18.3 Remediate Penetration Test Findings

Implementation Groups: IG2, IG3

Control Group: 18. Penetration Testing
Asset Type: Network
Security Function: Protect

Description

Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Draft policy/procedure document
7. Obtain stakeholder review and approval
8. Communicate to affected personnel
9. Schedule periodic review and updates
10. Define penetration testing scope and rules of engagement
11. Engage qualified penetration testing team
12. Review findings and prioritize remediation
13. Validate remediation through retesting
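An added example (not from the CIS Controls or from any penetration-testing tool) of the tracking logic behind steps 12 and 13: every finding carries a severity-based remediation deadline, an accountable owner and a retest date, and a triage pass reports exactly the gaps the threat scenarios on this page describe (unassigned, overdue, fixed but never retested). The SLA_DAYS values, the Finding fields and the sample findings are constructed assumptions, not figures from the framework.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation deadlines per severity, in days after report delivery.
# The enterprise's own remediation policy (Safeguard 18.3) supplies the real values.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    finding_id: str
    severity: str                     # one of the SLA_DAYS keys
    reported: date                    # date the pentest report was delivered
    owner: Optional[str] = None       # team accountable for the fix
    fixed: Optional[date] = None      # date the fix reached production
    retested: Optional[date] = None   # date a retest confirmed the fix

    def due(self) -> date:
        return self.reported + timedelta(days=SLA_DAYS[self.severity])

def triage(findings, today):
    """Group findings by the accountability gaps the safeguard is meant to close."""
    report = {"unassigned": [], "overdue": [], "fixed_not_retested": [], "closed": []}
    # Most severe (shortest SLA) first, then oldest report first.
    for f in sorted(findings, key=lambda f: (SLA_DAYS[f.severity], f.reported)):
        if f.retested is not None:
            report["closed"].append(f.finding_id)   # only a retest closes a finding
            continue
        if f.owner is None:
            report["unassigned"].append(f.finding_id)
        if f.fixed is None and today > f.due():
            report["overdue"].append(f.finding_id)
        if f.fixed is not None:
            report["fixed_not_retested"].append(f.finding_id)
    return report

# Constructed sample findings, not taken from any real engagement.
SAMPLE = [
    Finding("PT-001", "critical", date(2024, 3, 1), "web-team", date(2024, 3, 5), date(2024, 3, 6)),
    Finding("PT-002", "critical", date(2024, 3, 1)),                             # never assigned
    Finding("PT-003", "high", date(2024, 3, 1), "infra"),                        # open past its deadline
    Finding("PT-004", "medium", date(2024, 3, 1), "infra", date(2024, 4, 2)),    # fixed, awaiting retest
    Finding("PT-005", "low", date(2024, 3, 20), "infra"),                        # open but within SLA
]

def demo():
    return triage(SAMPLE, date(2024, 4, 15))

if __name__ == "__main__":
    for bucket, ids in demo().items():
        print(f"{bucket}: {ids}")
```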

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Known Vulnerability Exploited After Unremediated Pentest Finding

Confidentiality

An attacker exploits a vulnerability that was identified in a penetration test but never remediated because no process exists to track and prioritize the remediation of pentest findings.

Critical Finding Deprioritized Without Remediation Policy

Integrity

A critical penetration test finding is deprioritized by a development team focused on features because no organizational policy mandates remediation timelines based on finding severity.

Vulnerabilities (When Safeguard Absent)

No Remediation Process for Penetration Test Findings

Without a defined remediation scope and prioritization policy, penetration test findings are not systematically addressed, leaving identified vulnerabilities exploitable long after discovery.

Penetration Tests Produce Reports Without Accountability

Absence of remediation requirements means penetration test reports become shelf-ware, with findings acknowledged but never assigned, tracked, or verified as fixed.

Evidence Requirements

Type       | Evidence Item                                                           | Collection Frequency
-----------|-------------------------------------------------------------------------|---------------------
Technical  | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document   | Procedure documentation for protection measures                          | Reviewed annually
Record     | Penetration test report and executive summary                            | Per engagement
Record     | Remediation tracking and retest validation results                       | Post-engagement
Document   | Governing policy document (current, approved, communicated)              | Reviewed annually