Penetration Testing mailing list archives

Re: IT Audit vs Pen-Test


From: vito.nozza () gmail com
Date: Fri, 25 Mar 2011 17:22:03 +0000

Crib, this is a question that does not have a simple answer.  Since both are encompassed in what the client 
requires...I will try to answer both in general terms.


When I am asked to perform a pen test, I start by examining the systems that the client has.  I start from external 
sources, i.e. FW, routers, etc.  Perform port testing to check for vulnerabilities.  Then move to systems internally.

An IT audit encompasses the entire IT domain, i.e. physical, operational and technical.  Where a pen test is primarily 
tech to find vulnerabilities, an audit provides a look into a security domain to ensure the policy is being upheld.  
I find an IT audit is much more complex and encompasses more detail of the overall company.  Although it could include 
a pen test, it primarily ensures proper guards and procedures are in place.

Hope this helps.

V
------Original Message------
From: cribbar
Sender: listbounce () securityfocus com
To: pen-test () securityfocus com
Subject: IT Audit vs Pen-Test
Sent: Mar 25, 2011 9:26 AM


Hi All, 

Excuse my ignorance, but what is the difference between an IT Audit and a
Pen-test? Say if the scope of the review was to look at public facing
infrastructure, what would an IT Audit look for that a Pen-Test would not,
and vice versa? There's another concept I keep hearing about that is an "IT
Healthcheck"; how does that differ from the IT Audit or Pen-Test, which does
it more closely resemble, an IT Audit or a Pen-Test? What are the
benefits/limitations of each of these 3? 

With Regards
-- 




