1. Purpose
Establish requirements for conducting penetration testing to evaluate the effectiveness of [ORGANIZATION]'s security controls and identify vulnerabilities before they can be exploited by adversaries.
2. Scope
This policy applies to all penetration testing activities conducted on [ORGANIZATION]'s systems, networks, applications, and physical security, whether performed by internal teams or external service providers.
3. Policy
3.1 Testing Requirements
[ORGANIZATION] shall conduct penetration testing at least [CUSTOMIZE: annually/bi-annually] and after significant infrastructure or application changes.
Penetration testing scope shall include: external network penetration testing, internal network penetration testing, web application penetration testing for all internet-facing applications, wireless network assessment, and social engineering testing (phishing, vishing, physical).
A penetration testing program shall be defined and maintained that specifies scope, frequency, methodology, rules of engagement, and reporting requirements.
Testing methodology shall align with recognized frameworks such as PTES, OWASP Testing Guide, or NIST SP 800-115.
3.2 Tester Qualifications
Penetration testing shall be performed by qualified professionals with relevant certifications (e.g., OSCP, GPEN, CEH, CREST) or demonstrated equivalent experience.
External penetration testing firms shall carry professional liability insurance of at least [CUSTOMIZE: $1M/$5M].
For CIS Controls Implementation Group 3 (IG3) environments: At least [CUSTOMIZE: annual] penetration testing shall be performed by an external, independent firm (not the same firm providing other security services to [ORGANIZATION]).
3.3 Rules of Engagement
All penetration testing shall be governed by a signed Rules of Engagement (RoE) document specifying: authorized scope (systems, networks, applications), prohibited activities, testing windows, emergency contacts, data handling requirements for findings, and legal protections for testers.
Testing that could cause service disruption shall be scheduled during [CUSTOMIZE: maintenance windows/off-peak hours] with appropriate stakeholder notification.
Critical vulnerabilities discovered during testing shall be reported to [CUSTOMIZE: CISO/IT Security] immediately, not held for the final report.
3.4 Remediation and Validation
Penetration test findings shall be remediated according to the Vulnerability Management Policy SLAs.
Remediation of Critical and High findings shall be validated through retesting within [CUSTOMIZE: 30/60] days of reported remediation.
Penetration test reports shall be classified as Confidential and distributed only to authorized recipients.
4. Compliance
Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.
Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.
5. Enforcement
Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.
[ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.
6. Review and Revision
This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.
All revisions shall be documented with version number, date, author, and description of changes.
Policy Approval
Approved By: ______________________
Title: ______________________
Date: ______________________
Document Control