Security review for SOX



  • As part of the security of IT review for a SOX project, do you simply review documentation that proves that tests have taken place, or do you also carry out tests such as penetration testing, password crack testing, port scanning, etc.?
    Usually when I do a security audit I do all these tests myself. The client is telling me that these tests have been carried out and I just need to document that this has occurred. Seems bizarre to me.
    Michelle





  • Hello:
    I suggest you take a look at COBIT PO9, Assess the Risks. The COBIT Audit Guidelines might also help you with COBIT PO9 too.
    This details what is really required of a comprehensive security review. One of the requirements is an INDEPENDENT security assessment at least once a year.
    Let's face it... You manage the same system you are trying to break; therefore, you probably blocked everything you can think of. However, it's the things you didn't think of that can haunt you.
    Detailed documentation of your own tests of course helps you show you have a comprehensive security assessment, but it is only one step on the long path.
    I hope this helps... and take a look at PO9 both in the full COBIT Objectives and in the Audit Guidelines.

