Penetration Testing mailing list archives

Re: Pen Test and Sec Org


From: Joey Peloquin <joeyp () cotse net>
Date: Mon, 05 May 2008 17:43:54 -0500

Soso Aboso wrote:
Greetings,
In the organization I work for there are two security teams, one with an enterprise role, "Information Security", whose main focus is governance, awareness, and risk assessment. The second team is for IT, "IT Security", whose main focus is IT security projects and managing the security devices. The questions I have: did any of you come across such an organization structure, is it recommended, what standards support such a security organization, and who should be the owner of penetration tests in such an organization? Thank you in advance for your feedback
[snip]
Sup, Soso.

There were three teams at my former company, but we were all under the IT Risk Mgmt umbrella. My team (I was the team lead, not the manager) was the technical team, performing assessments and pen-tests, handling incidents, evaluating new technology, managing IPS alerts, etc.

One of the other teams handled compliance, and managed the security-portion of "the business'" projects. They'd call us in when they needed a technical "air strike".

The final team was operational security, but primarily handled the "big iron", and projects involving the big iron. They also handled user administration and were the first-level helpdesk. Sadly, they were sitting in a different part of the building, so most of the time there were pretty much only two teams - us and compliance.

We weren't necessarily following any specific standard. When I joined the team, I was the 10th member, and possessed a technical skill level above the couple other "tech dudes" - which is why I was hired. When I left the company, there were over 20 people in the organization, and we had only added a couple more (highly) technical folks - who landed on my team. Consequently, lines of responsibility naturally gravitated toward the group where it made the most sense.

When there was doubt where a responsibility should lie, team leads and managers got together, discussed it, and made a unified decision.

HTH

-jp

--
"Companies will say, "We can Web 2.0ify your existing applications in 15 minutes - we've got a wrapper". These people are charlatans, and you should punch them in the face. They are taking your back-end database tiers and moving them to the perimeter." - Billy Hoffman, HPSW Security Labs
