It seems that debate over the automatic tools vs. manual penetration tools raises serious questions within the government agencies.South Carolina and Delaware already use Core Impact, other might follow:

Let’s assume you’ve signed off on a decision to run penetration tests because you want to know how vulnerable your agency is to outside attacks. Now what? Should your agency hire a consultant? Buy automated software to perform the tests? Both?

Answering 10 questions can help you decide whether hiring a consultant or buying software is the right answer.

1. What is your risk tolerance for information technology security threats?
2. Does your agency perform critical functions or have stewardship of critical or sensitive data? How serious are the implications of disrupted service or lost or compromised data?
3. Do you know how well your software patching system is working?
4. Do you have the in-house expertise necessary to run and interpret automated tests?
5. Have you determined a baseline of IT security?
6. Are you required to have a third-party assessor review your IT security?
7. Does your agency have a robust presence on the Web?
8. Does your agency primarily use custom applications or does it mostly use commercial software?
9. How frequently do you want to test your system and network vulnerability?
10. What level of spending can your budget support?

Federal Computer Week magazine has the full story