Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
Why Is This Control Critical?
A successful defensive posture requires a comprehensive program of effective policies and governance, strong technical defenses, combined with appropriate action from people. In a complex environment where technology is constantly evolving, and new attacker tradecraft appears regularly, enterprises should periodically test their controls to identify gaps and to assess their resiliency. This test may be from external network, internal network, application, system, or device perspectives. It may include social engineering of users, or physical access control bypasses.
Safeguards (5)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 18.1 | Establish and Maintain a Penetration Testing Program | Identify | IG2, IG3 | 7 | 5 |
| 18.2 | Perform Periodic External Penetration Tests | Identify | IG2, IG3 | 7 | 5 |
| 18.3 | Remediate Penetration Test Findings | Protect | IG2, IG3 | 7 | 5 |
| 18.4 | Validate Security Measures | Protect | IG3 | 7 | 5 |
| 18.5 | Perform Periodic Internal Penetration Tests | Identify | IG3 | 7 | 5 |
Audit Verification Details
18.1 Establish and Maintain a Penetration Testing Program
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
Audit Verification Checklist
| Check | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| An inventory or catalog of in-scope assets is maintained, accurate, and complete. | Inventory export with timestamps showing recent updates |
| The inventory is reviewed and reconciled on the defined schedule. | Review meeting minutes, sign-off records, or change logs |
| New assets/items are added to the inventory within the defined onboarding window. | Sample of recently onboarded assets with inventory timestamps |
| Penetration testing has been performed by qualified testers within the past 12 months. | Pentest report, tester qualifications, scope documentation |
| Pentest findings are remediated and validated through retesting. | Remediation tracking, retest validation report |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Record | Penetration test report and executive summary | Per engagement |
| Record | Remediation tracking and retest validation results | Post-engagement |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
18.2 Perform Periodic External Penetration Tests
Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
Audit Verification Checklist
| Check | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| An inventory or catalog of in-scope external assets is maintained, accurate, and complete. | Inventory export with timestamps showing recent updates |
| The inventory is reviewed and reconciled on the defined schedule. | Review meeting minutes, sign-off records, or change logs |
| New assets/items are added to the inventory within the defined onboarding window. | Sample of recently onboarded assets with inventory timestamps |
| External penetration testing has been performed by qualified testers within the past 12 months. | Pentest report, tester qualifications, scope documentation |
| Pentest findings are remediated and validated through retesting. | Remediation tracking, retest validation report |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Record | Penetration test report and executive summary | Per engagement |
| Record | Remediation tracking and retest validation results | Post-engagement |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
18.3 Remediate Penetration Test Findings
Remediate penetration test findings based on the enterprise's policy for remediation scope and prioritization.
Audit Verification Checklist
| Check | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Penetration testing has been performed by qualified testers within the past 12 months. | Pentest report, tester qualifications, scope documentation |
| Pentest findings are remediated according to the defined scope and prioritization, and validated through retesting. | Remediation tracking, retest validation report |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Penetration test report and executive summary | Per engagement |
| Record | Remediation tracking and retest validation results | Post-engagement |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
18.4 Validate Security Measures
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.
Audit Verification Checklist
| Check | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing after each penetration test. | Test results, validation reports, or scan output |
| Changes to protection controls (including rulesets and detection capabilities) follow the change management process. | Change tickets, approval records |
| Penetration testing has been performed by qualified testers within the past 12 months. | Pentest report, tester qualifications, scope documentation |
| Pentest findings are remediated and validated through retesting. | Remediation tracking, retest validation report |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Penetration test report and executive summary | Per engagement |
| Record | Remediation tracking and retest validation results | Post-engagement |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
18.5 Perform Periodic Internal Penetration Tests
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.
Audit Verification Checklist
| Check | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| An inventory or catalog of in-scope internal assets is maintained, accurate, and complete. | Inventory export with timestamps showing recent updates |
| The inventory is reviewed and reconciled on the defined schedule. | Review meeting minutes, sign-off records, or change logs |
| New assets/items are added to the inventory within the defined onboarding window. | Sample of recently onboarded assets with inventory timestamps |
| Internal penetration testing has been performed by qualified testers within the past 12 months. | Pentest report, tester qualifications, scope documentation |
| Pentest findings are remediated and validated through retesting. | Remediation tracking, retest validation report |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Record | Penetration test report and executive summary | Per engagement |
| Record | Remediation tracking and retest validation results | Post-engagement |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |