Establish, implement, and maintain a penetration test program.


CONTROL ID: 01105
CONTROL TYPE: Behavior
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a testing program., CC ID: 00654

This Control has the following implementation support Control(s):
  • Align the penetration test program with industry standards., CC ID: 12469
  • Assign penetration testing to a qualified internal resource or external third party., CC ID: 06429
  • Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation., CC ID: 11958
  • Retain penetration test results according to internal policy., CC ID: 10049
  • Retain penetration test remediation action records according to internal policy., CC ID: 11629
  • Use dedicated user accounts when conducting penetration testing., CC ID: 13728
  • Remove dedicated user accounts after penetration testing is concluded., CC ID: 13729
  • Perform penetration tests, as necessary., CC ID: 00655


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A cyber inspector may monitor and inspect any activity on an Information System in the public domain or website and report any unlawful activity to the appropriate authority. (§ 94(1)(a), The Electronic Communications and Transactions Act, 2002)
  • If an AI's policy framework for independent assessment does not include penetration tests, the senior management should further ensure that regular penetration tests are performed by qualified independent parties. For the purpose of this module, a penetration test should assess, at the minimum, the … (§ 3.3.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • The FI should carry out penetration testing (PT) to obtain an in-depth evaluation of its cyber security defences. A combination of blackbox and greybox testing should be conducted for online financial services. (§ 13.2.1, Technology Risk Management Guidelines, January 2021)
  • security testing, including penetration testing; (16(e)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • An APRA-regulated entity must review the sufficiency of the testing program at least annually or when there is a material change to information assets or the business environment. (31., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • periodic security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. These tests should be performed by staff and/or external experts with the necessary expertise, with documented test results and conclusions reported to senior mana… (Title 3 3.3.4(b) 55.h(iv), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Each threat-led penetration test shall cover several or all critical or important functions of a financial entity, and shall be performed on live production systems supporting such functions. (Art. 26.2. ¶ 1, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities shall assess which critical or important functions need to be covered by the TLPT. The result of this assessment shall determine the precise scope of TLPT and shall be validated by the competent authorities. (Art. 26.2. ¶ 3, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities shall ensure that contracts concluded with external testers require a sound management of the TLPT results and that any data processing thereof, including any generation, store, aggregation, draft, report, communication or destruction, do not create risks to the financial entity. (Art. 27.3., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Do the penetration tests encompass social engineering? (Table Row X.10, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • How are clients prevented from performing penetration testing on other clients’ environments? (Appendix D, Regularly Monitor and Test Networks Bullet 11 Sub-bullet 2, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Interview responsible personnel and examine the penetration testing procedures to verify they are based on industry-accepted penetration testing methods. (Testing Procedures § 11.3 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview responsible personnel and examine the penetration testing procedures to verify they include the entire cardholder data environment and critical systems. (Testing Procedures § 11.3 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview responsible personnel and examine the penetration testing procedures to verify they include testing to validate segmentation controls and scope-reduction controls. (Testing Procedures § 11.3 Bullet 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the scope of work and the most recent external penetration test results to verify the penetration testing was conducted in accordance with the defined methodology. (Testing Procedures § 11.3.1.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the scope of work and the most recent internal penetration test results to verify the penetration testing was conducted in accordance with the defined methodology. (Testing Procedures § 11.3.2.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the segmentation controls and review the penetration testing procedures to verify procedures are defined to test all of the segmentation methods to confirm they are effective and operational and out-of-scope systems are isolated from the in-scope systems. (Testing Procedures § 11.3.4.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the most recent penetration test results to verify the penetration testing covers all of the used segmentation controls or methods. (Testing Procedures § 11.3.4.b Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • A penetration testing methodology must be implemented that is based on industry-accepted penetration testing practices. (Note: this is a Best Practice and will become a requirement after June 30, 2015. The v2.0 penetration testing requirements must be followed until v3.0 is implemented.). (PCI DSS Requirements § 11.3 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • A penetration testing methodology must be implemented that includes coverage for the entire cardholder data environment perimeter and critical systems. (Note: this is a Best Practice and will become a requirement after June 30, 2015. The v2.0 penetration testing requirements must be followed until v… (PCI DSS Requirements § 11.3 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • A penetration testing methodology must be implemented that includes testing to validate segmentation controls and scope-reduction controls. (Note: this is a Best Practice and will become a requirement after June 30, 2015. The v2.0 penetration testing requirements must be followed until v3.0 is imple… (PCI DSS Requirements § 11.3 Bullet 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • A penetration testing methodology is defined, documented, and implemented by the entity, and includes: (11.4.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing. (11.4.1 Bullet 8, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Additional testing procedure for multitenant service providers only: Examine evidence to verify that multi-tenant service providers support their customers for external penetration testing per Requirement 11.4.3 and 11.4.4. (11.4.7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Is the penetration testing methodology based on industry-accepted penetration testing approaches (for example, NIST SP 800-115)? (PCI DSS Question 11.3 Bullet 1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Does the penetration testing methodology include coverage for the entire CDE perimeter and critical systems? (PCI DSS Question 11.3 Bullet 2, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Does the penetration testing methodology include testing to validate any segmentation and scope-reduction controls? (PCI DSS Question 11.3 Bullet 4, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Does the penetration testing methodology include review and consideration of threats and vulnerabilities experienced in the last 12 months? (PCI DSS Question 11.3 Bullet 7, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, are penetration testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems? (PCI DSS Question 11.3.4(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, does the penetration testing verify segmentation controls cover all segmentation controls or methods in use? (PCI DSS Question 11.3.4(b) Bullet 2, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, does the penetration testing verify that the segmentation methods are operational and effective, and isolates all out-of-scope systems from in-scope systems? (PCI DSS Question 11.3.4(b) Bullet 3, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, are penetration testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems? (PCI DSS Question 11.3.4(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, does the penetration testing verify segmentation controls cover all segmentation controls or methods in use? (PCI DSS Question 11.3.4(b) Bullet 2, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, does the penetration testing verify that the segmentation methods are operational and effective, and isolates all out-of-scope systems from in-scope systems? (PCI DSS Question 11.3.4(b) Bullet 3, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is the penetration testing methodology based on industry-accepted penetration testing approaches (for example, NIST SP 800-115)? (PCI DSS Question 11.3 Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Does the penetration testing methodology include coverage for the entire CDE perimeter and critical systems? (PCI DSS Question 11.3 Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Does the penetration testing methodology include testing to validate any segmentation and scope-reduction controls? (PCI DSS Question 11.3 Bullet 4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Does the penetration testing methodology include review and consideration of threats and vulnerabilities experienced in the last 12 months? (PCI DSS Question 11.3 Bullet 7, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, are penetration testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems? (PCI DSS Question 11.3.4(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, does the penetration testing verify segmentation controls cover all segmentation controls or methods in use? (PCI DSS Question 11.3.4(b) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, does the penetration testing verify that the segmentation methods are operational and effective, and isolates all out-of-scope systems from in-scope systems? (PCI DSS Question 11.3.4(b) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is the penetration testing methodology based on industry-accepted penetration testing approaches (for example, NIST SP 800-115)? (PCI DSS Question 11.3 Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Does the penetration testing methodology include coverage for the entire CDE perimeter and critical systems? (PCI DSS Question 11.3 Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Does the penetration testing methodology include testing to validate any segmentation and scope-reduction controls? (PCI DSS Question 11.3 Bullet 4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Does the penetration testing methodology include review and consideration of threats and vulnerabilities experienced in the last 12 months? (PCI DSS Question 11.3 Bullet 7, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, are penetration testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems? (PCI DSS Question 11.3.4(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, does the penetration testing verify segmentation controls cover all segmentation controls or methods in use? (PCI DSS Question 11.3.4(b) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, does the penetration testing verify that the segmentation methods are operational and effective, and isolates all out-of-scope systems from in-scope systems? (PCI DSS Question 11.3.4(b) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • A penetration testing methodology is defined, documented, and implemented by the entity, and includes: (11.4.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing. (11.4.1 Bullet 8, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A penetration testing methodology is defined, documented, and implemented by the entity, and includes: (11.4.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing. (11.4.1 Bullet 8, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A penetration testing methodology is defined, documented, and implemented by the entity, and includes: (11.4.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing. (11.4.1 Bullet 8, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The organization should perform penetration tests and Red Team exercises. (Critical Control 20, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should include social engineering in the penetration tests. (Critical Control 20.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should use the penetration testing tools and the vulnerability scanning tools together. (Critical Control 20.8, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks. (CIS Control 20: Sub-Control 20.1 Establish a Penetration Testing Program, CIS Controls, 7.1)
  • Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks. (CIS Control 20: Sub-Control 20.1 Establish a Penetration Testing Program, CIS Controls, V7)
  • Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. (CIS Control 18: Safeguard 18.4 Validate Security Measures, CIS Controls, V8)
  • Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise contro… (CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program, CIS Controls, V8)
  • App B § 2.H: CMS business partners must evaluate automatic controls to make sure they prevent payments to unauthorized persons. CMS business partners must test automatic controls with invalid input, under strict control, and with management's full awareness and prior approval. App B § 2.I: CMS bus… (App B § 2.H, App B § 2.I, CMS Business Partners Systems Security Manual, Rev. 10)
  • Steps must be taken by business entities that are subject to Title III Subtitle A of this Act to ensure key controls, procedures, and systems of the personal data privacy and security program are tested regularly to detect, prevent, and respond to intrusions, attacks, or other system failures. The f… (§ 302(c), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • Testing and evaluations through a combination of self-assessments, penetration tests, vulnerability assessments, and audits with appropriate coverage, depth, and independence. (App A Objective 10.1.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Penetration tests that subject a system to real-world attacks and identify weaknesses. (App A Objective 10.3.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Are the groups or individuals who perform the penetration tests appropriately bonded? (IT - IDS IPS Q 36, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test scope include a policy review? (IT - Pen Test Review Q 6d, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test scope include external testing? (IT - Pen Test Review Q 6e, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test scope include internal testing? (IT - Pen Test Review Q 6f, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test scope include social engineering? (IT - Pen Test Review Q 6g, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test scope include documentation and reporting? (IT - Pen Test Review Q 6h, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include vulnerability scanning and penetration tests? (IT - Policy Checklist Q 15, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization should periodically and randomly perform comprehensive security assessments to verify configuration settings, identify rogue devices, and review audit logs. (Table 8-5 Item 52, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • (§ 3.4.4.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The organization should test a subset of the covert channel avenues discovered by the vendor to determine if they are exploitable. (App F § SC-31(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Conduct and/or support authorized penetration testing on enterprise network assets. (T0028, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Create comprehensive exploitation strategies that identify exploitable technical or operational vulnerabilities. (T0641, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish processing, exploitation and dissemination management activity using approved guidance and/or procedures. (T0683, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • annual Penetration Testing of the Covered Entity's Information Systems determined each given year based on relevant identified risks in accordance with the Risk Assessment; and (§ 500.05 Penetration Testing and Vulnerability Assessments (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity's Risk Assessment, designed to assess the effectiveness of the Covered Entity's cybersecurity program. The monitoring and testing shall include continuous monitorin… (§ 500.05 Penetration Testing and Vulnerability Assessments, New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)