Hello,

On Mon, Sep 28, 2015 at 8:43 PM, Rich Lewis <[email protected]> wrote:
<SNIP>
> I wondered if anyone on the list could recommend an organisation to do
> some penetration testing for us. We've used Pen Test Partners in the
> past, and they seemed pretty good to me, but for reasons unknown the
> auditors want us to use someone else this time round.
<SNIP>
Sometimes, when an ISP reaches a certain public sector customer base (or becomes so big it forms part of the CNI), the ISP may end up needing to use an HMG-accredited pen tester. However, others can engage these companies' services. These accredited providers, as well as being approved to pen test systems handling OFFICIAL and (under supervision) SECRET information, also get access to specialist briefings covering things like GovCERT alerts, respected vulnerability sources and other support material.

Even if you only have private sector customers, it is quite easy to end up transmitting or processing sensitive public sector data; for example, if you provide an encrypted link between two sites for a company managing payroll for a public sector body.

A similar scheme accrediting pen testers for the private sector, CREST, exists, and some pen testers are on both lists, including some mentioned in this thread.

Although you don't need this level of paper assurance, if you have a choice of providers and are having difficulty picking, you may wish to consider using the one on the CHECK list at https://www.cesg.gov.uk/finda/Pages/CHECKResults.aspx?post=1&sort=name and the CREST list at http://www.crest-approved.org/crest-member-companies/members-supplying-penetration-testing-services/index.html rather than the one that isn't listed on either. It should certainly help keep the auditors happy.

HTH,
Alex
