From: Craig Wright (cwright@bdosyd.com.au)
Date: Wed Aug 31 2005 - 16:37:59 EDT
A pen test does not, by nature, cover the requirements for SOX or any of the other areas.
A pen test can be used as a part of an audit but is not an audit. This is a common misconception, but it is definitely wrong.
I see this a lot (being a manager in a chartered firm). The audit requirements cannot be satisfied by a pen test, and any firm that believes this is deluding themselves.
Craig
-----Original Message-----
From: Kevin Reiter [mailto:tux@penguinnetwerx.net]
Sent: Wed 31/08/2005 3:18 PM
To:
Cc: sectraq@gmail.com; pen-test@securityfocus.com
Subject: Re: Business justification for pentesting
Don't forget about federal regulatory compliance issues, if your business
falls under those categories (SOX, GLBA, etc.)
Your company may even be *required* to have a third-party audit/test done
periodically (i.e. once per year) in order to be "certified" to meet those
federal requirements, as well as other items put in place (IDS,
monitoring, etc.)
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:48 EDT