Penetration Testing mailing list archives
Re: Where to get recognizable, 3rd party security audits?
From: v b <r0cketgrl () yahoo com>
Date: Sat, 4 Mar 2006 16:04:48 -0800 (PST)
I really have to laugh when I read things like this... You have not mentioned what business silo in which your company participates. You cannot be "certified" against HIPAA. There is no recognized certification body for this type of assessment. Nor for COSO; nor for FISAAA, nor for ISO17799. These are all guidelines, not standards, therefore, your company cannot be "certified" as being in compliance; the auditor can only comment that your operations appear to comply with the guidelines.

HIPAA is the US federal regulation for healthcare. While it is called a "standard" the guidance enumerated in the Act is so nebulous, it can hardly be called a standard. ISO17799 is the guideline, based upon BS7799, directed primarily toward companies involved in international trade. COSO is the guideline directed toward financial operations. But, they are NOT by any means, standards.

You may, however, have a firm perform a BS7799 or SAS70 audit, which your organization may be "certified" against (though again, these are guidelines and there doesn't seem to be any cohesion in the "certification" process). Many companies have a SAS70 performed on an annual basis prior to an attestation audit to comment on their internal controls associated with the organization's business processes. The organizations performing these audits themselves must be recognized to perform either of those two audits. These are commonly financial statement attestation organizations (read, accounting firms).

Regards.

--- Pigeon <fredit () charter net> wrote:

Hello, I need to find a company that will do security testing on our 5 or 6 servers to verify their security level. We will need a very well recognized certificate from them.. AKA, I couldn't do the security audit, and no Joe Blow (granted you might be awesome) can do them. The reason for this is to show VERY large corporations our credentials. So far, people have mentioned these certs: SAS type 2, FISAAA, HIPAA, ISO7799, COSO, but I am unsure on these.. It appears like these could take months to prepare internally and then we submit the information to an organization for review. Is this normal? Thanks!