Penetration Testing mailing list archives
CoBIT a Security Audit Framework?
From: Jon Kibler <Jon.Kibler () aset com>
Date: Mon, 01 Dec 2008 12:53:33 -0500
Hello,

<rant>

I just received my 3rd request in as many weeks, from a job shop agency looking for someone to do a "Pen Test using the CoBIT framework" or to "Audit an organization's security using the CoBIT framework."

I have looked at the latest CoBIT (and had used 2.x in the past for non-security audits), and I still do not see ANYTHING about CoBIT that has to do with IT Security at a practical security level. However, it appears to be the popular perception in industry that CoBIT is *THE* security audit framework, and if you pass a CoBIT audit, then "you are secure."

Where did this perception come from that CoBIT has anything to do with security? It is simply an IT *GOVERNANCE* audit framework -- so why is it perceived to be a SECURITY audit framework? I cannot believe that anyone who is an IT professional could have such a serious misperception!

And what REALLY gets me is that organizations expect you to be able to do a PEN TEST using CoBIT! When I explain that something like OSSTMM is a more correct framework for a PEN TEST (or even NIST 800-115 or 800-53A), they don't want to hear it -- it's gotta be CoBIT! They have so many misunderstandings as to what CoBIT is and is not useful for, it is incredible -- and they are not interested in learning anything different.

Who / what is driving this "CoBIT is the only acceptable IT Security audit framework" mentality and what can we do to change it?

Also, is ISACA pushing CoBIT as a security framework? Looking at their web site, they do not seem to be. Anyone know what their position is on CoBIT being used as an IT Security audit framework?

</rant>

THANKS!
Jon Kibler

-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253