Control Summary
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls, and simulating the objectives and actions of an attacker.

Why is it needed?
An effective defence strategy requires a holistic programme: sound policies and governance, robust technical safeguards, and the appropriate involvement of people. Getting all of this right is rare. In today's complex and constantly changing technological landscape, where new attacker techniques emerge continually, enterprises should periodically test their security measures to pinpoint vulnerabilities and gauge their resilience. These assessments can be conducted from various angles, including external and internal networks, applications, systems, and devices, and may extend to social engineering tactics targeting users or attempts to bypass physical access controls.
Independent penetration testing serves as a valuable means of obtaining objective insights into the presence of vulnerabilities within enterprise assets and human factors, as well as the effectiveness of defenses and mitigating controls designed to safeguard the organisation against adverse impacts. These tests form an integral component of an ongoing, comprehensive security management and enhancement program. Additionally, they have the potential to uncover process deficiencies, such as incomplete or inconsistent configuration management and gaps in end-user training.
Implementing Control
The first step to satisfying this control is to establish and maintain a penetration testing programme. This includes determining the scope of any penetration testing engagement and key factors such as acceptable hours for testing, excluded attack types, and confidentiality of findings. Defining scope is critical to establishing clear rules of engagement and to minimising the unexpected collateral damage that invasive testing can cause.
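The scope elements listed above (in-scope ranges, excluded hosts, acceptable testing hours, excluded attack types) are exactly the things an engagement lead needs to check a planned activity against before it starts. The following is an added illustration, not part of this page or of any CIS tooling: a small rules-of-engagement checker in Python. The class and function names (`RulesOfEngagement`, `check_activity`, `check_plan`) and the sample ranges, window and exclusions in `SAMPLE_ROE` are all constructed for the example.

```python
"""Rules-of-engagement scope checker (added example; all names and sample values are hypothetical)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class RulesOfEngagement:
    """Agreed scope for one engagement, as the programme should record it."""
    in_scope: List[str]                       # CIDR ranges the client has authorised
    excluded_hosts: List[str] = field(default_factory=list)   # carve-outs inside in_scope
    excluded_attack_types: List[str] = field(default_factory=list)
    window_start: time = time(22, 0)          # acceptable testing hours (local time)
    window_end: time = time(6, 0)

    def in_window(self, when: datetime) -> bool:
        """True if `when` falls inside the agreed hours; handles windows that cross midnight."""
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        return t >= self.window_start or t <= self.window_end


def _in_any(addr, ranges: List[str]) -> bool:
    return any(addr in ip_network(r, strict=False) for r in ranges)


def check_activity(roe: RulesOfEngagement, target: str, attack_type: str, when_iso: str) -> List[str]:
    """Return the list of rules-of-engagement violations for one planned activity (empty = allowed)."""
    violations = []
    addr = ip_address(target)
    when = datetime.fromisoformat(when_iso)

    if not _in_any(addr, roe.in_scope):
        violations.append(f"{target} is not in any in-scope range")
    if _in_any(addr, roe.excluded_hosts):
        violations.append(f"{target} is explicitly excluded from testing")
    if attack_type.lower() in {a.lower() for a in roe.excluded_attack_types}:
        violations.append(f"attack type '{attack_type}' is excluded by the rules of engagement")
    if not roe.in_window(when):
        violations.append(f"{when_iso} is outside the agreed testing window")
    return violations


def check_plan(plan: List[Tuple[str, str, str]], roe: RulesOfEngagement) -> Dict[int, List[str]]:
    """Check every (target, attack_type, start_time) entry; returns only entries with violations."""
    result = {}
    for i, (target, attack_type, when_iso) in enumerate(plan):
        v = check_activity(roe, target, attack_type, when_iso)
        if v:
            result[i] = v
    return result


# Constructed sample scope using documentation address ranges; not a real engagement.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    excluded_hosts=["203.0.113.10/32"],            # e.g. a production database the client carved out
    excluded_attack_types=["denial of service", "social engineering"],
    window_start=time(22, 0),
    window_end=time(6, 0),
)

if __name__ == "__main__":
    plan = [
        ("203.0.113.20", "port scan", "2024-03-05T23:30:00"),        # allowed
        ("203.0.113.10", "port scan", "2024-03-05T23:30:00"),        # excluded host
        ("192.0.2.5", "port scan", "2024-03-05T23:30:00"),           # out of scope
        ("203.0.113.20", "denial of service", "2024-03-05T23:30:00"), # excluded attack type
        ("203.0.113.20", "port scan", "2024-03-05T14:00:00"),        # outside window
    ]
    for idx, problems in check_plan(plan, SAMPLE_ROE).items():
        print(f"activity {idx}: " + "; ".join(problems))
```

Running the checker over the planned activities before an engagement begins turns the written scope into something enforceable, and the list of violations doubles as a record for the confidentiality and reporting side of the programme.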
Safeguards at level 2 or 3:
18.1 Establish and Maintain a Penetration Testing Program
18.2 Perform Periodic External Penetration Tests
18.3 Remediate Penetration Test Findings
18.4 Validate Security Measures
18.5 Perform Periodic Internal Penetration Tests
