Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
Why Is This Control Critical?
A successful defensive posture requires a comprehensive program of effective policies and governance and strong technical defenses, combined with appropriate action from people. In a complex environment where technology is constantly evolving and new attacker tradecraft appears regularly, enterprises should periodically test their controls to identify gaps and to assess their resiliency. Such a test may be conducted from an external network, internal network, application, system, or device perspective. It may also include social engineering of users or bypasses of physical access controls.
Safeguards (5)
| ID | Title | Asset Type | Function | Implementation Groups |
|---|---|---|---|---|
| 18.1 | Establish and Maintain a Penetration Testing Program | N/A | Identify | IG2, IG3 |
| 18.2 | Perform Periodic External Penetration Tests | Network | Identify | IG2, IG3 |
| 18.3 | Remediate Penetration Test Findings | Network | Protect | IG2, IG3 |
| 18.4 | Validate Security Measures | Network | Protect | IG3 |
| 18.5 | Perform Periodic Internal Penetration Tests | N/A | Identify | IG3 |