Penetration Testing mailing list archives

Re: Business justification for pentesting


From: Kevin Reiter <tux () penguinnetwerx net>
Date: Wed, 31 Aug 2005 01:18:36 -0400

> hi all,
>
> a few classic questions that I would appreciate any answers for.
>
> 1- I would like to briefly know how to quantify information assets. In
> other words, I hear a pentester say: if a hacker breaks in your network, you
> will lose up to $40000 for example. how can he come up with such
> figures?
>
> 2- are there any other means to justify pentesting for management except
> for $$$?
>
> 3- are there any official statistics, figures etc. for justifying
> pentesting. the more official it is the better.
>
> 4- any other information you guys might find helpful in justifying a
> pentest would be appreciated.

Don't forget about federal regulatory compliance issues, if your business falls under those categories (SOX, GLBA, etc.).

Your company may even be *required* to have a third-party audit/test done periodically (i.e. once per year) in order to be "certified" to meet those federal requirements, as well as other items put in place (IDS, monitoring, etc.).

Best to understand which (if any) federal requirements you fall under, then find out what needs to be done to become compliant (if that applies at all) and move on from there.

-Kevin
