RE: Pentest Letter of Achievement/Certificate

From: Lyal Collins (lyal.collins@key2it.com.au)
Date: Fri Jul 15 2005 - 21:54:08 EDT


To date, under AIS (Visa AP and presumably CISP), anyone, even internally,
carrying out an existing program/cycle of vulnerability scans appears to
have been accepted as well. Just a matter of filling in a form. No one so
far has even asked for a copy of reports, except the auditor seeking
evidence that vuln scans do occur.

Lyal

-----Original Message-----
From: Mike Klingler [mailto:mike@securitymetrics.com]
Sent: Friday, 15 July 2005 12:09 PM
To: Paul Fields
Cc: pen-test@securityfocus.com
Subject: Re: Pentest Letter of Achievement/Certificate

Paul Fields wrote:
> Payment Card Industry data security standards specifically ask for
> quarterly vulnerability scans and annual pen testing.
>
> Gramm-Leach-Bliley Act also asks for periodic testing of systems.
>
> Now that they ask for it, how do you prove what you've done?

Well, they do have a list of companies that can do the VA scanning that they
accept. Anyone can try to get on the list to do scanning for it.

>
> One of the reasons we use repeatable methodologies in audits is the
> assumption that someone else using the same knowledge, tools, and
> techniques could easily come up with the same results.
>

They evaluate the different companies scanning with a baseline set of
systems that have weaknesses on them. If you do well enough for them, you
get accepted.

Michael Klingler



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:35 EDT