SANS institute has a Windows 2000 "Gold Standard", which is basically a
collection of the industry best practices for Windows 2000 server security.
However, they don't offer any auditing to certify that you've met the
standard.
When it comes to actual auditing, there are a number of large, well
respected organizations which offer penetration testing and security
auditing (PWC, Lucent, Foundstone - don't know how large foundstone is).
The issue really is whether you can convince all of your customers to accept
the audit results from the single third party auditor. The NSA also offers
certifications in their Infosec Assessment Methodology. If you can find a
reputable vendor which has NSA certified analysts, that may be enough for
your customers.
Just my 2c.
-----Original Message-----
From: Matt Hodge [mailto:security (at) hodgefamily (dot) org [email concealed]]
Sent: Friday, November 01, 2002 2:44 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Certification for Win2k Web Servers
I work at a company that offers web services to industries that are fairly
paranoid about security. With each customer we encounter they seem to
wince at hosting their data through our servers instead of hosting it
themselves. So we are repeatedly going through security audits of various
types. My question is this, are there any standards or companies that can
do an audit on a regular basis, who has enough standing in the community
that other companies will take their audit instead of doing their own? We
have already hired independent companies to do audits and we always turn
out fine but from a sales point of view it is becoming a major hurdle to
have to jump over each time. Thanks
collection of the industry best practices for Windows 2000 server security.
However, they don't offer any auditing to certify that you've met the
standard.
When it comes to actual auditing, there are a number of large, well
respected organizations which offer penetration testing and security
auditing (PWC, Lucent, Foundstone - don't know how large foundstone is).
The issue really is whether you can convince all of your customers to accept
the audit results from the single third party auditor. The NSA also offers
certifications in their Infosec Assessment Methodology. If you can find a
reputable vendor which has NSA certified analysts, that may be enough for
your customers.
Just my 2c.
-----Original Message-----
From: Matt Hodge [mailto:security (at) hodgefamily (dot) org [email concealed]]
Sent: Friday, November 01, 2002 2:44 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Certification for Win2k Web Servers
I work at a company that offers web services to industries that are fairly
paranoid about security. With each customer we encounter they seem to
wince at hosting their data through our servers instead of hosting it
themselves. So we are repeatedly going through security audits of various
types. My question is this, are there any standards or companies that can
do an audit on a regular basis, who has enough standing in the community
that other companies will take their audit instead of doing their own? We
have already hired independent companies to do audits and we always turn
out fine but from a sales point of view it is becoming a major hurdle to
have to jump over each time. Thanks
[ reply ]