Re: Pen Test and Sec Org
On May 5, 2008, at 5:26 AM, Soso Aboso wrote:

In the organization I work for there are two security teams: one with an enterprise role, "Information Security", whose main focus is governance, awareness, and risk assessment; the second team is for IT, "IT Security", and its main focus is IT security projects and managing the security devices. The questions I have: has any of you come across such an organization structure? Is it recommended? What standards support such a security organization? Who should be the owner of penetration tests in such an organization?

I work in an organization that is organized in this fashion.

The Information Security (IS) component in our organization owns the penetration test, as it is essentially an evaluation of how well IT Security is doing their job.
That does not necessarily mean that the IS organization conducts the test; in our case we have an independent 3rd party do it under contract to the IS group.

We have a number of standards, and I would suggest you check the Web for best practices regarding standards, but at a minimum there should be Acceptable Use, Malware, Patching, Configuration Management, Password, Data Protection, Remote Access, Network Access, and Application / Server Hardening standards. That is not a comprehensive list but should give you an idea to get you started.

DK