And much like that.
Take a look at http://www.praxiom.com/iso-17799-objectives.htm and tell us how you and your management view something like that for "assessing posture".
I can make a very good case to management, the people who will be supplying the budget for such things and to whom the reports will go, that PenTesting is such an insignificant part of a security assessment and has nothing to do with an organization's security posture that it is misleading for Hollywood and the media to play it up.
Errors and omissions, poor configuration, inadequate training, poorly specified and tested applications; these and other "insider risks" - quite apart from any "malicious" insiders - swamp the external flaws that a PenTest would uncover by a ratio of many tens of thousands to one.
Note: I said 'flaws' not 'risks'. A security expert should be focusing on the risks, not the flaws. That's what separates a security expert from a techie who is keen on 'security' and thinks it's cool.
A Security Posture is not about holes in the firewall or XSS flaws in the web pages. One can imagine that Bernie Madoff's web page was quite secure, that the IT departments of Enron, Worldcom/MCI and other 'Poster-Boys' had great IT practices and a good ISMS. We KNOW that there were credit card companies that passed the PCI audits and PenTests/scans yet were still compromised.
No, a PenTest, even when of value, is NOT the place to start.
And if a PenTest shows a leaking sieve you can be sure it's because the Tone At The Top is wrong.
Have you looked at other models like Cobit - which starts with the question "What is your IT strategy and how does it empower the organization?"
If you view yourself as a technical type and don't want to get involved in things you deem 'management', then there's still stuff like ISM3