Thursday, January 15, 2009

Pen testing is dead? Part two

There aren't that many IT security literate people in organisations, so when they need some assurance that they are doing the right thing they ask a third party with specialist experience for testing. The reality of the situation is that if someone is looking for assurance that they are doing a good job security-wise, they probably aren't. Some questions that security people often don't dare to ask, or ask pretty much knowing the answers, when approached to conduct a pen test include:

- Do you have a security policy?
- Do you have up-to-date technical security standards for the kit in use?
- Has someone been tasked with applying the standards?
- Has someone checked that the standards have been applied?
- Is someone monitoring for intrusion?
- Is there a risk assessment for this project?
- Are there any security requirements for this project?
- Is there a security architecture document and detailed design docs for the key security controls?
- Has functional testing of the key controls been undertaken to check they work in the intended manner?


---- 
Sent using a Sony Ericsson videophone
