Security Posture Assessment resources

No, I don’t think this is a good start.
It ignores such fundamentals as policy, change management, awareness, management reporting, risk assessment and risk tolerance …

And much like that.

Take a look at and tell us how you and your management view something like that for “assessing posture”.

I can make a very good case to management, the people who will be supplying the budget for such things and to whom the reports will go, that PenTesting is such an insignificant part of a security assessment and has nothing to do with an organization’s security posture that it is misleading for Hollywood and the media to play it up.

Errors and omissions, poor configuration, inadequate training, poorly specified and tested applications; these and other “insider risks” – quite apart from any “malicious” insiders – swamp the external flaws that a PenTest would uncover by a ratio of many tens of thousands to one.

Note: I said ‘flaws’ not ‘risks’. A security expert should be focusing on the risks, not the flaws. That’s what separates a security expert from a techie who is keen on ‘security’ and thinks it’s cool.

A Security Posture is not about holes in the firewall or XSS flaws in the web pages. One can imagine that Bernie Madoff’s web page was quite secure, that the IT departments of Enron, Worldcom/MCI and other ‘Poster-Boys’ had great IT practices and a good ISMS. We KNOW that there were credit card companies that passed the PCI audits and PenTests/scans yet were still compromised.

No, a PenTest, even when of value, is NOT the place to start.

And if a PenTest shows a leaking sieve you can be sure it’s because the Tone At The Top is wrong.

And if a PenTest shows nothing wrong, it still says nothing about how FUBARed (or FUBBed if you are British) the organization is internally.

Have you looked at other models like Cobit – which starts with the question “What is your IT strategy and how does it empower the organization?”

If you view yourself as a technical type and don’t want to get involved in things you deem ‘management’, then there’s still stuff like ISM3.
