In-Reply-To: <1047256692.1211.29.camel@localhost>

I did a search on Google for the FFIEC Information Security booklet and I'm coming up short on this item. Could you please provide a link to a PDF or information on how to get a copy of this booklet?

This topic is right on the money, and I am in the process of re-documenting a formal understanding of what this all is for my company so that we're all on the same page.

Thanks.

-Osioke

>
> I like the explanation in the new FFIEC Information Security booklet:
>
> "Penetration tests, audits, and assessments can use the same set of
> tools in their methodologies. The nature of the tests, however, is
> decidedly different. Additionally, the definitions of penetration test
> and assessment, in particular, are not universally held and have changed
> over time.
>
> Penetration Tests. A penetration test subjects a system to the
> real-world attacks selected and conducted by the testing personnel. The
> benefit of a penetration test is to identify the extent to which a
> system can be compromised before the attack is identified and assess the
> response mechanism's effectiveness. Penetration tests generally are not
> a comprehensive test of the system's security and should be combined
> with other independent diagnostic tests to validate the effectiveness of
> the security process.
>
> Audits. Auditing compares current practices against a set of standards.
> Industry groups or institution management may create those standards.
> Institution management is responsible for demonstrating that the
> standards they adopt are appropriate for their institution.
>
> Assessments. An assessment is a study to locate security vulnerabilities
> and identify corrective actions. An assessment differs from an audit by
> not having a set of standards to test against. It differs from a
> penetration test by providing the tester with full access to the systems
> being tested. Assessments may be focused on the security process or the
> information system. They may also focus on different aspects of the
> information system, such as one or more hosts or networks."
>
> -- Doug
>
This archive was generated by hypermail 2b30 : Thu Jul 03 2003 - 15:01:11 PDT