What are the key points that should be discussed with, and asked of, suppliers to confirm whether their approach towards Red Team assessment is the most suitable one?
I think that you must have a mature IS program before Red Teaming is really worthwhile.
You need to distinguish (very roughly) between:
audit: do a verification based on a checklist...
vuln assessment: use a vuln scanner to find vulns, but not exploiting them
pentest: exploit those vulnerabilities..
red teaming: red teaming is a pentest, but it is also a test of your detection capacity. If you don't have a blue team, then red teaming is not really useful.
If it is one of your first forays into IS, then start with the basics, then vuln assessment and pentest.