||Home Security Guides Library
Thursday, 29 March 2007
Security risk assessment, risk management assessment, security risk management, security audit, security compliance, security management, vulnerability assessment, security policy, policy assessment, vulnerability assessments, security analysis, management assessment, security consulting, security policies, security consultants, risk security, security plan, security systems, assessment evaluation, assessment standards, security monitoring, security testing, network security, risks security, information security, application security, assessment development, ethical hacking, sample assessment, it security, threat security, security report, security scan, security protection, security test, assessment report, security auditing, security solutions, network audit, security services, vulnerability, management threat assessment, network assessment, security vulnerability, risk management, data security, security risk, business security, intrusion detection, computer security, internet security, risk assessments, web security.
|Essential Tips to Ensure Your
A critical step to ensure that your project is a success is in choosing which supplier to use.
As an absolute fundamental when choosing a security partner, first eliminate the supplier who provided the systems that will be tested. To use them will create a conflict of interest (will they really tell you that they deployed the systems insecurely, or quietly ignore some issues).
Detailed below are some questions that you might want to ask your potential security partner:
- Is security assessment their core business?
- How long have they been providing security assessment services?
- Do they offer a range of services that can be tailored to your specific needs?
- Are they vendor independent (do they have NDAs with vendors that prevent them passing information to you)?
- Do they perform their own research, or are they dependent on out-of-date information that is placed in the public domain by others?
- What are their consultantís credentials?
- How experienced are the proposed testing team (how long have they been testing,
and what is their background and age)?
- Do they hold professional certifications, such as PCI, CISSP, CISA,
- Are they recognised contributors within the security industry (white papers, advisories, public speakers etc)?
- Are the CVs available for the team that will be working on your project?
- How would the supplier approach the project?
- Do they have a standardised methodology that meets and exceeds the common
ones, such as OSSTMM, CHECK and OWASP?
- Can you get access to a sample report to assess the output (is it something you could give to your executives; do they communicate the business issues in a non-technical manner)?
- What is their policy on confidentiality?
- Do they outsource or use contractors?
- Are references available from satisfied customers in the same industry sector?
- Is there a legal agreement that will protect you from negligence on behalf of the supplier?
- Does the supplier maintain sufficient insurance cover to protect your organisation?
There are a number of good standards and guidelines in relation to information security in general, for penetration tests in particular, and for the storage of certain types of data. Any provider chosen should at least have a working knowledge of these standards and would ideally be exceeding their recommendations.
Notable organisations and standards include:
The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.
ISACA was established in 1967 and has become a pace-setting global organization
for information governance, control, security and audit professionals. Its IS Auditing and IS Control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement.
The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistent high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT
system. In the absence of other standards, CHECK has become the de-facto standard for penetration testing in the UK. This is mainly on account of its rigorous certification process. Whilst good it only concentrates on infrastructure testing and not application. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association. It must also be noted that
CHECK consultants are only required when the assessment is for HMG or related parties, and meets the requirements above. If you want a CHECK test you will need to surrender your penetration testing results to CESG.
The aim of The Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organisation concerns, such as the corporate profile of the penetration-testing provider.
The Open Web Application Security Project (OWASP) is an Open Source community project developing software tools and knowledge based documentation that helps people secure web applications and web services. It is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of web applications and Web Services.
The key areas of relevance are the forthcoming Guide to Testing Security of Web Applications and Web Services and the testing tools under the development projects. The
Guide to Building Secure Web Applications not only covers design principals, but also is a useful document for setting out criteria by which to assess vendors and test systems.