Questions for prospective pen test consultants
As the information security officer for a financial institution, what questions should I ask prospective penetration testing consultants before I agree to the test?
While this list isn't exhaustive, here are a few that I would ask:
How much experience do you have in performing penetration tests? Can you provide some references of former clients? (Check the references, don't just assume they are valid.)
What steps do you take to ensure that your penetration testers do not maliciously destroy data on our systems should they successfully get in? Have you run background checks of any kind on your employees?
Will you sign an agreement not to disclose any information that you might obtain as the result of a successful penetration?
Describe what you will do for penetration testing. Are you doing anything more than running vulnerability scanners?
Also, a good paper to read on this subject is, "Penetration Testing -- Is it right for you?", by Jimmy Braden, available on the SANS Institute site.
For more info on this topic, please visit these SearchSecurity.com resources:
On-demand webcast: Audits, assessments and penetration tests
Best Web Links: Infrastructure and network security
This was first published in December 2003