Penetration Testing mailing list archives

RE: Pentest Letter of Achievement/Certificate


From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Sat, 16 Jul 2005 11:54:08 +1000

To date under AIS (Visa AP and presumably CISP) anyone, even internally,
carrying out an existing program/cycle of vulnerability scans appears to
have been accepted as well. Just a matter of filling in a form. No one so
far has even asked for a copy of reports, except for the auditor seeking
evidence that vuln scans do occur.

Lyal 

-----Original Message-----
From: Mike Klingler [mailto:mike () securitymetrics com] 
Sent: Friday, 15 July 2005 12:09 PM
To: Paul Fields
Cc: pen-test () securityfocus com
Subject: Re: Pentest Letter of Achievement/Certificate


Paul Fields wrote:
> Payment Card Industry data security standards specifically ask for
> quarterly vulnerability scans and annual pen testing.
>
> Gramm-Leach-Bliley Act also asks for periodic testing of systems.
>
> Now that they ask for it, how do you prove what you've done?

Well, they do have a list of companies that can do the VA scanning that they
accept. Anyone can try to get on the list to do scanning for it.

> One of the reasons we use repeatable methodologies in audits is the
> assumption that someone else using the same knowledge, tools, and
> techniques could easily come up with the same results.

They evaluate the different companies scanning with a baseline set of
systems that have weaknesses on them. If you do well enough for them, you
get accepted.

Michael Klingler


