Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Canned audits

from [Dotzero] Network Security [Permanent Link]
Subject: Re: Canned audits
Date: Sat, 25 Mar 2006 18:50:38 -0500 
On 3/24/06, ROB DIXON <rdixon@workforcewv.org> wrote:

Hi All,

We have had many audits in the past by 3 party vendors. My company is finally 
interested in performing some of these audits in house and a little more 
frequently than the annual 3rd party audits.



The first question would be, what are you currently being audited for
and to what standard? If you don't know this and have annual audits
that you have been through I have to scratch my head. The audit report
should clearly state the standard to which you are being held. The
standard should generally be publicly available. For example you can
go to Visa, Mastercard, (I assume other major card companies) and
download the form and (methodology) that all authorized 3rd party
auditors must use.


My question is, is there a software package, a "canned" audit that can be 
performed? Basic info gathering questions regarding authentication controls, 
network documentation(how and where it is stored), question that should be 
asked regarding wireless AP and other basic security questions?



You will definately get some interesting wireless questions on the
PCI-CISP assessment audit form.

It is what I would call pretty transparent. It doesn't get down to
some of the details but certainly forces self-examination. I'm sure
you can find stuff for SOX, HIPPAA or GLBA out there.

Audit is a pretty generic term (about meaningless) unless a 3rd party
can have confidence in the methodology and results.

Dotzero

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
As attacks through web applications continue to rise, you need to proactively 
protect your applications from hackers. Cenzic has the most comprehensive 
solutions to meet your application security penetration testing and 
vulnerability management needs. You have an option to go with a managed 
service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). 
Download FREE whitepaper on how a managed service can help you: 
http://www.cenzic.com/forms/ec.php?pubid=10025
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request@cenzic.com
------------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Canned audits, Gareth Davies
Next by Date:  Swivel Authentication Evaluation, V1N0D
Previous by Thread:  Re: Canned audits, Gareth Davies
Next by Thread:  Re: Canned audits, imariot@gmail.com
Indexes:  [Date] [Thread] [Top] [All Lists]