Educause Security Discussion mailing list archives
Re: Penetration Testing Results, who gets them?
From: Carlos Lobato <clobato () NMSU EDU>
Date: Fri, 6 Mar 2015 18:28:38 +0000
Dan,

It depends on the purpose. Executives at the Audit Committee level could take the outcome of the external pen tests out of context. In my opinion, that is very risky.

Here at NMSU we have comprehensive external pen tests conducted by external independent parties on a regular basis, but we lead those efforts proactively internally, and the specific outcomes stay within IT and are used as a way to proactively enhance our information security controls. We tell executive administration and our Office of Audit Services of these pen tests, but the outcome is used as a proactive measure and the specifics stay internal. Our auditors (both internal & external) are happy as long as we are doing them proactively and on a regular basis.

If wanted, auditors can lead their own external penetration tests and the outcome would be provided to the Audit Committee, but the purpose of those pen tests would be different and they would be serving a different purpose. Here at NMSU, we lead these pen tests internally within IT and sell that process to the auditors: that we have a proactive way of identifying vulnerabilities and rectifying them. Auditors focus their efforts on risk and they communicate that to Audit Committees. In our case, by having this process in place, we minimize risk and auditors try not to duplicate effort.

Carlos

Carlos S. Lobato, CISA, CISSP, CPA
IT Compliance Officer
New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM 88003-8001
Phone: 575-646-5902
Fax: 575-646-5278
Email: clobato () nmsu edu
IT Compliance at NMSU - http://compliance.ict.nmsu.edu/

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Sarazen
Sent: Friday, March 06, 2015 10:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Penetration Testing Results, who gets them?
Hi All,

For the schools who conduct external pen testing through a vendor, who do you share the results with? Does the Audit Committee see them? Do any of you have the vendor present the results to the Audit Committee?

Many Thanks
Current thread:
- Penetration Testing Results, who gets them? Dan Sarazen (Mar 06)
- <Possible follow-ups>
- Re: Penetration Testing Results, who gets them? Carlos Lobato (Mar 06)