From: Roberta Bragg (freouwebbe_at_msn.com)
Date: Mon Nov 04 2002 - 12:02:39 CST

    Some good thoughts here, but a small correction.

    The SANS Gold Standard training is in understanding and applying the
    recent composite security standard for Microsoft Windows 2000
    Professional (not Server). (The composite is an NSA, NIST, SANS,
    Microsoft, etc. consensus.) There is a certificate available (not a
    certification).

    Roberta Bragg
    Have Computer Will Travel, Inc.

    > -----Original Message-----
    > From: disciple [mailto:marcusnwnc.net]
    > Sent: Friday, November 01, 2002 4:50 PM
    > To: Matt Hodge; focus-mssecurityfocus.com
    > Subject: RE: Certification for Win2k Web Servers
    >
    >
    > SANS Institute has a Windows 2000 "Gold Standard", which is basically
    > a collection of the industry best practices for Windows 2000 server
    > security. However, they don't offer any auditing to certify that
    > you've met the standard.
    >
    > When it comes to actual auditing, there are a number of large, well
    > respected organizations which offer penetration testing and security
    > auditing (PWC, Lucent, Foundstone - don't know how large Foundstone
    > is). The issue really is whether you can convince all of your
    > customers to accept the audit results from the single third party
    > auditor. The NSA also offers certifications in their Infosec
    > Assessment Methodology. If you can find a reputable vendor which has
    > NSA certified analysts, that may be enough for your customers.
    >
    > Just my 2c.
    >
    >
    >
    > -----Original Message-----
    > From: Matt Hodge [mailto:securityhodgefamily.org]
    > Sent: Friday, November 01, 2002 2:44 PM
    > To: focus-mssecurityfocus.com
    > Subject: Certification for Win2k Web Servers
    >
    > I work at a company that offers web services to industries that are
    > fairly paranoid about security. With each customer we encounter, they
    > seem to wince at hosting their data through our servers instead of
    > hosting it themselves. So we are repeatedly going through security
    > audits of various types. My question is this: are there any standards
    > or companies that can do an audit on a regular basis, who have enough
    > standing in the community that other companies will take their audit
    > instead of doing their own? We have already hired independent
    > companies to do audits and we always turn out fine, but from a sales
    > point of view it is becoming a major hurdle to have to jump over each
    > time. Thanks