The following compliance controls are associated with the Policy definition 'Employ independent team for penetration testing' (611ebc63-8600-50b6-a0e3-fef272457132):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Policy# |
|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CA-8(1) | FedRAMP_High_R4_CA-8(1) | FedRAMP High CA-8 (1) | Security Assessment And Authorization | Independent Penetration Agent Or Team | Shared | n/a | The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. Supplemental Guidance: Independent penetration agents or teams are individuals or groups who conduct impartial penetration testing of organizational information systems. Impartiality implies that penetration agents or teams are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems that are the targets of the penetration testing. Supplemental guidance for CA-2 (1) provides additional information regarding independent assessments that can be applied to penetration testing. Related control: CA-2. | 1 |
| FedRAMP_Moderate_R4 | CA-8(1) | FedRAMP_Moderate_R4_CA-8(1) | FedRAMP Moderate CA-8 (1) | Security Assessment And Authorization | Independent Penetration Agent Or Team | Shared | n/a | The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. Supplemental Guidance: Independent penetration agents or teams are individuals or groups who conduct impartial penetration testing of organizational information systems. Impartiality implies that penetration agents or teams are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems that are the targets of the penetration testing. Supplemental guidance for CA-2 (1) provides additional information regarding independent assessments that can be applied to penetration testing. Related control: CA-2. | 1 |
| hipaa | 0712.10m2Organizational.4-10.m | hipaa-0712.10m2Organizational.4-10.m | 0712.10m2Organizational.4-10.m | 07 Vulnerability Management | 0712.10m2Organizational.4-10.m 10.06 Technical Vulnerability Management | Shared | n/a | Internal and external vulnerability assessments of covered information systems, virtualized environments, and networked environments, including both network- and application-layer tests, are performed by a qualified individual on a quarterly basis or after significant changes. | 2 |
| hipaa | 0788.10m3Organizational.20-10.m | hipaa-0788.10m3Organizational.20-10.m | 0788.10m3Organizational.20-10.m | 07 Vulnerability Management | 0788.10m3Organizational.20-10.m 10.06 Technical Vulnerability Management | Shared | n/a | The organization undergoes regular penetration testing by an independent agent or team, at least every 365 days, on defined information systems or system components; conducts such testing from outside as well as inside the network perimeter; and such testing includes tests for the protection of unprotected system information that would be useful to attackers. | 1 |
| ISO27001-2013 | A.12.7.1 | ISO27001-2013_A.12.7.1 | ISO 27001:2013 A.12.7.1 | Operations Security | Information systems audit controls | Shared | n/a | Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes. | 1 |
| ISO27001-2013 | A.18.2.1 | ISO27001-2013_A.18.2.1 | ISO 27001:2013 A.18.2.1 | Compliance | Independent review of information security | Shared | n/a | The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes occur. | 2 |
| ISO27001-2013 | A.18.2.3 | ISO27001-2013_A.18.2.3 | ISO 27001:2013 A.18.2.3 | Compliance | Technical compliance review | Shared | n/a | Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards. | 5 |
| NIST_SP_800-53_R4 | CA-8(1) | NIST_SP_800-53_R4_CA-8(1) | NIST SP 800-53 Rev. 4 CA-8 (1) | Security Assessment And Authorization | Independent Penetration Agent Or Team | Shared | n/a | The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. Supplemental Guidance: Independent penetration agents or teams are individuals or groups who conduct impartial penetration testing of organizational information systems. Impartiality implies that penetration agents or teams are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems that are the targets of the penetration testing. Supplemental guidance for CA-2 (1) provides additional information regarding independent assessments that can be applied to penetration testing. Related control: CA-2. | 1 |
| NIST_SP_800-53_R5 | CA-8(1) | NIST_SP_800-53_R5_CA-8(1) | NIST SP 800-53 Rev. 5 CA-8 (1) | Assessment, Authorization, and Monitoring | Independent Penetration Testing Agent or Team | Shared | n/a | Employ an independent penetration testing agent or team to perform penetration testing on the system or system components. | 1 |
|  | org.3 Security procedures | org.3 Security procedures |  |  |  |  | n/a | n/a | 83 |
| PCI_DSS_v4.0 | 11.4.1 | PCI_DSS_v4.0_11.4.1 | PCI DSS v4.0 11.4.1 | Requirement 11: Test Security of Systems and Networks Regularly | External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected | Shared | n/a | A penetration testing methodology is defined, documented, and implemented by the entity, and includes: • Industry-accepted penetration testing approaches. • Coverage for the entire CDE perimeter and critical systems. • Testing from both inside and outside the network. • Testing to validate any segmentation and scope-reduction controls. • Application-layer penetration testing to identify, at a minimum, the vulnerabilities listed in Requirement 6.2.4. • Network-layer penetration tests that encompass all components that support network functions as well as operating systems. • Review and consideration of threats and vulnerabilities experienced in the last 12 months. • Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing. • Retention of penetration testing results and remediation activities results for at least 12 months. | 1 |
| PCI_DSS_v4.0 | 11.4.3 | PCI_DSS_v4.0_11.4.3 | PCI DSS v4.0 11.4.3 | Requirement 11: Test Security of Systems and Networks Regularly | External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected | Shared | n/a | External penetration testing is performed: • Per the entity’s defined methodology • At least once every 12 months • After any significant infrastructure or application upgrade or change • By a qualified internal resource or qualified external third party • Organizational independence of the tester exists (not required to be a QSA or ASV). | 1 |
| SWIFT_CSCF_v2022 | 7.3A | SWIFT_CSCF_v2022_7.3A | SWIFT CSCF v2022 7.3A | 7. Plan for Incident Response and Information Sharing | Validate the operational security configuration and identify security gaps by performing penetration testing. | Shared | n/a | Application, host, and network penetration testing is conducted towards the secure zone and the operator PCs or, when used, the jump server. | 2 |