You can find the booklets here: http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

Cheers

--- Osiokegbhai Ojior <oojiorat_private> wrote:
> In-Reply-To: <1047256692.1211.29.camel@localhost>
>
> I did a search on Google for FFIEC Information Security booklet and I'm
> coming up short on this item. Could you please provide a link to a PDF or
> information on how to get a copy of this booklet?
>
> This topic is right on the money and I am in the process of re-documenting
> a formal understanding of what this all is for my company so that we're
> all on the same page.
>
> Thanks.
>
> -Osioke
>
> >I like the explanation in the new FFIEC Information Security booklet:
> >
> >"Penetration tests, audits, and assessments can use the same set of
> >tools in their methodologies. The nature of the tests, however, is
> >decidedly different. Additionally, the definitions of penetration test
> >and assessment, in particular, are not universally held and have changed
> >over time.
> >
> >Penetration Tests. A penetration test subjects a system to the
> >real-world attacks selected and conducted by the testing personnel. The
> >benefit of a penetration test is to identify the extent to which a
> >system can be compromised before the attack is identified and assess the
> >response mechanism's effectiveness. Penetration tests generally are not
> >a comprehensive test of the system's security and should be combined
> >with other independent diagnostic tests to validate the effectiveness of
> >the security process.
> >
> >Audits. Auditing compares current practices against a set of standards.
> >Industry groups or institution management may create those standards.
> >Institution management is responsible for demonstrating that the
> >standards they adopt are appropriate for their institution.
> >
> >Assessments. An assessment is a study to locate security vulnerabilities
> >and identify corrective actions. An assessment differs from an audit by
> >not having a set of standards to test against. It differs from a
> >penetration test by providing the tester with full access to the systems
> >being tested. Assessments may be focused on the security process or the
> >information system. They may also focus on different aspects of the
> >information system, such as one or more hosts or networks."
> >
> >-- Doug
>
> ---------------------------------------------------------------------------
> Latest attack techniques.
>
> You're a pen tester, but is google.com still your R&D team? Now you can get
> trustworthy commercial-grade exploits and the latest techniques from a
> world-class research group.
>
> Visit us at: www.coresecurity.com/promos/sf_ept1
> or call 617-399-6980
> ----------------------------------------------------------------------------

__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com
This archive was generated by hypermail 2b30 : Fri Jul 04 2003 - 07:57:31 PDT