Penetration Testing for Compliance
By ERMProtect Staff
Penetration testing is one of the most efficient types of cybersecurity assessments organizations can use to validate their cyber risks and mitigate them. In a penetration test, a qualified “ethical hacker” attempts to scale the cybersecurity wall a company has built and discover the weak spots. These tests are vital to the security of an organization - which is why they are required by so many data regulations.
Depending on your organization’s industry profile and regulatory requirements, the tests may be required once a year or more frequently. Some regulations don’t spell out frequency but include a general provision requiring organizations to effectively manage and mitigate security risks through testing.
How can you use penetration testing to help your organization meet regulatory requirements? Below, we offer a list of regulations where pen tests could help. (At ERMProtect, we have spent 24 years conducting penetration testing to mitigate threats and secure compliance. Give us a call or email us at [email protected] if we can help.)
Penetration Testing for PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that companies that accept, process, store, or transmit credit card information maintain a secure environment. Basically, anyone who takes credit cards is affected by this standard.
Requirement 11 of PCI DSS 3.2.1 specifically mandates the performance of regular penetration testing. This requirement is applicable to merchants that need to do a formal audit or fill out a SAQ C and SAQ D. It is also applicable to all Service Providers.
Organizations that fall within the scope of PCI DSS must perform internal and external penetration testing at least annually, or after any significant changes to infrastructure.
Penetration Testing for HIPAA Compliance
HIPAA is the Health Insurance Portability and Accountability Act (HIPAA). It requires health care practitioners to protect electronically stored Protected Health Information (PHI) by using appropriate administrative, physical, and technical safeguards to ensure the confidentiality and security of the information.
Strictly speaking, HIPAA does not require a penetration test or a vulnerability scan. However, it does require a risk analysis which, effectively, requires covered entities to test their security controls. HIPAA Evaluation Standard § 164.308(a)(8) specifically speaks to the safety, privacy, and electronic exchange of medical information. It’s penetration testing requirements allow technical and non-technical evaluations of security through “white hat” hacking when deemed reasonable and appropriate. HIPAA requires that healthcare providers regularly test data security or face fines ranging from $100 to $50,000 per record compromised.
Penetration Testing for FINRA Compliance
FINRA establishes the cybersecurity rules for financial organizations, such as securities firms, that must comply with the Securities Exchange Act of 1933 (17 CFR §240.17a-4(f)). FINRA performs detailed reviews of effective information-security controls at financial firms. While the agency does not require penetration tests, they are highly recommended as an effective practice to address select cybersecurity risks.
FINRA recommends running penetration tests both on a regular basis, as well as after key events such as significant changes to a firm’s infrastructure or access controls.
Penetration Testing for SWIFT CSF
The SWIFT Customer Security Program (CSP) is a framework designed to help improve the security of the SWIFT interbank communications system, as well as the financial institutions that on it to send and receive financial transaction data.
The SWIFT CSP contains a range of mandatory and advisory controls designed to help organizations secure their environment, restrict access to confidential data, and detect and respond to threats. Principle 2 of the CSP requires organizations to reduce their attack surface and manage vulnerabilities.
SWIFT Control 7.3 requires financial institutions to conduct penetration testing to identify security gaps. Application, host, and network penetration testing must be conducted yearly.
Penetration Testing for NY SHIELD Act
New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act effective March 2020. The law imposes more data security requirements on companies who collect information on New York residents.
The NY SHIELD Act requires that businesses develop, implement, and maintain “reasonable safeguards to protect the security, confidentiality and integrity” of New York residents’ data, including administrative, technical, and physical safeguards. Penetration testing is one way to demonstrate that reasonable steps were taken to protect data.
Penetration Testing for NIS Directive & Regulations
The Network and Information Systems Directive, better known as the NIS Directive (or NIS Regulations in the UK), is a piece of pan-EU legislation designed to improve the security and resilience of critical infrastructure and services.
The NIS Directive applies to Operators of Essential Services (OES) such as energy, transport, utilities, and healthcare providers, as well as Relevant Digital Service Providers (RDSP) including online marketplaces, online search agencies, and cloud computing services.
There is no specific requirement within the NIS Directive or NIS Regulations that mandates penetration testing. But for organizations to effectively manage security risk and protect against cyber-attacks, penetration tests are essential to meet NIS objectives.
Penetration Testing for Data Privacy Compliance
Data privacy laws specify how people’s data should be collected, stored, and shared with third parties. The goal is to give people protection from misuse of their personal information and unfettered sharing of their personal information without informed consent.
Penetration testing is a key component of data privacy compliance since it allows organizations to assure citizens about the security of their data, as privacy laws require.
The most widely discussed data privacy laws include the EU and UK GDPR (General Data Protection Regulation) and Brazil´s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD).
GDPR states that companies must regularly test, assess, and evaluate the effectiveness of technical and organizational measures that ensure the security of data (Article 32 GDPR). Similarly, LGPD requires companies to guarantee the security of personal data (Article 47 LGPD).
Penetration testing allows organizations that are subject to such privacy laws to identify pathways that could permit data compromises, so they can be remediated.
Penetration Testing for ISO 27001 Compliance
The ISO 27001 standard details a very specific course of action for organizations to secure their assets, encompassing a series of IT security controls. As part of the risk management process in ISO 27001, penetration tests can be used to validate that the implemented security controls work as designed.
Specifically, the standard states in A.12.6.1 that information about technical vulnerabilities “shall be obtained in a timely fashion” and remediated to address the associated risk. Penetration tests provide the visibility demanded by the standard.
Penetration Testing for SOC 2 Compliance
SOC 2 certification involves an audit by a third-party to verify that a company is meeting stringent security and privacy controls. SOC 2 has two specific requirements that mention penetration testing and vulnerability management for auditors to review:
- CC4.1 – Management uses a variety of different types of ongoing and separate evaluations, including penetration testing; independent certifications made against established specifications (for example, ISO certifications); and internal audit assessments.
- CC7.1 – The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
While subject to auditor interpretation, penetration tests are generally considered the best and most cost-effective way to help meet these mandates.
Penetration Testing for Regulatory Requirements
Both consumers and governments are increasingly concerned about the threats that cyber-insecurity may pose to industry, national security, and our daily lives. As a result, both public and private regulatory agencies are establishing more guidelines and requiring more tests to secure IT infrastructure.
Penetration tests can help secure mission-critical assets and, in turn, prevent financial losses and disruption. They assist with compliance, but more importantly, they help protect enterprises and the customers they serve.
How ERMProtect Can Help
For more information about penetration testing, check out ERMProtect’s Guide to Penetration Testing. To speak with an expert for a free consultation about how pen testing can secure your organization, click here.
Get a curated briefing of the week's biggest cyber news every Friday.
Intelligence and Insights