Questions for prospective pen test consultants
As the information security officer for a financial institution, what questions should I ask prospective penetration testing consultants before I agree to the test?
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
While this list isn't exhaustive, here are a few that I would ask:
How much experience do you have in performing penetration tests? Can you provide some references of former clients? (Check the references, don't just assume they are valid.)
What steps do you take to ensure that your penetration testers do not maliciously destroy data on our systems should they successfully get in? Have you run background checks of any kind on your employees?
Will you sign an agreement not to disclose any information that you might obtain as the result of a successful penetration?
Describe what you will do for penetration testing. Are you doing anything more than running vulnerability scanners?
Also, a good paper to read on this subject is, "Penetration Testing -- Is it right for you?", by Jimmy Braden, available on the SANS Institute site.
For more info on this topic, please visit these SearchSecurity.com resources:
On-demand webcast: Audits, assessments and penetration tests
Best Web Links: Infrastructure and network security
Dig Deeper
-
People who read this also read...
This was first published in December 2003