Penetration Testing mailing list archives
Re: IT Audit vs Pen-Test
From: vito.nozza () gmail com
Date: Fri, 25 Mar 2011 17:22:03 +0000
Crib, this is a question that does not have a simple answer. Since both are encompassed in what the client requires... I will try to answer both in general terms.

When I am asked to perform a pen test, I start by examining the systems that the client has. I start from external sources, i.e. FW, routers, etc. Perform port testing to check for vulnerabilities. Then move to systems internally.

An IT audit encompasses the entire IT domain, i.e. physical, operational and technical. Where a pen test is primarily tech to find vulnerabilities, an audit provides a look into a security domain to ensure the policy is being upheld.

I find an IT audit is much more complex and encompasses more detail of the overall company. Although it could include a pen test, it primarily ensures proper guards and procedures are in place.

Hope this helps.

V

------Original Message------
From: cribbar
Sender: listbounce () securityfocus com
To: pen-test () securityfocus com
Subject: IT Audit vs Pen-Test
Sent: Mar 25, 2011 9:26 AM

Hi All,

Excuse my ignorance, but what is the difference between an IT Audit and a Pen-test? Say if the scope of the review was to look at public facing infrastructure, what would an IT Audit look for that a Pen-Test would not, and vice versa?

There's another concept I keep hearing about that is an "IT Healthcheck", how does that differ from the IT Audit or Pen-Test, which does it more closely resemble, an IT Audit or a Healthcheck?

What are the benefits/limitations of each of these 3?

With Regards