jdreddjdredd MemberMember Posts: 33 ■■□□□□□□□□
I have just discovered OSSTMM (Open Source Security Testing Methodology).

To start with, I can't believe I keep finding stuff I never heard about.

Anyway, things I read say this is the most used Security testing Methodology that there is.

Does this compare to things like COBIT? Can it be used for Sarbanes-Oxley compliance?


  • BeginCOBITBeginCOBIT Junior Member Banned Posts: 6 ■□□□□□□□□□
    COBIT now has a specific publication to help with Sarbanes-Oxley (SOX):

    IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition

    COBIT is an internationally recognized IT Governance framework from ISACA that can be used to help businesses comply with the IT control requirements of SOX.

    OSSTMM may be able to help with SOX but its focus is probably quite narrow, i.e., just security testing, when compared to something like COBIT, which is broadly focused on IT governance within the enterprise, in a manner that is consistent with COSO, the framework for governance of the enterprise.

    OSSTMM and COBIT are not equivalent but they may, in certain circumstances, be complementary.
  • contentproscontentpros Senior Member Member Posts: 115 ■■■■□□□□□□
    Please understand when you are referencing frameworks like COBIT that they are designed to give guidance and have many controls that overlap. If you want to quickly fail at security, try to implement every control in COBIT. You will hamstring your organization so badly that you may have to run from people with pitchforks and torches. Remember it is there for guidance on controls and practices; follow the spirit of the framework, not the letter. If done well, COBIT can be wonderful, but too many people fail to understand this point.