Penetration Testing mailing list archives

Technology Neutral Healthcheck


From: cribbar <crib.bar () hotmail co uk>
Date: Thu, 19 Jan 2012 07:02:01 -0800 (PST)


Can I ask, if any of you have roles as security admins or managers, if you have
a sort of baseline checklist you use for when departments in your company
come calling saying they need a new payroll system, or a new procurement
system or whatever? I am in a very junior role in a risk section but I thought
it wouldn't do any harm to see the kind of checks or questions you'll ask any
3rd party offering a solution/application for you that will give you a
degree of assurance that this is a system that can be utilised for
processing (maybe only internally) medium sensitive data. I just wondered if
you have such a "checklist" that you'd want of assurance before engaging
further with the 3rd party application provider? I know a lot of more
detailed assurance would need technology specific auditing/pen testing - but
as a technology neutral "top 20" checks - would you be willing to share - or
perhaps if you don't have a list put some suggestions on a top 20 checks
you'll run before even contemplating such an application could be utilised
in your environment.

