Penetration Testing mailing list archives
Re: Canned audits
From: Dotzero <dotzero () gmail com>
Date: Sat, 25 Mar 2006 18:50:38 -0500
On 3/24/06, ROB DIXON <rdixon () workforcewv org> wrote:
Hi All, We have had many audits in the past by 3 party vendors. My company is finally interested in performing some of these audits in house and a little more frequently than the annual 3rd party audits.
The first question would be, what are you currently being audited for and to what standard? If you don't know this and have annual audits that you have been through I have to scratch my head. The audit report should clearly state the standard to which you are being held. The standard should generally be publicly available. For example you can go to Visa, Mastercard, (I assume other major card companies) and download the form and (methodology) that all authorized 3rd party auditors must use.
My question is, is there a software package, a "canned" audit that can be performed? Basic info gathering questions regarding authentication controls, network documentation(how and where it is stored), question that should be asked regarding wireless AP and other basic security questions?
You will definately get some interesting wireless questions on the PCI-CISP assessment audit form. It is what I would call pretty transparent. It doesn't get down to some of the details but certainly forces self-examination. I'm sure you can find stuff for SOX, HIPPAA or GLBA out there. Audit is a pretty generic term (about meaningless) unless a 3rd party can have confidence in the methodology and results. Dotzero ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/forms/ec.php?pubid=10025 And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com ------------------------------------------------------------------------------
Current thread:
- Canned audits ROB DIXON (Mar 24)
- RE: Canned audits Eyal Udassin (Mar 25)
- Re: Canned audits r@d (Mar 27)
- Re: Canned audits sol (Mar 28)
- Re: Canned audits bf (Mar 27)
- Re: Canned audits Gareth Davies (Mar 28)
- Re: Canned audits Dotzero (Mar 28)
- <Possible follow-ups>
- Re: Canned audits imariot () gmail com (Mar 25)
- Re: Canned audits revnic (Mar 25)
- RE: Canned audits Clemens, Dan (Mar 25)
- RE: Canned audits Clemens, Dan (Mar 28)
- Re: Canned audits Phil Frederick (Mar 29)
- Re: Canned audits US Infosec (Mar 30)