18.1: Establish and Maintain a Penetration Testing Program

Control Statement

Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]