who should be the owner of penetration tests in such an organization?

I work in an organization that is organized in this fashion.

The Information Security (IS) component in our organization owns the penetration test, as it is essentially an evaluation of how well IT Security is doing their job. That does not necessarily mean that the IS organization conducts the test; in our case we have an independent 3rd party do it under contract to the IS group.

We have a number of standards, and I would suggest you check the Web for best practices regarding standards, but at a minimum there should be Acceptable Use, Malware, Patching, Configuration Management, Password, Data Protection, Remote Access, Network Access, and Application / Server Hardening standards. That is not a comprehensive list but should give you an idea to get you started.

DK

