We developed this hand-out to simplify the process of choosing the best approach to attestation.
Attestation Options*

The original hand-out rated each option on Cost, Level of Assurance, Internal Resources and Time to Perform using graphical scales that did not survive extraction; the Industry Acceptance and Type of Testing columns are reproduced below.

| Option* | Industry Acceptance | Type of Testing |
|---|---|---|
| Vulnerability Assessment | May be acceptable, but a Penetration Test is more commonly used. | Compliance - Proves the "net" solution is not vulnerable. |
| Penetration Test | Widely accepted as validation of overall security level. Can be used independently or in concert with design/compliance tests to provide much higher levels of assurance. | Substantive - Proves the "net" solution cannot be impacted by a malicious individual. |
| Security Roadmap | Widely used to maintain a relationship with a client who has recently enacted a much more stringent set of security requirements for its vendors. | Design - Likely only acceptable when coupled with a substantive form of proof as well. |
| Secure Data Flow Diagram | Excellent mechanism to succinctly demonstrate security. Generally used with other forms of assurance, or where more formal documentation of controls is not available. | Design - Proves that the design of the environment is reasonable and appropriate. |
| System Security Plan or Information Security Policy Document | Widely accepted - many firms request this information in the form of control questionnaires. | Design - High level of assurance that the design of the environment is reasonable and appropriate. |
| Design Review (e.g., Network, Application, Solution, SDLC, Incident Response) | Low to High (dependent upon the vendor and the ability of critical risks to be mitigated by a small set of controls). | Design - High level of assurance that the solution element reviewed will mitigate specific risks to an acceptable level. |
| Gap Assessments against Client, Regulatory or Best Practices Standards (e.g., HIPAA, PCI, etc.) | Moderate to high level of acceptance, dependent upon the extent/rigor of the assessment, the "relevance" of the standard chosen, and the independence of the entity conducting the assessment. | Design - High level of assurance that the design of the controls achieves the reference standards. |
| BITS Shared Assessment (essentially ISO 27002) | Widely used/highly regarded in the financial sector. See Gap Assessments. This is an ISO 27002 based standard. | Design - Assurance that the design of the environment is consistent with Shared Assessments. |
| ISO 27002 Gap Assessment | Internationally recognized as the leading information security "standard" for more than a decade (formerly ISO 17799). | Design & Compliance - Assurance that the design of the environment is consistent with industry best practice (ISO 27002). |
| ISO 27002 Compliance Assessment | Validates both the design and operation of 27002 controls, providing a very high level of assurance. | Design & Compliance - Assurance that the controls are in place and operating as intended. |
| SAS-70 | Validates that the documented controls are in place and operating as intended, as well as providing some assurance of the design. | Compliance - Assurance that the controls are in place and operating as intended. |
| ISO 27001 Certification | Internationally recognized certification of the design/operation of the technical controls (27002) AND the Information Security Management System that governs them. | Design & Compliance - Internationally recognized certification that the design and operation of the environment are secure. |
* See reverse for detailed descriptions of options. www.pivotpointsecurity.com - or 1.888.PIVOTPOINT
A Glossary of Terms
Vulnerability Assessment: Automated identification of vulnerabilities on one or more of the key components (e.g., network, systems, applications, databases) supporting your customers' service.

Gap Assessments (against Client or Regulatory Standard): Detailed review of the controls in place (management/technical/operational) and determination of whether they are "consistent" with the reference standard.