18.1: Establish and Maintain a Penetration Testing Program
CSF v1.1 References:
PF v1.0 References:
Previous Version:
- Critical Security Controls Version 7.1:
  - 20.1: Establish a Penetration Testing Program
Control Statement
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]