Sunday, 30 November 2014

What would be a good way to create a security testing schedule?

I've been tasked with creating a formal security testing schedule / calendar for our organisation, as most of our current testing (scans, pentesting, etc.) is done ad hoc.

I'm wondering if anyone has created something similar for their organisation, and what process was used in order to build this schedule.

My current thoughts are the following:

  1. Create a list of infrastructure, applications, hardware, etc., arranged into criticality categories (e.g. mission critical, critical, non-critical).

  2. Determine what needs to be determined for each criticality level through testing, and determine which tests will be done for each (e.g. red-team testing only done on mission critical).

  3. Determine the regularity of tests and types of tests for each criticality category.

  4. Create a testing schedule.

I've not had much opportunity to think about how often tests / types of tests should be done, so I'm very open to referrals to material I could review to get a better understanding.
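A worked version of the four steps in the question, as an added example that is not part of the original post: a small Python script that holds an asset inventory tagged by criticality tier (step 1), a policy mapping each test type to an interval per tier (steps 2 and 3), and generates the due dates over a planning horizon plus a list of what is overdue or has never been tested (step 4). The tier names, test types, intervals, asset names and last-run dates are constructed sample values for illustration, not recommended frequencies; the only policy rule taken from the question itself is that red-team exercises apply to the mission-critical tier only.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample policy (illustrative, not a recommendation):
# test type -> {criticality tier: interval in days between runs}.
# A test applies only to the tiers listed for it; red_team is limited to
# the mission-critical tier, following the question's own example.
TEST_POLICY = {
    "vulnerability_scan": {"mission_critical": 7, "critical": 30, "non_critical": 90},
    "penetration_test": {"mission_critical": 90, "critical": 180, "non_critical": 365},
    "red_team": {"mission_critical": 365},
}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str          # e.g. application, infrastructure, hardware
    criticality: str   # one of the tier names used in TEST_POLICY


@dataclass(frozen=True)
class TestSlot:
    asset: str
    test: str
    due: date


# Constructed sample inventory and last-run records (step 1 of the question).
ASSETS = [
    Asset("payments-api", "application", "mission_critical"),
    Asset("hr-portal", "application", "critical"),
    Asset("wiki", "application", "non_critical"),
    Asset("core-switch-1", "hardware", "critical"),
]
LAST_RUN = {
    ("payments-api", "vulnerability_scan"): date(2014, 11, 25),
    ("payments-api", "penetration_test"): date(2014, 9, 1),
    ("hr-portal", "vulnerability_scan"): date(2014, 11, 1),
    ("wiki", "penetration_test"): date(2013, 12, 1),
}
PLAN_START = date(2014, 12, 1)   # constructed start of the planning window


def applicable_tests(asset, policy=TEST_POLICY):
    """Step 2: which tests apply to this asset's tier, with their interval."""
    return {test: tiers[asset.criticality]
            for test, tiers in policy.items() if asset.criticality in tiers}


def build_schedule(assets, last_run, start, horizon_days, policy=TEST_POLICY):
    """Steps 3-4: expand every (asset, test) pair into due dates within
    [start, start + horizon_days]. A pair with no recorded run is due on
    the start date; a pair whose next run fell before start is pulled
    forward to start rather than silently dropped."""
    end = start + timedelta(days=horizon_days)
    slots = []
    for asset in assets:
        for test, interval in applicable_tests(asset, policy).items():
            previous = last_run.get((asset.name, test))
            due = start if previous is None else previous + timedelta(days=interval)
            due = max(due, start)
            while due <= end:
                slots.append(TestSlot(asset.name, test, due))
                due += timedelta(days=interval)
    return sorted(slots, key=lambda s: (s.due, s.asset, s.test))


def overdue(assets, last_run, today, policy=TEST_POLICY):
    """Pairs whose interval has lapsed as of `today`: value is days overdue,
    or None when no run has ever been recorded for that asset/test."""
    result = {}
    for asset in assets:
        for test, interval in applicable_tests(asset, policy).items():
            previous = last_run.get((asset.name, test))
            if previous is None:
                result[(asset.name, test)] = None
                continue
            late = (today - (previous + timedelta(days=interval))).days
            if late > 0:
                result[(asset.name, test)] = late
    return result


def slots_per_month(slots):
    """Workload view for the calendar: 'YYYY-MM' -> number of test runs."""
    counts = {}
    for s in slots:
        key = s.due.strftime("%Y-%m")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, late in sorted(overdue(ASSETS, LAST_RUN, PLAN_START).items()):
        print("OVERDUE" if late else "NEVER TESTED", *key, late or "")
    schedule = build_schedule(ASSETS, LAST_RUN, PLAN_START, 90)
    for slot in schedule:
        print(slot.due, slot.asset, slot.test)
    print(slots_per_month(schedule))
```

The policy table is the part worth reviewing with stakeholders: it makes step 2 explicit (a test type absent from a tier is simply never scheduled there), and the per-month counts show immediately whether a chosen set of intervals is more work than the team can absorb. Keeping the inventory and last-run records in data rather than in the code means the same script regenerates the calendar as assets are added or reclassified.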




