Saturday, May 28, 2005

Security Audit Vs. Penetration Testing

Sometime you may hear the phrase "penetration testing" used interchangeably with the phrase "computer security audit". They are not the same thing. A penetration test (also known as a pen-test) is a very narrowly focused attempt to look for security holes in a critical resource, such as a firewall or Web server. Penetration testers usually operate from outside the firewall with minimal inside information in order to more realistically simulate the means by which a hacker would attack the site.

On the other hand, a computer security audit is a systematic, measurable technical assessment of how the organization's security policy is employed at a specific site. Computer security auditors work with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited.

Security audits are part of the on-going process of defining and maintaining effective security policies. This is not just a conference room activity. It involves everyone who uses any computer resources throughout the organization. Given the dynamic nature of computer configurations and information storage, some managers may wonder if there is truly any way to check the security ledgers, so to speak. Security audits provide such a tool, a fair and measurable way to examine how secure a site really is.

eCare network solutions provides various security related services in greater Vancouver area. For more information about security audits, please see Vancouver Security Audits.

No comments:

Post a Comment