Perform penetration tests, as necessary.

CONTROL ID: 00655
CONTROL TYPE: Testing
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a penetration test program., CC ID: 01105

This Control has the following implementation support Control(s):
  • Perform internal penetration tests, as necessary., CC ID: 12471
  • Perform external penetration tests, as necessary., CC ID: 12470
  • Include coverage of all in scope systems during penetration testing., CC ID: 11957
  • Test the system for broken access controls., CC ID: 01319
  • Test the system for broken authentication and session management., CC ID: 01320
  • Test the system for insecure communications., CC ID: 00535
  • Test the system for cross-site scripting attacks., CC ID: 01321
  • Test the system for buffer overflows., CC ID: 01322
  • Test the system for injection flaws., CC ID: 01323
  • Test the system for Denial of Service., CC ID: 01326
  • Test the system for insecure configuration management., CC ID: 01327
  • Perform network-layer penetration testing on all systems, as necessary., CC ID: 01277
  • Test the system for cross-site request forgery., CC ID: 06296
  • Perform application-layer penetration testing on all systems, as necessary., CC ID: 11630
  • Perform penetration testing on segmentation controls, as necessary., CC ID: 12498
  • Repeat penetration testing, as necessary., CC ID: 06860
  • Test the system for covert channels., CC ID: 10652


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • If an AI's policy framework for independent assessment does not include penetration tests, the senior management should further ensure that regular penetration tests are performed by qualified independent parties (the functions/firms or individuals conducting the tests should have proven experience… (§ 3.3.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • If an AI's policy framework for independent assessment does not include penetration tests, the senior management should further ensure that regular penetration tests are performed by qualified independent parties. For the purpose of this module, a penetration test should assess, at the minimum, the … (§ 3.3.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • An application security review/testing, initially and during major changes, needs to be conducted using a combination of source code review, stress loading, exception testing and compliance review to identify insecure coding techniques and systems vulnerabilities to a reasonable extent. (Critical components of information security 11) c.30., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • All wireless Access Points / Base Stations connected to the corporate network must be registered and approved by the Information Security function of a bank. These Access Points / Base Stations need to be subjected to periodic penetration tests and audits. Updated inventory on all wireless Network Interfac… (Critical components of information security 28) iii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Penetration testing needs to be conducted at least on an annual basis. (Critical components of information security 30) a) ¶ 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should carry out penetration tests in order to conduct an in-depth evaluation of the security posture of the system through simulations of actual attacks on the system. The FI should conduct penetration tests on internet-facing systems at least annually. (§ 9.4.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should conduct penetration testing prior to the commissioning of a new system which offers internet accessibility and open network interfaces. The FI should also perform vulnerability scanning of external and internal network components that support the new system. (§ 6.2.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • To obtain a more accurate assessment of the robustness of the FI's security measures, PT should be conducted on the production environment. Proper safeguards should be implemented when PT is conducted on the production environment. (§ 13.2.3, Technology Risk Management Guidelines, January 2021)
  • The frequency of PT should be determined based on factors such as system criticality and the system's exposure to cyber risks. For systems that are directly accessible from the Internet, the FI is expected to conduct PT to validate the adequacy of the security controls at least once annually or when… (§ 13.2.4, Technology Risk Management Guidelines, January 2021)
  • conducting vulnerability assessments or penetration tests for systems at least annually (Security Control: 1163; Revision: 6; Bullet 2, Australian Government Information Security Manual, March 2021)
  • conducting vulnerability assessments and penetration tests for systems prior to deployment, including prior to deployment of significant changes, and at least annually thereafter (Control: ISM-1163; Revision: 9; Bullet 2, Australian Government Information Security Manual, June 2023)
  • conducting vulnerability assessments and penetration tests for systems prior to deployment, including prior to deployment of significant changes, and at least annually thereafter (Control: ISM-1163; Revision: 10; Bullet 2, Australian Government Information Security Manual, September 2023)
  • The organization should conduct e-mail server auditing, e-mail server vulnerability analysis, and e-mail server security reviews on a regular basis. (Control: 0568, Australian Government Information Security Manual: Controls)
  • periodic security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. These tests should be performed by staff and/or external experts with the necessary expertise, with documented test results and conclusions reported to senior mana… (Title 3 3.3.4(b) 55.h(iv), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title… (4.13.3 94, Final Report on EBA Guidelines on outsourcing arrangements)
  • Financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, which are identified in accordance with paragraph 8, third subparagraph, of this Article, shall carry out at least every 3 years advanced testing by means of TLPT. Based on the … (Art. 26.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The tests are carried out every six months. They must always be performed by independent external auditors. Internal personnel for penetration tests may support the external service providers. (Section 5.6 RB-18 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The cloud provider has penetration tests performed by qualified internal personnel or external service providers at least once a year. The penetration tests are carried out according to documented test methods and include the infrastructure components defined to be critical to the secure operation o… (Section 5.6 RB-18 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Management uses a combination of different ongoing and separate evaluations, including system internal and external penetration testing, third-party independent verifications and certifications using established security control frameworks (NIST, COBIT, OWASP, etc.) and vendor and industry-specific,… (S7.5 Considers different types of ongoing and separate evaluations, Privacy Management Framework, Updated March 1, 2020)
  • (§ X.3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are penetration tests conducted on a bi-annual basis? (Table Row X.3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are searches conducted for backdoors and other unexpected violations of integrity? (Table Row XII.11, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is penetration testing performed across different layers of the environment (e.g., between VMs and the CSP’s management network, or between clients on shared infrastructure)? (Appendix D, Regularly Monitor and Test Networks Bullet 10, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Get and examine the results from the most recent penetration test to verify that penetration testing is performed at least annually and after any significant changes to the environment. (§ 11.3.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify that the penetration test includes network-layer penetration tests. (§ 11.3.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify that the penetration test includes application-layer penetration tests. (§ 11.3.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine recent wireless scan results to verify the scan is conducted for all components and facilities at least quarterly. (Testing Procedures § 11.1.c Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview responsible personnel and examine the penetration testing procedures to verify testing is completed from inside the network and outside the network. (Testing Procedures § 11.3 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the scope of work and the most recent external penetration test results to verify the penetration testing is conducted at least annually. (Testing Procedures § 11.3.1.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the scope of work and the most recent internal penetration test results to verify the penetration testing is conducted at least annually. (Testing Procedures § 11.3.2.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the scope of work and the most recent external penetration test results to verify the penetration testing is conducted after significant environmental changes. (Testing Procedures § 11.3.1.a Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the scope of work and the most recent internal penetration test results to verify the penetration testing is conducted after significant environmental changes. (Testing Procedures § 11.3.2.a Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the most recent penetration test results to verify penetration testing on segmentation controls is conducted at least annually and after changes to any segmentation controls or methods. (Testing Procedures § 11.3.4.b Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Obtain and examine the results from the most recent penetration test to verify that penetration testing is performed at least annually and after any significant changes to the environment. (§ 11.3.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that the penetration test includes network-layer penetration tests. (§ 11.3.1 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that the penetration test includes application-layer penetration tests. (§ 11.3.2 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • A penetration testing methodology must be implemented that includes testing from inside the network and outside the network. (Note: this is a Best Practice and will become a requirement after June 30, 2015. The v2.0 penetration testing requirements must be followed until v3.0 is implemented). (PCI DSS Requirements § 11.3 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • External penetration testing must be conducted at least annually and after significant changes to infrastructure or upgrades or modifications to the application. (PCI DSS Requirements § 11.3.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Internal penetration testing must be conducted at least annually and after significant changes to infrastructure or upgrades or modifications to the application. (PCI DSS Requirements § 11.3.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Penetration tests must be conducted at least annually and after changes to segmentation controls or methods to verify the segmentation methods are effective and operational, whenever segmentation is used to isolate the cardholder data environment from other networks. (PCI DSS Requirements § 11.3.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE. (11.3.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network … (11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network … (11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE. (11.3.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network … (11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE. (11.3.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Is external penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? (11.3.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? (11.3.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? (11.3.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? (11.3.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Is external penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? (11.3.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is internal penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? (11.3.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? (11.3.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? (11.3.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is internal penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? (11.3.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is external penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? (11.3.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? (11.3.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine segmentation controls and review penetration-testing methodology to verify that penetration-testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE. (11.3.4.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine the results from the most recent penetration test to verify that: - Penetration testing to verify segmentation controls is performed at least annually and after any changes to segmentation controls/methods. - The penetration testing covers all segmentation controls/methods in use. - The pene… (11.3.4.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Verify that the test was performed by a qualified internal resource or qualified external third party and, if applicable, organizational independence of the tester exists (not required to be a QSA or ASV). (11.3.4.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine penetration-testing methodology and interview responsible personnel to verify a methodology is implemented that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical s… (11.3, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Is external penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? (PCI DSS Question 11.3.1(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, is penetration testing to verify segmentation controls performed at least annually and after any changes to the segmentation controls or methods? (PCI DSS Question 11.3.4(b) Bullet 1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, is penetration testing to verify segmentation controls performed at least annually and after any changes to the segmentation controls or methods? (PCI DSS Question 11.3.4(b) Bullet 1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is external penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? (PCI DSS Question 11.3.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is internal penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? (PCI DSS Question 11.3.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, is penetration testing to verify segmentation controls performed at least annually and after any changes to the segmentation controls or methods? (PCI DSS Question 11.3.4(b) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is external penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? (PCI DSS Question 11.3.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is internal penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? (PCI DSS Question 11.3.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • If segmentation is used to isolate the CDE from other networks, is penetration testing to verify segmentation controls performed at least annually and after any changes to the segmentation controls or methods? (PCI DSS Question 11.3.4(b) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Good privacy management is supported by performing penetration testing and independent testing and reviewing of key systems, controls, and procedures. (§ 4.5 (Privacy Best Practices), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • Penetration testing should be accomplished on a regular basis to ensure the systems are configured securely and that all of the latest patches have been applied. If the organization does not have the resources to conduct penetration testing, it should at least run a vulnerability scanner. (Action 1.8.8, SANS Computer Security Incident Handling, Version 2.3.1)
  • Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) … (Control 20.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively. (Control 20.3, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The system must run scanning tools on a daily basis to check for open ports, patch levels, services, configuration files, and software version. (Control 3 Test ¶ 2.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should periodically scan for back-channel Internet connections that bypass the Demilitarized Zone. (Critical Control 13.9, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should conduct internal penetration tests and external penetration tests on a regular basis. (Critical Control 20.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should conduct Red Team exercises on a periodic basis to test how ready the organization is to identify and stop attacks or to respond quickly and effectively. (Critical Control 20.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Validate the operational security configuration and identify security gaps by performing penetration testing. (7.3A Control Objective, Swift Customer Security Controls Framework (CSCF), v2019)
  • Test the overall strength of an organization's defense (the technology, the processes, and the people) by simulating the objectives and actions of an attacker. (CIS Control 20: Penetration Tests and Red Team Exercises, CIS Controls, 7.1)
  • Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. (CIS Control 20: Sub-Control 20.2 Conduct Regular External and Internal Penetration Tests, CIS Controls, 7.1)
  • Test the overall strength of an organization's defense (the technology, the processes, and the people) by simulating the objectives and actions of an attacker. (CIS Control 20: Penetration Tests and Red Team Exercises, CIS Controls, V7)
  • Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. (CIS Control 20: Sub-Control 20.2 Conduct Regular External and Internal Penetration Tests, CIS Controls, V7)
  • Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker. (CIS Control 18: Penetration Testing, CIS Controls, V8)
  • Intrusion Detection. As network connections increase, it will become easier for intruders to: • find multiple ways to penetrate an organization's IT systems and networks, • disguise their initial point of access, and • access through networks and target internal IT systems. Further, intruders … (¶ 13.5, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The evaluator should perform penetration testing on the product to ensure it is resistant to attacks from an attacker who possesses either a low-, moderate-, or high-attack potential. The penetration tests should also determine the exploitability of the identified vulnerabilities. (§ 19.4, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • Penetration tests should be developed based on the vulnerability analysis. The penetration testing should determine the susceptibility of the product and its environment. Penetration testing documentation should be developed and include the vulnerability being tested, steps to set up the initial con… (§ 11.9.2.5, § 12.10.3.5, § 13.10.3.5, § 13.10.3.7, § 13.10.3.8, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The organization conducts periodic cyber attack simulations to detect control gaps in employee behavior, policies, procedures and resources. (DE.CM-3.3, CRI Profile, v1.2)
  • The organization conducts, either by itself or by an independent third-party, periodic penetration testing and red team testing on the organization's network, internet-facing applications or systems, and critical applications to identify gaps in cybersecurity defenses. (DE.CM-8.2, CRI Profile, v1.2)
  • The organization conducts periodic cyber attack simulations to detect control gaps in employee behavior, policies, procedures and resources. (DE.CM-3.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization conducts, either by itself or by an independent third-party, periodic penetration testing and red team testing on the organization's network, internet-facing applications or systems, and critical applications to identify gaps in cybersecurity defenses. (DE.CM-8.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components]. (CA-8 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components]. (CA-8 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components]. (CA-8 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments. (CC4.1 Considers Different Types of Ongoing and Separate Evaluations, Trust Services Criteria)
  • Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments. (CC4.1 ¶ 4 Bullet 1 Considers Different Types of Ongoing and Separate Evaluations, Trust Services Criteria, (includes March 2020 updates))
  • Members should monitor and regularly review the effectiveness of their ISSPs, including the efficacy of the safeguards deployed, and make adjustments as appropriate. A Member should perform a regular review of its ISSP at least once every twelve months using either in-house staff with appropriate kn… (Review of Information Security Programs ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Are penetration tests performed on internal networks? (§ G.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are penetration tests performed on external networks? (§ G.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are penetration tests performed on internal networks? (§ G.10.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are penetration tests performed on external networks? (§ G.10.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When a web site is supported that has access to scoped systems and data, are regular penetration tests executed against web-based applications? (§ I.4.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is hosted that has access to scoped systems and data, are regular penetration tests executed against web-based applications? (§ I.4.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is maintained that has access to scoped systems and data, are regular penetration tests executed against web-based applications? (§ I.4.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Has a network penetration test been conducted in the last 12 months? (§ L.10, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • For cloud computing services, do clients have the ability to perform a penetration test of the external environment? (§ V.1.17.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are automated penetration tests performed? (§ V.1.32, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are manual penetration tests performed? (§ V.1.33, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The annual penetration testing of CMS business partner network shall include approved Internet infrastructures. The CMS business partner still has mandatory requirements to perform quarterly vulnerability scans and annual penetration testing. (§ 5 ¶ 1, CMS Business Partners Systems Security Manual, Rev. 10)
  • Penetration test reviews of the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years; and (§242.1003(b)(1)(i), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts. (CA.4.164, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts. (CA.4.164, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Penetration testing must be planned, scheduled, conducted, and independently verified to ensure compliance with vulnerability mitigation procedures, such as the Department of Defense Information Assurance Vulnerability Alert. (ECMT-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Examine the penetration testing results and determine if unannounced penetration tests are conducted on a monthly basis. (ECMT-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Each interface agency shall allow the Federal Bureau of Investigation to periodically test the ability to penetrate the Federal Bureau of Investigation's network through the system or an external network connection. (§ 5.1.1.2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • A noncriminal justice agency that directly accesses Federal Bureau of Investigation criminal justice information shall permit the Federal Bureau of Investigation to periodically conduct penetration tests to test the ability to penetrate its network through the system or an external connection. (§ 5.1.1.6 ¶ 3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Channelers that directly access criminal justice information shall permit the Federal Bureau of Investigation to conduct periodic penetration testing. (§ 5.1.1.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Performing penetration tests before launching new or making significant changes to existing Internet- and client-facing applications and remediating findings from the tests. (App A Objective 12:8 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Penetration tests of new or updated applications, particularly for Internet- or client-facing applications, to detect and correct security flaws. (App A Objective 12:10 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilitie… (§ 314.4 ¶ 1(d)(2), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and (§ 314.4 ¶ 1(d)(2)(i), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • The organization conducts penetration testing [FedRAMP Assignment: at least annually] on [Assignment: organization-defined information systems or system components]. (CA-8 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization conducts penetration testing [FedRAMP Assignment: at least annually] on [Assignment: organization-defined information systems or system components]. (CA-8 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Conduct penetration testing [FedRAMP Assignment: at least annually] on [Assignment: organization-defined systems or system components]. (CA-8 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Conduct penetration testing [FedRAMP Assignment: at least annually] on [Assignment: organization-defined systems or system components]. (CA-8 Control, FedRAMP Security Controls Low Baseline, Version 5)
  • Conduct penetration testing [FedRAMP Assignment: at least annually] on [Assignment: organization-defined systems or system components]. (CA-8 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Do the audit policies and procedures include penetration testing? (IT - Audit Program Q 2b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union conduct penetration tests and security scans on the internet banking network? (IT - Member Online Services Q 9, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include network surveying? (IT - Pen Test Review Q 7a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include port scanning? (IT - Pen Test Review Q 7b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include system identification? (IT - Pen Test Review Q 7c, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include services identification? (IT - Pen Test Review Q 7d, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include vulnerability research and verification? (IT - Pen Test Review Q 7e, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include application testing and code review? (IT - Pen Test Review Q 7f, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include router testing? (IT - Pen Test Review Q 7g, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include firewall testing? (IT - Pen Test Review Q 7h, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include Intrusion Detection System testing? (IT - Pen Test Review Q 7i, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include trusted systems testing? (IT - Pen Test Review Q 7j, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include password cracking? (IT - Pen Test Review Q 7k, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include wireless networks testing? (IT - Pen Test Review Q 8a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include infrared systems testing? (IT - Pen Test Review Q 8b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include voicemail testing? (IT - Pen Test Review Q 8d, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include modem testing? (IT - Pen Test Review Q 8e, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include access controls testing? (IT - Pen Test Review Q 9a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include a perimeter review? (IT - Pen Test Review Q 9b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include a monitoring review? (IT - Pen Test Review Q 9c, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include alarm response testing? (IT - Pen Test Review Q 9d, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include a location review? (IT - Pen Test Review Q 9e, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did the penetration test work plan include an environment review? (IT - Pen Test Review Q 9f, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Perform penetration testing where trusted insiders attempt to compromise system security for the sole purpose of testing security control effectiveness. (§ 4.8.3 Bullet 4, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components]. (CA-8 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Conduct penetration testing [Assignment: organization-defined frequency], leveraging automated scanning tools and ad hoc tests using subject matter experts. (3.12.1e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components]. (CA-8 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Perform penetration testing as required for new or updated applications. (T0266, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct exploitation of wireless computer and digital networks. (T0612, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Exploit network devices, security devices, and/or terminals or environments using various methods or tools. (T0696, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Announced or unannounced security control assessments (red team exercises, penetration testing, in-depth monitoring, malicious user testing, and other assessment forms) should be included as part of the security control assessment and should be conducted on a predetermined frequency. (App F § CA-2(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use unannounced penetration testing on a predefined frequency to try to circumvent or bypass security controls that are associated with facility physical access points. (App F § PE-3(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Perform penetration testing as required for new or updated applications. (T0266, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Exploit network devices, security devices, and/or terminals or environments using various methods or tools. (T0696, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Identify basic common coding flaws at a high level. (T0111, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct exploitation of wireless computer and digital networks. (T0612, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop new techniques for gaining and keeping access to target systems. (T0664, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization includes as part of security control assessments, {organizationally documented frequency}, {announced or unannounced}, {insider threat assessment}. (CA-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization conducts penetration testing {organizationally documented frequency} on {organizationally documented information systems or system components}. (CA-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs a penetration testing process that includes {organizationally documented frequency}, unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility. (PE-3(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform penetration testing at {organizationally documented breadth/depth} and with {organizationally documented constraints}. (SA-11(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization includes as part of security control assessments, {organizationally documented frequency}, {announced or unannounced}, {in-depth monitoring}. (CA-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes as part of security control assessments, {organizationally documented frequency}, {announced or unannounced}, {vulnerability scanning}. (CA-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes as part of security control assessments, {organizationally documented frequency}, {announced or unannounced}, {malicious user testing}. (CA-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes as part of security control assessments, {organizationally documented frequency}, {announced or unannounced}, {insider threat assessment}. (CA-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes as part of security control assessments, {organizationally documented frequency}, {announced or unannounced}, {performance/load testing}. (CA-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes as part of security control assessments, {organizationally documented frequency}, {announced or unannounced}, {organizationally documented other forms of security assessment}. (CA-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts penetration testing {organizationally documented frequency} on {organizationally documented information systems or system components}. (CA-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components]. (CA-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components]. (CA-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility. (PE-3(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints]. (SA-11(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the inform… (SA-12(11) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ [Selection (one or more): organizational analysis, independent third-party analysis, organizational testing, independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organizatio… (SR-6(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components]. (CA-8 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and (SA-11(5) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ [Selection (one or more): organizational analysis, independent third-party analysis, organizational testing, independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organizatio… (SR-6(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components]. (CA-8 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and (SA-11(5) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the inform… (SA-12(11) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Periodically test network security. (¶ 3, Internet Security: Distributed Denial of Service Attacks - OCC Alert 2000-1)
  • Conduct periodic penetration tests to determine effectiveness of systems and staff procedures in detecting and responding to security breaches. (Part I ¶ 9, California OPP Recommended Practices on Notification of Security Breach, May 2008)
  • penetration testing of their information systems from both inside and outside the information systems' boundaries by a qualified internal or external party at least annually; and (§ 500.5 Vulnerability Management (a)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • The organization conducts penetration testing [TX-RAMP Assignment: at least annually] on [Assignment: organization-defined information systems or system components]. (CA-8 Control, TX-RAMP Security Controls Baseline Level 2)