Test security systems and associated security procedures, as necessary.


CONTROL ID
11901
CONTROL TYPE
Technical Security
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a testing program., CC ID: 00654

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Robust System Security Testing, in respect of critical e-banking systems, needs to incorporate, inter-alia, specifications relating to information leakage, business logic, authentication, authorization, input data validation, exception/error handling, session management, cryptography and detailed lo… (Critical components of information security 11) c.32., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • All detection mechanisms referred to in the first subparagraph shall be regularly tested in accordance with Article 25. (Art. 10.1. ¶ 2, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Establishing information security is not a project with a limited time span, but a continuous process. The appropriateness and effectiveness of all elements of the information security management system must be checked at regular intervals. This means that not only individual security safeguards mus… (§ 7.4 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Regular checks must be performed to determine whether the security safeguards are appropriate for achieving the security objectives that have been set. Their suitability can be assessed, for instance, by evaluating past security incidents, interviewing employees, or performing penetration tests. Thi… (§ 8.3 Subsection 4 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Regular checks must be performed to see whether all the security safeguards are being applied and implemented as planned in the security concept. This must involve checking that the technical security safeguards (e.g. regarding the configuration) and the organisational regulations (e.g. processes, p… (§ 8.3 Subsection 3 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Successful implementation of security safeguards should be checked regularly. Basically, it is important that checks and audits are not performed by the persons having developed the respective security specifications and that management of the organisation is informed on the state of information sec… (§ 10.1 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The requirements of the IT-Grundschutz modules to be fulfilled must be specified for security safeguards based on the organisational and technical situation of the organisation. The implementation recommendations of IT-Grundschutz provide practical recommendations for many modules and requirements. … (§ 9.1 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • System approval tests are carried out under consideration of the information security requirements. (5.3.1 Requirements (must) Bullet 4, Information Security Assessment, Version 5.1)
  • The entity tests the effectiveness of the key administrative, technical and physical safeguards protecting personal data, periodically and as required by entity policy, or by relevant, applicable laws or regulations. (S7.5, Privacy Management Framework, Updated March 1, 2020)
  • Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subs… (DS5.5 Security Testing, Surveillance and Monitoring, CobiT, Version 4.1)
  • The control system shall provide the capability to support verification of the intended operation of security functions and report when anomalies are discovered during FAT, SAT and scheduled maintenance. These security functions shall include all those necessary to support the security requirements … (7.5.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Components shall provide the capability to support verification of the intended operation of security functions according to IEC 62443-3-3 SR3.3. (7.5.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Regularly test security systems and processes. (Requirement 11, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Regularly test security systems and processes. (Requirement 11, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Regularly test security systems and processes. (Requirement 11, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Regularly test security systems and processes (Requirement 11:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Regularly test security systems and processes (Requirement 11, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Regularly test security systems and processes (Requirement 11:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Regularly test security systems and processes (Requirement 11, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Regularly test security systems and processes (Requirement 11:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Regularly test security systems and processes (Requirement 11, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Regularly test security systems and processes (Requirement 11:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Regularly test security systems and processes (Requirement 11, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Regularly test security systems and processes (Requirement 11:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Regularly test security systems and processes (Requirement 11, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, Information Systems; (Section 4.D ¶ 1(2)(h), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Regularly tests or otherwise regularly monitors the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment. (Section 7 ¶ 1.C., Standards for Safeguarding Customer Information Model Regulation, NAIC MDL-673, April 2002)
  • Maintenance and testing of each Physical Access Control System and locally mounted hardware or devices at the Physical Security Perimeter at least once every 24 calendar months to ensure they function properly. (CIP-006-6 Table R3 Part 3.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Physical Security of BES Cyber Systems CIP-006-6, Version 6)
  • All organizations subject to OMB Circular A-130 are required to have a Security Plan. All such organizations must modify their Security Plan to detail the methodologies and protective measures if they decide to use the Internet for transmittal of HCFA Privacy Act-protected and/or other sensitive HCF… (§ 8 ¶ 2, HIPAA HCFA Internet Security Policy, November 1998)
  • Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank holding company's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those tha… (§ III.C(3), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents;… (§242.1001(b)(2)(iii), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years; and (§242.1003(b)(1)(ii), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes th… (§ 164.308(a)(8), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Analysis of the functionality, including security and resilience, of legacy systems and identification of gaps. (App A Objective 12:6b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Uses the software to assist in the identification of gaps in infrastructure security and resilience. (App A Objective 13:6f Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Regular testing of financial institution controls for critical systems. Processes should be in place for regular audit and testing of security controls and configurations commensurate with the risk of the operations supported by the cloud service. These processes can include the audit and testing of… (Risk Management Audit and Controls Assessment Bullet 1, FFIEC Security in a Cloud Computing Environment)
  • Security configuration, provisioning, logging, and monitoring. Misconfiguration of cloud resources is a prevalent cloud vulnerability and can be exploited to access cloud data and services. System vulnerabilities can arise due to the failure to properly configure security tools within cloud computin… (Risk Management Cloud Security Management Bullet 4, FFIEC Security in a Cloud Computing Environment)
  • Regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. (§ 314.4 ¶ 1(d)(1), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • The biometric system SHOULD implement PAD. Testing of the biometric system to be deployed SHOULD demonstrate at least 90% resistance to presentation attacks for each relevant attack type (i.e., species), where resistance is defined as the number of thwarted presentation attacks divided by the number… (5.2.3 ¶ 7, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Two or more organizations with similar or identical system configurations and backup technologies may enter into a formal agreement to serve as alternate sites for each other or enter into a joint contract for an alternate site. This type of site is set up via a reciprocal agreement or memorandum of… (§ 3.4.3 ¶ 8, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency]. (SI-4(9) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Verifies that both detection of the test case and associated incident reporting occur. (SI-3(6)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Test intrusion-monitoring tools and mechanisms [Assignment: organization-defined frequency]. (SI-4(9) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Verify that the detection of the code and the associated incident reporting occur. (SI-3(6)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Test intrusion-monitoring tools and mechanisms [Assignment: organization-defined frequency]. (SI-4(9) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Verify that the detection of the code and the associated incident reporting occur. (SI-3(6)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems. (Section 27-62-4(d)(2) h., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Regular testing and monitoring of systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems; (Part VI(c)(4)(B)(viii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions, into an information system. (§ 8604.(d)(2) h., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems; (§431:3B-203(2)(H), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Regularly testing and monitoring systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems. (Sec. 18.(2)(H), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems. (507F.4 4.b.(8), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on or intrusions into information systems. (§2504.D.(2)(h), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on or intrusions into information systems; (§2264 4.B.(8), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Regularly testing and monitoring systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems. (Sec. 555.(4)(b)(ix), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems; (§ 60A.9851 Subdivision 4(2)(viii), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems; (§ 83-5-807 (4)(b)(viii), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems. (§ 420-P:4 IV.(b)(8), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems; (26.1-02.2-03. 4.b.(8), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems; (Section 3965.02 (D)(2)(h), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • regularly testing and monitoring systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems; (SECTION 38-99-20. (D)(2)(h), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems; (§ 56-2-1004 (4)(B)(viii), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Implement regular testing and monitoring of systems and procedures to detect actual and attempted attacks on, or intrusions into, an information system. (§ 601.952(3)(b)8., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)