Penetration Testing and Sarbanes Oxley 729

  • Sometimes, in order to assess risks, discover weaknesses, and decide which countermeasures to put into place (and where to put them), we decide to do a pen test.

    1. Pen test is not needed for Sarbanes Oxley. A risk assessment is much more appropriate.
    2. If you decide to do a pen test, be careful: Do not hire a cracker. A few days ago I heard the excuse ‘To protect yourself from a hacker you need a hacker’.
    • You will never be able to document the results of the pen test for Sarbanes Oxley.
    • You will never be able to justify that you knowingly hired a criminal and gave him access to the most sensitive information in your organization.

  • Pen tests are also only representative of the adequacy of your controls at a given point in time. Penetration tests are very complicated and, unless you have a top-rate tester, you are prone to a less than thorough test.
    I work for an Internet security provider, and I can completely agree with your statement about not using a cracker for a test. There are plenty of highly intelligent people who have decided to stay on the right side of the law.
    I do believe risk assessments, proper security controls and ongoing management are more valuable than penetration tests, but if you do have those well established, pen tests can expose areas for improvement. For most companies, that will mean as much process and education as technology.
