18.2: Perform Periodic External Penetration Tests
Incorporates the following controls from the previous version: 20.2: Conduct Regular External and Internal Penetration Tests, 20.3: Perform Periodic Red Team Exercises, 20.4: Include Tests for Presence of Unprotected System Information and Artifacts.
Control Statement
Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]