Re: Penetration Testing or Vulnerability Scanning?

From: Jorge Lozano (lozano_jorge@yahoo.com)
Date: Thu Jul 03 2003 - 23:04:14 EDT


You can find the booklets here:

http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

Cheers

--- Osiokegbhai Ojior <oojior@worldspan.com> wrote:
> In-Reply-To: <1047256692.1211.29.camel@localhost>
>
> I did a search on Google for FFIEC Information
> Security booklet and I'm
> coming up short on this item. Could you please
> provide a link to a pdf or
> information on how to get a copy of this booklet?
>
> This topic is right on the money and I am in the
> process of re-documenting
> a formal understanding of what this all is for my
> company so that we're
> all on the same page.
>
> Thanks.
>
> -Osioke
>
> >
> >I like the explanation in the new FFIEC Information
> Security booklet:
> >
> >"Penetration tests, audits, and assessments can use
> the same set of
> >tools in their methodologies. The nature of the
> tests, however, is
> >decidedly different. Additionally, the definitions
> of penetration test
> >and assessment, in particular, are not universally
> held and have changed
> >over time.
> >
> >Penetration Tests. A penetration test subjects a
> system to the
> >real-world attacks selected and conducted by the
> testing personnel. The
> >benefit of a penetration test is to identify the
> extent to which a
> >system can be compromised before the attack is
> identified and assess the
> >response mechanism's effectiveness. Penetration
> tests generally are not
> >a comprehensive test of the system's security and
> should be combined
> >with other independent diagnostic tests to validate
> the effectiveness of
> >the security process.
> >
> >Audits. Auditing compares current practices against
> a set of standards.
> >Industry groups or institution management may
> create those standards.
> >Institution management is responsible for
> demonstrating that the
> >standards they adopt are appropriate for their
> institution.
> >
> >Assessments. An assessment is a study to locate
> security vulnerabilities
> >and identify corrective actions. An assessment
> differs from an audit by
> >not having a set of standards to test against. It
> differs from a
> >penetration test by providing the tester with full
> access to the systems
> >being tested. Assessments may be focused on the
> security process or the
> >information system. They may also focus on
> different aspects of the
> >information system, such as one or more hosts or
> networks."
> >
> >-- Doug
> >
>


---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get
trustworthy commercial-grade exploits and the latest techniques from a
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1
or call 617-399-6980
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT