Security Control 20:
Penetration Tests
Use simulated attacks to improve organizational readiness: Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage.
Key: REQ = Required, REC = Recommended, OPT = Optional
ID | Details | High | Med | Low |
---|---|---|---|---|
20.1 | Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit systems successfully. Penetration testing should occur from outside the network perimeter (e.g., from the Internet or over wireless) as well as from within its boundaries (e.g., on the internal network) to simulate both outsider and insider attacks. | REQ | REC | OPT |
20.2 | Ensure that systemic problems discovered in penetration tests are fully mitigated, or that the residual risk is formally accepted by the organization. | REQ | REC | OPT |
20.3 | Include social engineering within the scope of a penetration test. The human element is often the weakest link and one that attackers frequently target. | REQ | REC | OPT |
20.4 | Create a test bed that mimics the production environment for penetration tests against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition (SCADA) and other control systems. | REQ | REC | OPT |