Penetration testing is a key requirement of many regulatory and compliance frameworks, e.g., ISO 27001, SOC 2, PCI DSS, GDPR and OSFI. Each framework, standard or procedure has its own guidelines regarding penetration testing, and organizations must follow them to meet its requirements: some (such as PCI DSS) mandate penetration tests explicitly, while others (such as ISO 27001 and GDPR) require regular vulnerability management or testing of security measures, for which a penetration test is the usual evidence. Penetration testing is the process of identifying security gaps and issues in your IT infrastructure by emulating the tactics, techniques and procedures of a real-world attacker.
The digital landscape changes constantly, and new attack methods uncover new vulnerabilities every day. Our penetration testers actively stay up to date with the techniques being used by threat actors. As zero-day vulnerabilities are fixed, new vulnerabilities are discovered. Through regular penetration testing, you can be confident that your digital infrastructure remains robust, protected and compliant. According to a Gartner report from March 2021, failure to ensure compliance can cost from $1,000 to more than $1 million.
ISO 27001 and Penetration Testing
ISO 27001 is the international standard for information security; it specifies the requirements for an Information Security Management System (ISMS). Following ISO 27001 helps organizations manage their information security by addressing people, processes and technology.
ISO 27001 certification demonstrates that you have implemented a baseline of security measures to protect your data, increase resilience to attack, respond to evolving threats and comply with legal requirements.
In terms of penetration testing requirements, control A.12.6.1 (Management of technical vulnerabilities, under A.12.6 Technical vulnerability management) of Annex A of ISO 27001:2013 states: “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.” The standard does not name penetration testing as such, but a regular, scoped penetration test is the usual way to evidence that the organization’s exposure has actually been evaluated. In ISO 27001:2022 the same requirement appears as Annex A control 8.8 (Management of technical vulnerabilities).
SOC 2 and Penetration Testing
Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles” (now formally the Trust Services Criteria):
- security,
- availability,
- processing integrity,
- confidentiality and
- privacy.
It is important to note that SOC 2 is not a certification but rather an auditor’s opinion (an attestation report). This is where the confusion and ambiguity stem from: there is no defined list of boxes to check to become SOC 2 compliant. Instead of using a defined control set (e.g., the ISO 27001 Annex A controls), SOC 2 specifies criteria for which adequate controls must be designed, implemented and, for a Type II report, shown to operate effectively over the review period.
SOC 2 becomes essential when you sell services to other businesses (B2B). SOC 2 compliance tells your clients that your organization has the capability and security measures in place to protect sensitive information from unauthorized access. Beyond this, organizations pursue SOC 2 for a marketing edge, and it also serves as a pathway to other compliance programs.
SOC 2 is based on the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (“TSC 2017”), updated in March 2020. TSC 2017 presents a set of Common Criteria (CC), which make up the Security category that every SOC 2 report must cover, addressing:
- The control environment (CC1 series)
- Communication and information (CC2 series)
- Risk assessment (CC3 series)
- Monitoring of controls (CC4 series)
- Control activities related to the design and implementation of controls (CC5 series)
- Logical and physical access controls (CC6 series)
- System operations (CC7 series)
- Change management (CC8 series)
- Risk mitigation (CC9 series)
Under the “Points of Focus” for CC4.1, the criteria list:
Considers Different Types of Ongoing and Separate Evaluations — Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments
Points of focus are illustrative rather than mandatory, but they are what an auditor looks for when judging whether a criterion is met, so a documented, periodic penetration test is the natural evidence here.
Furthermore, according to CC7.1:
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
And under the “Points of Focus,”
Conducts Vulnerability Scans—The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.
PCI DSS and Penetration Testing
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements first released in 2004 and maintained by the PCI Security Standards Council (PCI SSC). Its goal is to secure credit and debit card transactions against fraud and data theft.
Not being PCI DSS compliant while handling customers’ card transactions can result in heavy fines and penalties. PCI DSS secures your business data, boosts customer confidence, protects your clients and reduces the cost of a data breach.
PCI DSS requirements for penetration testing are complex and detailed. Requirement 11.3 of PCI DSS v3.2.1 (Requirement 11.4 in v4.0) calls for internal and external penetration tests at least annually and after any significant infrastructure or application change, following a methodology based on industry-accepted approaches, plus testing that any segmentation used to isolate the CDE is effective. The PCI Security Standards Council has also released a Penetration Testing Guidance information supplement for entities that must conduct a penetration test, whether with an internal or external resource. While the guidance can be complex, Nivee has performed these tests before and we are comfortable with all of the requirements.
At Nivee, our PCI penetration testing helps you meet PCI DSS requirements by identifying vulnerabilities present in the Cardholder Data Environment (CDE) before a malicious attacker is able to discover and exploit them. PCI penetration testing provides a realistic view of the opportunities an attacker may take to compromise POS devices, payment applications and other devices within the CDE.
OSFI and Penetration Testing
OSFI (the Office of the Superintendent of Financial Institutions) is a Canadian federal regulator, established in 1987, whose mandate is to contribute to the safety and soundness of the Canadian financial system, including federally regulated banks and insurers, federal private pension plans, and trust and loan companies.
OSFI ensures that the interests of parties engaged in financial activity remain protected. Meeting OSFI’s expectations will tighten your cyber resilience against cyber-attacks and protect critical financial information from unauthorized access or theft.
OSFI’s Cyber Security Self-Assessment, published in August 2021, states that financial organizations in Canada should conduct penetration tests against networks, cloud environments and all critical IT systems to identify security gaps and deficiencies.
GDPR and Penetration Testing
GDPR (General Data Protection Regulation) is the EU’s data protection law, developed to protect the personal data of individuals in the EU. Any entity that collects or processes the personal data of EU residents must comply with it, regardless of where the entity itself is located.
Violating GDPR can cost a maximum fine of 20 million euros or 4% of global annual turnover (whichever is higher), with claims for damages from affected individuals on top of that. GDPR compliance is mandatory for organizations doing business in the EU, and it also gives clients confidence when trusting an organization with their personal data.
Article 32(1)(d) of GDPR requires “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” It does not specify what must be tested or how often, but as a rule of thumb any system, application or process that touches personal data should be tested regularly, and the results and remediation kept as evidence of that process.
Designing an accurate penetration test to achieve compliance or pass an audit is not easy and requires in-depth technical knowledge and experience. Organizations should seek advice from experts who can assist them in meeting security standards. Nivee is a team of expert and experienced information security professionals specializing in compliance and audit penetration tests. Nivee helps businesses achieve and maintain compliance by identifying and addressing the specific security vulnerabilities that affect each regulation.