Security Control 20:
Penetration Tests

Use simulated attacks to improve organizational readiness: Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage.

Key: REQ = Required, REC = Recommended, OPT = Optional

| ID | Details | High | Med | Low |
|---|---|---|---|---|
| 20.1 | Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that could be used to exploit systems. Penetration testing should be performed from outside the network perimeter (i.e., from the Internet or over wireless) as well as from within it (i.e., on the internal network), so that both outsider and insider attacks are simulated. | REQ | REC | OPT |
| 20.2 | Ensure that systemic problems discovered in penetration tests are either fully mitigated or formally accepted as risk. | REQ | REC | OPT |
| 20.3 | Include social engineering within the scope of a penetration test. The human element is frequently the weakest link and one that attackers routinely target. | REQ | REC | OPT |
| 20.4 | Create a test bed that mimics the production environment for penetration tests against elements that are not normally tested in production, such as attacks against supervisory control and data acquisition (SCADA) and other control systems. | REQ | REC | OPT |

Additional Reading