Penetration tests and vulnerability assessments are becoming more common across the whole industry as organizations find that it is necessary to prove a certain level of security for infrastructure/applications. The need to exchange test result information is also increasing substantially. External parties ranging from business partners and clients to regulators may ask for proof of tests being done and also the results of the test (aka. a clean bill of health).
Jason (93 Posts, ISC Handler), Nov 19th 2010
My take has always been to not volunteer anything to auditors/regulators. Give them exactly what they ask for and no more. Your concept of giving them an executive summary is a good idea. But I would not worry about whether I have given them enough. If they want more, they will ask for it, and I will give it to them. The only downside with this tack is your extra work in manually giving them extra information. One solution then would be to give them the entire technical report. I think that after you have given them those 250 pages of single-spaced text, they will never ask you for anything more again ;)
Curt (Anonymous), Nov 19th 2010
I'd like to highlight another point:
If you're using an external company to perform the assessment, be sure to discuss your report sharing options in advance, and incorporate the shared understanding into the contract. Providers of penetration testing services may be careful about how their brand is used to "vouch" for security, and may restrict the client from revealing the name of the assessment company when sharing the report. -- Lenny (http://blog.zeltser.com)
Lenny (216 Posts), Nov 19th 2010
A scheme exists in a related area; BITS (http://www.bitsinfo.org/ ) enables members to share security-related information on suppliers. RFI / RFP responses, customer audits, that sort of thing. This seems an excellent development. Ideally, all such information will ultimately be freely available to all. (Disclosure - my employer has customers who participate in BITS. I don't speak for my employer of course, yadda yadda blah blah personal opinion only.)
http://www.bankinfosecurity.com/articles.php?art_id=969
Lenny (4 Posts), Nov 20th 2010