Educause Security Discussion mailing list archives

Re: Penetration Testing Results, who gets them?


From: Carlos Lobato <clobato () NMSU EDU>
Date: Fri, 6 Mar 2015 18:28:38 +0000

Dan,

It depends on the purpose.  Executives at the Audit Committee level could take the outcome of the external pen tests 
out of context.  In my opinion, that is very risky.

Here at NMSU we have comprehensive external pen tests conducted by external independent parties on a regular basis, but 
we lead those efforts proactively internally, and the specific outcomes stay within IT and are used as a way to proactively 
enhance our information security controls.  We tell executive administration and our Office of Audit Services of these 
pen tests, but the outcome is used as a proactive measure and the specifics stay internal.

Our auditors (both internal & external) are happy as long as we are doing them proactively and on a regular basis.  If 
wanted, auditors can lead their own external penetration tests and the outcome would be provided to the Audit 
Committee, but the purpose of those pen tests would be different and they would be serving a different purpose.

Here at NMSU, we lead these pen tests internally within IT and sell that process to the auditors as a 
proactive way of identifying vulnerabilities and rectifying them.  Auditors focus their efforts on risk and they 
communicate that to Audit Committees.  In our case, by having this process in place, we minimize risk and auditors try 
not to duplicate effort.

Carlos,

Carlos S. Lobato, CISA, CISSP, CPA
IT Compliance Officer

New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM  88003-8001

Phone: 575-646-5902
Fax: 575-646-5278

Email: clobato () nmsu edu
IT Compliance at NMSU - http://compliance.ict.nmsu.edu/

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Sarazen
Sent: Friday, March 06, 2015 10:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Penetration Testing Results, who gets them?

Hi All,

For the schools who conduct external pen testing through a vendor, who do you share the results with? Does Audit 
Committee see them? Do any of you have the vendor present the results to Audit Committee?

Many Thanks
