Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Penetration Testing: RE: Pen Test and Sec Org

RE: Pen Test and Sec Org

From: Justin Townsend <justin.townsend_at_i-assure.com>
Date: Tue, 6 May 2008 10:52:37 -0500

I work for many customers that are set up in a similar manner, and would heartily recommend it. The core concept is to have a separation of duties, with one party performing the engineering/operation, and the other party providing the security requirements and assessing the system to determine any gap between implementation and requirements. This helps to avoid a conflict of interest where an engineer is assessing their own work. This is a pretty standard setup in mature security organizations. As for standards (United States federal, at least,) I would check out the NIST Special Publications series, specifically "SP 800-100 Information Security Handbook: A Guide for Managers." It's a solid overview of an entire security organization. It's tailored for US federal systems, but most of the theory applies to any larger organization.

All that said, I would put the pen tests under the "Information Security" group in your model.

Justin Townsend

I-Assure, LLC | Defense In Depth Solutions
justin.townsend_at_i-assure.com
________________________________________
From: listbounce_at_securityfocus.com [listbounce_at_securityfocus.com] On Behalf Of Soso Aboso [sosokkam_at_yahoo.com]
Sent: Monday, May 05, 2008 2:54 AM
To: pen-test_at_securityfocus.com
Subject: Re: Pen Test and Sec Org

I am also very interseting on how to split the rsponsibilities

----- Original Message ----
From: Soso Aboso <sosokkam_at_yahoo.com>
To: pen-test_at_securityfocus.com
Sent: Monday, May 5, 2008 12:26:01 PM
Subject: Pen Test and Sec Org

Greetings,

In the organization I work for there are two security team, one with enterprise role “Information Security” and their mean focus on governance, awareness, and risk assessment. The second team is for IT “IT Security” and their mean focus on IT security projects and managing the security Devices. The question I have, did any of you came through such organization structure, is it recommended, what standards support such security organization, who should be the owner of penetration tests in such organization?

Thanks you in advance for your feedback

Regards

      ____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

      ____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Received on May 06 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos