Re: Pen Test and Sec Org

[DaKahuna <da.kahuna () gmail com>]

On May 5, 2008, at 5:26 AM, Soso Aboso wrote:

> In the organization I work for there are two security team, one with  
> enterprise role “Information Security” and their mean focus on  
> governance, awareness, and risk assessment. The second team is for  
> IT “IT Security” and their mean focus on IT security projects and  
> managing the security Devices.  The question I have, did any of you  
> came through such organization structure, is it recommended, what  
> standards support such security organization, who should be the  
> owner of penetration tests in such organization?

 I work in an organization that is organized in this fashion.

 The Information Security (IS) component in our organization owns the  
penetration test as it is essentially an evaluation of how well IT  
Security is doing their job.
That does not necessarily mean that the IS organization conducts the  
test, in our case we have an independent 3rd party do it under  
contract to the IS group.

We have a number of standards and I would suggest you check the the  
Web for best practices regarding standards but at a minimum there  
should be Acceptable Use, Malware, Patching, Configuration Management,  
Password, Data Protection, Remote Access, Network Access, and  
Application / Server Hardening standards.  That is not a comprehensive  
list but should give you an idea to get your started.

DK


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------