20.2: Conduct Regular External and Internal Penetration Tests
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Asset Type |
Security Function |
Implementation Groups |
|---|---|---|
N/A |
N/A |
2, 3 |
Dependencies
Sub-control 20.1: Establish a Penetration Testing Program
Inputs
Penetration Testing Report for most recent external penetration test
Penetration Testing Report for most recent internal penetration test
Penetration Testing Program document
Operations
- Examine the Penetration Testing Reports (Inputs 1 and 2) to determine the dates that the most recent penetration tests of each type (external and internal) occurred. Examine the Penetration Testing Program document (Input 3) to determine how frequently the organization is required to conduct external and internal penetration tests, and use those required time frames to determine:
if the most recent external penetration test was within the required time frame (M1)
if the most recent internal penetration test was within the required time frame (M2)
Manually review the Penetration Testing Reports to confirm that they contain any discovered vulnerabilities and attack vectors that can be used to successfully exploit the organization’s systems (M3); or, if none were successful, verify that the documentation describes those that were attempted but were unsuccessful.
Measures
M1 = Boolean value indicating if the most recent external penetration test was within the required time frame; 1 if so, 0 otherwise
M2 = Boolean value indicating if the most recent internal penetration test was within the required time frame; 1 if so, 0 otherwise
M3 = Boolean value indicating if the Penetration Testing Reports contain discovered vulnerabilities and attack vectors that were successful against the organization’s systems; 1 if so, 0 otherwise
Metrics
Penetration Testing Reports
Metric |
Are both internal and external penetration tests conducted regularly?
|
Calculation |
|
Vulnerability Discovery
Metric |
Do penetration testing reports document discovered vulnerabilities?
|
Calculation |
|