Compliance and penetration testing
Compliance requirements aside, penetration testing is a critical part of any security programme. Attack techniques keep growing in sophistication, so organisations need to identify, prioritise and manage vulnerabilities on an ongoing basis rather than as a one-off exercise.
Connecting compliance with penetration testing
In today's regulated environment, many organisations are looking for better ways to assess their compliance posture on an ongoing basis. Many regulations and standards include components related to system auditing and security, and either explicitly require penetration testing or imply it, because a test is the practical way to determine whether an identified vulnerability poses a genuine risk to the organisation.
PCI DSS
Standard
What is it?
The PCI DSS (Payment Card Industry Data Security Standard) was set up by the card brands to help businesses process card payments securely and reduce card fraud. It does this by enforcing tight controls on the storage, transmission and processing of cardholder data, and it is enforced contractually through the acquiring banks and payment brands rather than by law.
Requirement
Requirement 11.3 of the PCI DSS (v3.x) requires external and internal penetration testing of the cardholder data environment at least annually and after any significant infrastructure or application change, with identified issues corrected and retested; where segmentation is used to reduce scope, the segmentation controls must also be tested. Detection of rogue wireless access points is a separate requirement (11.1, quarterly). Note that v4.0 renumbers these: penetration testing is Requirement 11.4 and wireless detection is 11.2.
ISO 27001
Standard
What is it?
ISO 27001 does not mandate penetration testing by name, but it is one of the most effective ways to satisfy the technical vulnerability management control and to provide the evidence an auditor will look for when assessing compliance (and certification). Test results show the organisation where its information security management system (ISMS) needs improvement, and repeated testing forms part of the continual improvement cycle the standard requires.
Requirement
ISO 27001:2013 Annex A control A.12.6.1 (Management of technical vulnerabilities), under control objective A.12.6 (Technical vulnerability management), states: "Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk." In ISO 27001:2022 the equivalent control is A.8.8 (Management of technical vulnerabilities).
GDPR
Regulation
What is it?
The GDPR does not name penetration testing, but it does require that the effectiveness of your security measures be tested regularly. Assessing applications and critical infrastructure for security vulnerabilities through penetration testing and regular vulnerability assessments is a recognised way of meeting that requirement.
Requirement
Article 32 requires an organisation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Article 32(1)(d) specifically requires "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing".
PSD2
Directive
What is it?
PSD2 (the revised Payment Services Directive, Directive (EU) 2015/2366) is a significant evolution of the existing regulation of the payment industry and payment service providers. It aims to increase competition in an already competitive industry, bring new types of payment services into scope, enhance customer protection and security, and extend the reach of the original Directive.
Requirement
PSD2 requires prospective payment institutions to provide, as part of their authorisation application, a security policy document (Article 5(1)(j)) – including a detailed risk assessment – that describes the measures taken to protect customers from fraud and from the illegal use of sensitive payment data and personal data. Under Article 95, payment service providers must also report to their national competent authority, at least annually, an updated and comprehensive assessment of the operational and security risks relating to their payment services and of the adequacy of the mitigation measures and control mechanisms in place. Penetration testing is one of the principal ways of evidencing that those controls actually work.
Offering practical solutions to help you meet your legal, regulatory and contractual requirements
Our expertise in standards and regulations such as the PCI DSS, the GDPR and ISO 27001 means we can offer an integrated approach to your testing challenges and develop suitable solutions that will enable you to reduce your risks and demonstrate compliance with the standards, frameworks, legislation and other business requirements that apply to you.
Speak to an expert
For more information and guidance on penetration testing or the packages IT Governance offers, please contact our experts, who will be able to discuss your organisation's needs further.