Penetration Testing and Sarbanes-Oxley

  • Sometimes, in order to assess risks, discover weaknesses, and decide which countermeasures to put into place (and where to put them), we decide to do a pen test.

    1. A pen test is not needed for Sarbanes-Oxley. A risk assessment is much more appropriate.
    2. If you decide to do a pen test, be careful: do not hire a cracker. A few days ago, I heard the excuse ‘To protect yourself from a hacker you need a hacker’.
    • You will never be able to document the results of the pen test for Sarbanes-Oxley.
    • You will never be able to justify that you knowingly hired a criminal and gave him access to the most sensitive information in your organization.