Re: Crash in system scanned

From: DaKahuna (da.kahuna@gmail.com)
Date: Tue Jan 08 2008 - 19:49:20 EST


On Jan 7, 2008, at 10:48 AM, ahgaber_rehan@yahoo.com wrote:

> I need to know if internal auditor is scanning a system over the LAN
> during audit assignment, who should take the responsibility if the
> scanned system went down / crashed due to this scan. I am quite sure
> scanning has to be prearranged with IT and IT Security and approved
> on the targeted systems, and it’s important for IT auditor to
> perform such scanning to avoid any scope limitations during the audit.

  It depends. In my company, Corporate IT Security has the right, by
policy, to scan the network at any time without notifying anyone. We
make sure that we do not run DoS scans but other than that there is no
guarantee. We have a requirement for all systems to be scanned on a
monthly basis using one of a variety of tools and that scanning is
done by IT / IT Security staff supporting the business. Corporate IT
Security is the only group authorized to scan across the WAN without
prior notification. Internal audit in my company does not do network
scanning. If they want a network scan as part of the audit they are
conducting, they get one of my staff or an SME from the business to
support them.

As to who is responsible, in my opinion it is the application owner.
Why should a Nessus or Nmap scan bring down a properly configured and
fully patched application?

DK



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT