18: Penetration Testing
CSF v1.1 References:
PF v1.0 References:
Control Statement
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Subcontrols
18.1: Establish and Maintain a Penetration Testing Program
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
18.2: Perform Periodic External Penetration Tests
Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
18.3: Remediate Penetration Test Findings
Remediate penetration test findings based on the enterprise's policy for remediation scope and prioritization.
18.4: Validate Security Measures
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.
18.5: Perform Periodic Internal Penetration Tests
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.