Re: Pen Test and Sec Org

On May 5, 2008, at 5:26 AM, Soso Aboso wrote:

In the organization I work for there are two security teams, one with the enterprise role “Information Security”, whose main focus is governance, awareness, and risk assessment. The second team is for IT, “IT Security”, whose main focus is IT security projects and managing the security devices. The question I have: did any of you come across such an organization structure? Is it recommended? What standards support such a security organization? Who should be the owner of penetration tests in such an organization?

I work in an organization that is organized in this fashion.

The Information Security (IS) component in our organization owns the penetration test, as it is essentially an evaluation of how well IT Security is doing its job.
That does not necessarily mean that the IS organization conducts the test; in our case we have an independent 3rd party do it under contract to the IS group.

We have a number of standards, and I would suggest you check the Web for best practices regarding standards, but at a minimum there should be Acceptable Use, Malware, Patching, Configuration Management, Password, Data Protection, Remote Access, Network Access, and Application / Server Hardening standards. That is not a comprehensive list, but it should give you an idea to get you started.
