Perform network-layer penetration testing on all systems, as necessary.
CONTROL ID
01277
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Perform penetration tests, as necessary. (CC ID: 00655)

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Interview responsible personnel and examine the penetration testing procedures to verify they include the network-layer penetration tests. (Testing Procedures § 11.3 Bullet 6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification. (§ 11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Network-layer penetration tests (§ 11.3.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • A penetration testing methodology must be implemented that defines the network-layer penetration tests to include. (Note: this is a Best Practice and will become a requirement after June 30, 2015. The v2.0 penetration testing requirements must be followed until v3.0 is implemented.) (PCI DSS Requirements § 11.3 Bullet 6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network … (11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network … (11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network … (11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine penetration-testing methodology and interview responsible personnel to verify a methodology is implemented that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical s… (11.3, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Network-layer penetration tests that encompass all components that support network functions as well as operating systems. (11.4.1 Bullet 6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Testing from both inside and outside the network. (11.4.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Does the penetration testing methodology define the network-layer penetration tests to include components that support network functions as well as operating systems? (PCI DSS Question 11.3 Bullet 6, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Does the penetration testing methodology define the network-layer penetration tests to include components that support network functions as well as operating systems? (PCI DSS Question 11.3 Bullet 6, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Does the penetration testing methodology define the network-layer penetration tests to include components that support network functions as well as operating systems? (PCI DSS Question 11.3 Bullet 6, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Testing from both inside and outside the network. (11.4.1 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Network-layer penetration tests that encompass all components that support network functions as well as operating systems. (11.4.1 Bullet 6, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Testing from both inside and outside the network. (11.4.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Network-layer penetration tests that encompass all components that support network functions as well as operating systems. (11.4.1 Bullet 6, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Network-layer penetration tests that encompass all components that support network functions as well as operating systems. (11.4.1 Bullet 6, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Testing from both inside and outside the network. (11.4.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • (Further Issues 4, § 2.2, ISF Security Audit of Networks)
  • Penetration testing can be accomplished in three stages. The first stage is "war-dialing." This will identify both unauthorized and poorly-configured authorized modems. The second stage is external testing. This will show what an "outsider" can see and exploit on the system. The third stage is inter… (Action 1.8.8, SANS Computer Security Incident Handling, Version 2.3.1)
  • For cloud computing services, are automated penetration tests conducted on an ad hoc basis? (§ V.1.32.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are automated penetration tests conducted on a daily basis? (§ V.1.32.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are automated penetration tests conducted on a weekly basis? (§ V.1.32.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are automated penetration tests conducted on a biweekly basis? (§ V.1.32.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are automated penetration tests conducted on a monthly basis? (§ V.1.32.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, is the frequency of automated penetration tests greater than 3 months? (§ V.1.32.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, is the frequency of automated penetration tests greater than 6 months? (§ V.1.32.7, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, is the frequency of automated penetration tests another time period? (§ V.1.32.8, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are manual penetration tests conducted on an ad hoc basis? (§ V.1.33.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are manual penetration tests conducted on a daily basis? (§ V.1.33.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are manual penetration tests conducted on a weekly basis? (§ V.1.33.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are manual penetration tests conducted on a biweekly basis? (§ V.1.33.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are manual penetration tests conducted on a monthly basis? (§ V.1.33.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, is the frequency of manual penetration tests more than 3 months? (§ V.1.33.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, is the frequency of manual penetration tests more than 6 months? (§ V.1.33.7, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Penetration testing must be included in the security test and evaluation (ST&E). (§ 5 ¶ 1, CMS Business Partners Systems Security Manual, Rev. 10)
  • Check for presence of a firewall consistent with documented security designs. (DCBP-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Did the last external penetration test that was conducted after a major system update result in a favorable rating? (IT - Firewalls Q 31a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are penetration tests conducted on a regular basis and after changes are made to the Credit Union network? (IT - IDS IPS Q 35, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Perform additional security evaluations when environmental and operational changes are made to the organization that affect ePHI security such as the introduction of new technology or if new risks are identified. (§ 4.8.5 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Conduct and/or support authorized penetration testing on enterprise network assets. (T0028, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Test and maintain network infrastructure including software and hardware devices. (T0232, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Test and maintain network infrastructure including software and hardware devices. (T0232, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization employs {organizationally documented red team exercises} to simulate attempts by adversaries to compromise organizational information systems in accordance with {organizationally documented rules of engagement}. (CA-8(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)