Conduct Red Team exercises, as necessary.
CONTROL ID
12131
CONTROL TYPE
Technical Security
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a testing program., CC ID: 00654

This Control has the following implementation support Control(s):
  • Establish and maintain a scoring method for Red Team exercise results., CC ID: 12136
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Establishing critical "Red Teams" to identify and evaluate possible attack scenarios. There is a need to feed information resulting from the "Red Team" evaluation into risk management processes to assess the information and establish appropriate protection strategies. (Critical components of information security 24) viii. ¶ 1 i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The objectives, scope and rules of engagement should be defined before the commencement of the exercise, and the exercise should be conducted in a controlled manner under close supervision to ensure the activities carried out by the red team do not disrupt the FI's production systems. (§ 13.4.2, Technology Risk Management Guidelines, January 2021)
  • Based on the security threats observed and the changes made, testing should be performed to incorporate scenarios of relevant and known potential attacks. (3.4.6 48, Final Report EBA Guidelines on ICT and security risk management)
  • In addition to the tests, drills are also carried out, which are, among other things, based on scenarios resulting from security incidents that have already occurred in the past. (Section 5.14 BCM-04 Description of additional requirements (availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively. (CIS Control 20: Sub-Control 20.3 Perform Periodic Red Team Exercises, CIS Controls, 7.1)
  • Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively. (CIS Control 20: Sub-Control 20.3 Perform Periodic Red Team Exercises, CIS Controls, V7)
  • The organization conducts, either by itself or by an independent third-party, periodic penetration testing and red team testing on the organization's network, internet-facing applications or systems, and critical applications to identify gaps in cybersecurity defenses. (DE.CM-8.2, CRI Profile, v1.2)
  • The organization conducts, either by itself or by an independent third-party, periodic penetration testing and red team testing on the organization's network, internet-facing applications or systems, and critical applications to identify gaps in cybersecurity defenses. (DE.CM-8.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Periodically perform red teaming against organizational assets in order to validate defensive capabilities. (CA.4.227, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Periodically perform red teaming against organizational assets in order to validate defensive capabilities. (CA.4.227, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises]. (CA-8(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises]. (CA-8(2) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement]. (CA-8(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises]. (CA-8(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises]. (CA-8(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Conduct periodic security drills or exercises, to include announced or unannounced tests of security and incident plans. These can be conducted in conjunction with other required drills or exercises. (Table 1: Drills and Exercises Baseline Security Measures Cell 1, Pipeline Security Guidelines)