Useful summary article and do's and don'ts regarding penetration testing by law firms.
Pen Testing: The Good, the Bad and the Agreement
Although conducting pen testing is prudent and becoming common, it is also fraught with potential pitfalls. When embarking on such a project, a company should fully understand its scope and include certain contractual protections with the pen tester.
By Ian G. DiBernardo and Jeffrey Mann | March 02, 2018; New York Law Journal
Conclusion
Penetration testing is an important tool in a company’s cybersecurity arsenal, and in some cases it is even required by regulators. However, to ensure the full benefit of pen testing, while avoiding additional risk, companies need to manage the project, including through diligence and thoughtful and robust contractual protections.
https://www.law.com/newyorklawjournal/2018/03/02/pen-testing-the-good-the-bad-and-the-agreement/
Cloud and Data Security Assessments
Cloud Security Alliance (CSA) would like to present the next version of the Consensus Assessments Initiative Questionnaire (CAIQ) v3.1.
The CAIQ offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance with the Cloud Controls Matrix (CCM). Therefore, it helps cloud customers gauge the security posture of prospective cloud service providers and determine whether their cloud services are suitably secure.
CAIQ v3.1 represents a minor update to the previous CAIQ v3.0.1. In addition to improving the clarity and accuracy, it also supports better auditability of the CCM controls. The new updated version aims to not only correct errors but also appropriately align and improve the semantics of unclear questions for corresponding CCM v3.0.1 controls. In total, 49 new questions were added, and 25 existing ones were revised.