Network Security Assessment: From Vulnerability to Patch

Chapter 10: Regulatory Compliance

Introduction

Vulnerability assessments (VAs) and penetration tests (pen tests) have long been major components of information security programs. In fact, security managers have historically defined when and how they would conduct these exercises, as well as the scope of such exercises. Nevertheless, a missed assessment or pen test traditionally wasn't a big deal. Considering the resource constraints of most information security departments, missing an assessment period, or even two, was quasi-acceptable.

But that is no longer the case. Today businesses and industries are being besieged by compliance statutes. As security professionals and business leaders, we are no longer left to our own accord regarding how we create and implement our information security programs. In this chapter, we'll discuss the impact that regulations have had on vulnerability assessment and pen testing, as well as how to draft an information security program to meet an ever-changing business environment. See Appendix A for more information on the legal ramifications of regulatory compliance.

Regulating Assessments and Pen Tests

Unless we're operating a family diner, have an insignificant number of patrons, don't offer a healthcare plan to our employees, and run our entire business on cash, our organization is probably subject to at least one government/industry regulation. In fact, most organizations today are feeling the compliance burden and are subject to not one, but many compliance statutes. For instance, hospitals and healthcare providers are being besieged by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and many companies are still grappling with the...
