
Hey all,
The CIOs reauthorized assessments for the next two fiscal years at their last meeting. As it happens, the budget was never adjusted when we went to a two-year cycle so there are some extra funds available this fiscal year and I think we'll use that money to purchase our hardware refresh stuff.
I also need to inform the ISO committee (which some of you sit on) that we're going to keep going. I'm going to ask for input from that group on direction for the assessments, but I also want to make sure that the team has input as well.
Ideas we've thrown around in the past include:
- Enhanced physical / social engineering testing (proximity stuff, duckies, etc.)
- Longer assessment time period, more work done before showing up on campus, etc. Possibly allows the team to assume a quieter stance to avoid detection. (Is this feasible for a part-time team?)
- SANS Critical Security Controls (make sure pen-testing meshes with SANS controls)
What other ideas or direction would you like for the assessments moving forward?
Thanks,
Andrew