On May 5, 2008, at 5:26 AM, Soso Aboso wrote:
> In the organization I work for there are two security teams, one with
> the enterprise role "Information Security", whose main focus is on
> governance, awareness, and risk assessment. The second team is for
> IT, "IT Security", and its main focus is on IT security projects and
> managing the security devices. The question I have: has any of you
> come across such an organization structure, is it recommended, what
> standards support such a security organization, and who should be the
> owner of penetration tests in such an organization?
I work in an organization that is organized in this fashion.
The Information Security (IS) component in our organization owns the
penetration test, as it is essentially an evaluation of how well IT
Security is doing their job.
That does not necessarily mean that the IS organization conducts the
test; in our case we have an independent 3rd party do it under
contract to the IS group.
We have a number of standards and I would suggest you check the
Web for best practices regarding standards, but at a minimum there
should be Acceptable Use, Malware, Patching, Configuration Management,
Password, Data Protection, Remote Access, Network Access, and
Application / Server Hardening standards. That is not a comprehensive
list but should give you an idea to get you started.
DK
Received on May 06 2008