Auditing and requirements

From: xelerated (xelerated@gmail.com)
Date: Thu Jan 10 2008 - 12:36:46 EST


I wanted to ask here, since in my experience many pen testers have at least some audit experience.

My question has to do with DISA STIGs. Now, it is my understanding, and that of everyone that I have asked so far, that the DISA STIGs are only requirements for DoD IA systems.

So, who out there would give a company a finding for not having A/V on a Unix system based on DISA STIGs when the STIGs do not apply to the company nor the systems in question? And the actual policies and requirements that DO apply to said company and systems (NIST included) do not have any hard requirements for doing this.

Also, as a side note, does it make any sense to go through a company and try to apply ALL STIGs possible, and for the ones that don't leave a system unusable, then write a justification for those?

I thank you all for your input. It's an important issue to me right now and I greatly appreciate your feedback.

Thanks
Chris

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT