Penetration Testing and Sarbanes Oxley
Sometimes, in order to assess risks, discover weaknesses, and decide which countermeasures to put in place (and where to put them), we decide to do a pen test.
- A pen test is not needed for Sarbanes Oxley. A risk assessment is much more appropriate.
- If you decide to do a pen test, be careful: do not hire a cracker. A few days ago, I heard the excuse ‘To protect yourself from a hacker you need a hacker’.
- You will never be able to document the results of the pen test for Sarbanes Oxley.
- You will never be able to justify that you knowingly hired a criminal and gave him access to the most sensitive information in your organization.