Back

Include coverage of all in scope systems during penetration testing.


CONTROL ID
11957
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Perform penetration tests, as necessary., CC ID: 00655

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • If an AI's policy framework for independent assessment does not include penetration tests, the senior management should further ensure that regular penetration tests are performed by qualified independent parties. For the purpose of this module, a penetration test should assess, at the minimum, the … (§ 3.3.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • While traditional penetration testing usually focuses on technical assessment (i.e. effectiveness of infrastructure, hardware and application protection), iCAST extends testing coverage to the "people" and "process" elements (III. Bullet 3, Hong Kong Monetary Authority The Cyber Resilience Assessment Framework, Cybersecurity Summit 2016)
  • The FI should carry out penetration testing (PT) to obtain an in-depth evaluation of its cyber security defences. A combination of blackbox and greybox testing should be conducted for online financial services. (§ 13.2.1, Technology Risk Management Guidelines, January 2021)
  • Financial entities shall assess which critical or important functions need to be covered by the TLPT. The result of this assessment shall determine the precise scope of TLPT and shall be validated by the competent authorities. (Art. 26.2. ¶ 3, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The cloud provider has penetration tests performed by qualified internal personnel or external service providers at least once a year. The penetration tests are carried out according to documented test methods and include the infrastructure components defined to be critical to the secure operation o… (Section 5.6 RB-18 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network … (11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network … (11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network … (11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Does penetration testing cover all segmentation controls/methods in use? (11.3.4.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine penetration-testing methodology and interview responsible personnel to verify a methodology is implemented that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical s… (11.3, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Coverage for the entire CDE perimeter and critical systems. (11.4.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Coverage for the entire CDE perimeter and critical systems. (11.4.1 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Coverage for the entire CDE perimeter and critical systems. (11.4.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Coverage for the entire CDE perimeter and critical systems. (11.4.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conduc… (CIS Control 18: Safeguard 18.2 Perform Periodic External Penetration Tests, CIS Controls, V8)
  • How well the system's capabilities cover (i.e., have at least one effect on) adversary activities as identified by the threat context. This can be expressed as a threat heat map [DHSCDM] or a simple threat coverage score. For an initial assessment, coverage can be in terms of attack stages. Alternat… (3.2.2.3 ¶ 1 Bullet 2, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)