Are there any relevant policy, compliance or third-party attestation issues?

About the author
Joel Scambray has held diverse roles in information security over a dozen years, including co-author of Hacking Exposed: Windows and Hacking Exposed: Web Applications, senior director of security at Microsoft, co-founder of security technology and service company Foundstone, senior security consultant for Ernst & Young and internationally recognized speaker in both public and private forums. Listen to the supplemental podcast with Joel for more information on security site assessments.

Identifying relevant policies can greatly help focus the assessment. It may also surface areas that the client has already identified as potential gaps, such as through known policy exceptions or past audit results. Value-added resellers should also always ask if the client is required to demonstrate compliance with any of the numerous security-related regulations and standards (e.g., PCI-DSS, SOX, HIPAA, GLBA, ISO 2700x and so on). This will clarify any synergies and/or impacts to upcoming compliance audits or initiatives. Finally, the customer should be asked if the results of testing will be used for purposes of attestation to third parties, in order to pre-establish clear standards for "pass/fail," any special deliverable content and format requirements, and ownership/reuse rights in the deliverables.

This was first published in May 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: