RE: Government Compliance

["Todd Towles" <toddtowles () brookshires com>]

I am not going to repeat the words of other posters, most made very good
points.

Most of the people on this list know the difference between a VA (vuln
assessment) test and PT (pen-test), but how much committees know the
difference? If running a VA test fills your credit for a PT test.. Then
something is wrong with the government compliance definitions of both,
it would seem.

VA test  is a subset of PT....IMHO anyways..

-Todd 

> -----Original Message-----
> From: Dave [mailto:dave.anon () gmail com] 
> Sent: Wednesday, June 15, 2005 9:51 AM
> To: pen-test () securityfocus com
> Subject: Government Compliance
>
> Hello everyone. I know some will view this as a rant and 
> other as informative, but I am making this post as a sanity check.
>
> For the purposes here, I currently work as an IT Security 
> professional for the US government. I work at the Department 
> of Government, within a component named AgencyX. Yes, these 
> names are fictional.
>
> To give an outline or basic background, all government 
> computer systems are governed by strict requirements for 
> designing, implementing, maintaining, and securing them. Many 
> of these are mandatory and are not up for negotiation. Some 
> examples include NIST SP's, FISMA, DCID 6/3, etc.....
>
> OK....so I received and email from a "IT Security professional"
> (qualifications and knowledge very questionable) at the 
> Department in response to a question I had. I had asked for 
> the definition the Department was adopting for penetration 
> testing. The response I received was (scrubbed for anonymity):
>
> "... The guidance for penetration testing was reviewed at 
> [department committee] meeting... penetration testing shall 
> consist of [product name deleted] vulnerability scans and 
> running [product name deleted] for cracking passwords... if 
> this has been done AgencyX shall get credit for penetration 
> testing...."
>
>
> Ok, I have big problems with this. There are seperate and 
> distinct requirements for maintaining password complexity, 
> performing vuln scans, AND performing penetration testing. 
> Any industry guideline or resource would never allow this 
> "definition". Am I wrong? Am I over reacting?
>
> When I brought this up to my chain of command I was told 
> "don't rock the boat". They fully admitted that they knew the 
> definition to be incorrect in that it was not meeting the 
> intent of the requirement, but that I should not say anything 
> to rock the boat and just accept this.
>
> Obviously, for ethical reasons, I am leaving the agency and 
> the department.
>
> Feedback? Thoughts?
>
> -- Dave