Penetration Testing and Sarbanes Oxley
lekatis
Sometimes, in order to assess risks, discover weaknesses, and decide which countermeasures to put into place (and where to put them), we decide to do a pen test.
- A pen test is not needed for Sarbanes Oxley. A risk assessment is much more appropriate.
- If you decide to do a pen test, be careful: do not hire a cracker. A few days ago, I heard the excuse ‘To protect yourself from a hacker you need a hacker’.
- You will never be able to document the results of the pen test for Sarbanes Oxley.
- You will never be able to justify that you knowingly hired a criminal and gave him access to the most sensitive information in your organization.