Employ third parties to carry out testing programs, as necessary.


CONTROL ID: 13178
CONTROL TYPE: Human Resources Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a testing program. (CC ID: 00654)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Under CPS 234, an APRA-regulated entity must ensure that testing is conducted by appropriately skilled and functionally independent specialists. For an APRA-regulated entity to have confidence in the quality of testing, it is important that testers are sufficiently independent in order to provide a … (82., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • An APRA-regulated entity must ensure that testing is conducted by appropriately skilled and functionally independent specialists. (30., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • are carried out by independent testers with sufficient knowledge, skills and expertise in testing information security measures and who are not involved in the development of the information security measures; (3.4.6 43(a), Final Report EBA Guidelines on ICT and security risk management)
  • The tests are carried out every six months. They must always be performed by independent external auditors. Internal personnel for penetration tests may support the external service providers. (Section 5.6 RB-18 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Scans are performed by qualified personnel and organizational independence of the tester exists. (11.3.1 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV). (11.3.1.3 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.2 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.5 Bullet 7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.6 Bullet 7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.3 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Additional testing procedure for service provider assessments only: Interview personnel to verify that the test was performed by a qualified internal resource or qualified external third party and that organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.6.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel to verify that the test was performed by a qualified internal resource or qualified external third party and that organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.5.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel to verify that the internal penetration test was performed by a qualified internal resource or qualified external third-party and that organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel to verify that the external penetration test was performed by a qualified internal resource or qualified external third-party and that organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel to verify that internal scans are performed by a qualified internal resource(s) or qualified external third party and that organizational independence of the tester exists. (11.3.1.3.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel to verify that external scans are performed by a qualified internal resource(s) or qualified external third party and that organizational independence of the tester exists. (11.3.2.1.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.3 Bullet 5, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.5 Bullet 7, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.5 Bullet 7, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV). (11.3.1.3 Bullet 3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Scans are performed by qualified personnel and organizational independence of the tester exists. (11.3.1 Bullet 5, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.5 Bullet 7, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Scans are performed by qualified personnel and organizational independence of the tester exists. (11.3.1 Bullet 5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV). (11.3.1.3 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.2 Bullet 5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.3 Bullet 5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.5 Bullet 7, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Scans are performed by qualified personnel and organizational independence of the tester exists. (11.3.1 Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV). (11.3.1.3 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.3 Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.5 Bullet 7, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.2 Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Organizational independence of the tester exists (not required to be a QSA or ASV). (11.4.6 Bullet 7, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank holding company's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those tha… (§ III.C(3), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external-facing systems and the internal network. (Domain 3: Assessment Factor: Detective Controls, THREAT AND VULNERABILITY DETECTION Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Testing internally and with third-party service providers, as appropriate. (App A Objective 12:4c Bullet 9, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management uses independent organizations to test aspects of its information security programs. (App A Objective 10.4, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Provide for independent testing for compliance to be conducted by credit union personnel or outside parties; (§ 748.2 (c)(2), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the credit union's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develo… (§ 748 Appendix A. III.C.3., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the national bank's or Federal savings association's risk assessment. Tests should be conducted or reviewed by independent third parties or staf… (§ III. C. 3., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)