TVM-06: Penetration Testing

CSF v1.1 References:


Control is new to this version of the control set and incorporates the following control from the previous version: TVM-02: Vulnerability / Patch Management.

Control Statement

Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.

Implementation Guidance

A formal schedule of red team exercises, interspersed with risk assessments, remediation, and penetration testing aligned to the applicable service model (IaaS, PaaS, SaaS, and XaaS), should be established. Penetration testing should comply with all applicable laws and regulations. A written and signed authorization should be obtained and verified before and after services are rendered. Penetration test schedules should be published on the integrated TVM system to ensure that tactics, techniques, and test procedures adhere to documented policies.

Auditing Guidance

  1. Examine the policy for adequacy, currency, and effectiveness.
  2. Determine whether a process for defining the frequency of penetration testing is in place.
  3. Determine whether the process for selecting independent third parties is defined and evaluated.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.