Network Security Pen-Test

Re: rules of engagement scope

Subject: Re: rules of engagement scope
Date: 19 May 2006 19:35:58 -0000
Ivan Arce is correct.

"The original author (Mr. Nasty) equated defining the scope of a penetration
test to committing (or attempting to commit) fraud on the basis that if you
define a precise scope then you are purposely leaving out things that may be
important to the general public (I am assuming that he intended to apply that
rationale to government, public service organizations and public companies).

So you are talking about a different thing: Fraud (or is it phraud?) committed
by the penetration tester because she exceeded the scope of what she
was allowed to do, whereas Mr. Nasty proposed that having a scope defined by
the organization subject to the test is somehow equivalent to fraud (if the
results of the test are not made public)."

The only rationale that I can see from what Ivan's written is that he has been
there. Most others have not. That's why there is a complete disconnect between
logic and reason.

Omar Huerra wrote:
"I've been an auditor myself for one of the remaining big 4 (doing security
assessments in support of financial audits, started as consultant, then Sr.
consultant and finally as manager) and I'm not convinced that your perception is
at all correct.

If you are referring to information security people that do assessments during
a financial audit (brought in by the auditors) then their job is definitely not
what you say. They are there to support the financial auditors, not to find the
low hanging fruit. If you want this then simply
hire a pentest team for this specific purpose."

Hence my point that the pen test is in support of the financial statements. In
a perfect world you might be able to establish ROE on a pen-test and feel
confident to rely on the results. As the commercial states, "we don't live in
Perfect".

I don't want to deliberate on this too much more.
Since I receive information on specific audit requirements, here is the most
recent from ISACA:
The Standards Board has issued the following IS Auditing Standards, which
become effective for IS audits commencing after 1 July 2006:
- S12 Audit Materiality
- S13 Using the Work of Other Experts *****
- S14 Audit Evidence

My concerns with ROEs are defined within S13. Any big 4 (or maybe big 3 now)
manager should know this. Audit Managers are brought to the back room by the
CFO or CEO and presented with a pentest from within the past 12 months that
covered dialup issues. Everyone smiles and the Audit Manager is led out of the
room with the cover letter stating that the pen-test performed was in
conformance with all ROE. The Audit Manager, knowing he has to cut costs or
it's coming out of his budget, will accept the pen-test as support and reduce
the confidence sample.

REALITY? Yes. FRAUD? With a good attorney like Ken Lay's, or if you're a cute
Florida school teacher, you just clean up your resume and work for the big 2.
