On 6/5/12, Green, Timothy <Timothy.Green@mantech.com> wrote:
I'm a Security Manager of a large network. We are conducting a Pentest next month, and the testers are demanding a complete network diagram of the entire network. We don't have a "complete" network diagram that shows everything and everywhere we are. At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month, and they seem to be too lazy to put it together or they have no idea where everything is.
I've never been in this situation before. Should I be honest with the testers and tell them: here is what we have, we aren't sure if it's accurate; find everything else?
Tim,

Your system is what it is, including any defects in configuration management. Provide the testers with what you have, give them contact info for the engineers so they can ask questions and specify that you expect strengths and weaknesses in configuration management which impact system security to be reflected in their report.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004