Repeat penetration testing, as necessary.


CONTROL ID: 06860
CONTROL TYPE: Testing
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Perform penetration tests, as necessary. (CC ID: 00655)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Examine the penetration testing results to verify the exploitable vulnerabilities that were detected were corrected and the penetration tests were repeated to confirm the vulnerability was corrected. (Testing Procedures § 11.3.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify that noted exploitable vulnerabilities were corrected and testing repeated. (§ 11.3.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Exploitable vulnerabilities that are detected during the penetration testing must be corrected and the penetration test must be repeated to verify the vulnerabilities are corrected. (PCI DSS Requirements § 11.3.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. (11.3.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. (11.3.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. (11.3.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? (11.3.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? (11.3.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? (11.3.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? (11.3.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? (11.3.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? (11.3.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine penetration testing results to verify that noted exploitable vulnerabilities were corrected and that repeated testing confirmed the vulnerability was corrected. (11.3.3, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Penetration testing is repeated to verify the corrections. (11.4.4 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? (PCI DSS Question 11.3.3, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? (PCI DSS Question 11.3.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? (PCI DSS Question 11.3.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Penetration testing is repeated to verify the corrections. (11.4.4 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Penetration testing is repeated to verify the corrections. (11.4.4 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Penetration testing is repeated to verify the corrections. (11.4.4 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The organization should verify that problems identified during Red Team exercises and penetration testing are fully corrected. (Critical Control 20.4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Remediate penetration test findings based on the enterprise's policy for remediation scope and prioritization. (CIS Control 18: Safeguard 18.3 Remediate Penetration Test Findings, CIS Controls, V8)
  • Performing penetration tests before launching new or making significant changes to existing Internet- and client-facing applications and remediating findings from the tests. (App A Objective 12:8 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The organization must correct legitimate vulnerabilities inside an organization-defined time period. (App F § RA-5.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable). (T0107, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Identify functional- and security-related features to find opportunities for new capability development to exploit or mitigate vulnerabilities. (T0410, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation. (SA-11e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation. (SA-11e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation. (SA-11e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)