Regarding a pen-test as an audit of security is simply foolish -- a
pen-test is merely an indication of conditions at the time of the test,
nothing more. A pen-test does not provide any indicate that there are
ongoing and consistent processes in place to ensure the conditions
tested are maintained.
Also, in the US (and most countries with CA, CPA, or similar
designations) you cannot legally attest to an audit unless you hold an
appropriate accounting designation.
Louie wrote:
Keenen,
I was in a IT security consulting firm that conduct pent-test and
etc for external clients. From my experience...technically, u can be
sued. What my ex-company did was....include a "clause" in the contract
saying that you or your company should not be held responsible if the
company that you audited been hacked in the future. The arguement
is....hackers always find new ways/ideas to hack. So, after an audit
exercise doesnt mean that the company that you audited is 100% bullet
proof. It is just to "minimized the risk". Hope that answer your
questions.
Regards,
Louie Low
----- Original Message ----- From: "Keenen Milner" <kmilner@ghcllc.com>
To: "Coreappsecurity Mailing List"
<CoreAppSecurity@bankinfosecurity.com>;
<security-management@securityfocus.com>
Sent: Sunday, October 30, 2005 12:03 AM
Subject: bank audit pen test
I have a different twist on the bank audit question.
If as part of the audit, you perform a pen test and the bank gets hack
the day after you deliver your results, can you be sued? I know anyone
can sue anyone for anything but how can you realistically reduce the
chance you get sued.
Best Regards,
Keenen
____________________________________________________
Keenen Milner
Lead Partner - Computer Forensics and Technology Consulting
GHC Information Systems, LLC
Grobstein Horwath and Company, LLP
15233 Ventura Boulevard, 9th Floor
Sherman Oaks, California 91403
(818) 325-8466 - voice
(818) 325-8566 - fax
____________________________________________________
