Focus on Microsoft
Certification for Win2k Web Servers Nov 01 2002 08:43PM
Matt Hodge (security hodgefamily org) (2 replies)
Re: Certification for Win2k Web Servers Nov 01 2002 11:14PM
Mailing Lists (MailingLists Chello nl)
RE: Certification for Win2k Web Servers Nov 01 2002 10:49PM
disciple (marcus nwnc net) (1 replies)
RE: Certification for Win2k Web Servers Nov 04 2002 06:02PM
Roberta Bragg (freouwebbe msn com) (1 replies)
Some good thoughts here, but a small correction.

The SANS gold standard training is in understanding and applying the recent
composite security standard for Microsoft Windows 2000 Professional (not
server). (The composite is an NSA, NIST, SANS, Microsoft, etc., etc.
consensus.) And there is a certificate available (not certification).

Roberta Bragg
Have Computer Will Travel, Inc.

> -----Original Message-----
> From: disciple [mailto:marcus (at) nwnc (dot) net]
> Sent: Friday, November 01, 2002 4:50 PM
> To: Matt Hodge; focus-ms (at) securityfocus (dot) com
> Subject: RE: Certification for Win2k Web Servers
>
> SANS Institute has a Windows 2000 "Gold Standard", which is basically a
> collection of the industry best practices for Windows 2000 server security.
> However, they don't offer any auditing to certify that you've met the
> standard.
>
> When it comes to actual auditing, there are a number of large, well
> respected organizations which offer penetration testing and security
> auditing (PWC, Lucent, Foundstone - don't know how large Foundstone is).
> The issue really is whether you can convince all of your customers to accept
> the audit results from the single third party auditor. The NSA also offers
> certifications in their Infosec Assessment Methodology. If you can find a
> reputable vendor which has NSA certified analysts, that may be enough for
> your customers.
>
> Just my 2c.
>
> -----Original Message-----
> From: Matt Hodge [mailto:security (at) hodgefamily (dot) org]
> Sent: Friday, November 01, 2002 2:44 PM
> To: focus-ms (at) securityfocus (dot) com
> Subject: Certification for Win2k Web Servers
>
> I work at a company that offers web services to industries that are fairly
> paranoid about security. With each customer we encounter they seem to
> wince at hosting their data through our servers instead of hosting it
> themselves. So we are repeatedly going through security audits of various
> types. My question is this: are there any standards or companies that can
> do an audit on a regular basis, who have enough standing in the community
> that other companies will take their audit instead of doing their own? We
> have already hired independent companies to do audits and we always turn
> out fine, but from a sales point of view it is becoming a major hurdle to
> have to jump over each time. Thanks.
>

RE: Certification for Win2k Web Servers Nov 07 2002 06:01PM
Rajesh Sampath (rajesh sampath wcom com)
Copyright 2010, SecurityFocus