IT Penetration Testing
by Jeff Patterson, BOL Guru

Question:  We use outside vendors to do our IT penetration testing. Is it written anywhere how often this should be done? Can we use the same vendor each time?

Answer:  The FFIEC's Information Security IT Examination Handbook specifies that "[h]igh-risk systems should be subject to an independent diagnostic test at least once a year." Other than that, nothing in the handbook specifies a schedule for penetration testing – only that the frequency of all security tests is based on the level of risk associated with a given system and is "determined by the institution's risk assessment." The Handbook also says, "Information systems that exhibit high risks should be subject to more frequent and rigorous testing than low-risk systems."

The National Institute of Standards and Technology's (NIST) Guideline on Network Security Testing (SP 800-42) supports this requirement by stating: "Because of the high cost and potential impact, annual penetration testing may be sufficient."

One of the keys in planning the frequency of penetration testing is not to confuse penetration testing with external port and vulnerability scanning. Port and vulnerability scanning is only one aspect of a penetration test. Industry standards recommend at least quarterly port and vulnerability scans, along with scans after substantial changes in firewall configuration, after discovery of significant new vulnerabilities, or after adding a new externally exposed system. Additionally, extra social engineering tests should be conducted after any substantial changes in personnel. These tests can be conducted by in-house personnel. Also, the FFIEC's InfoSec handbook does recommend that audits of firewall policies, and of the policies governing the interaction of the internal network with other networks, be conducted quarterly. These can also be conducted in-house.

There are also no guidelines on using the same vendor for penetration testing over and over. However, the vendor conducting the penetration test should have no responsibility for the design, installation, maintenance or operation of the system. The actual statement from the handbook says, "To be considered independent, testing personnel should not be responsible for the design, installation, maintenance, and operation of the tested system, as well as the policies and procedures that guide its operation." However, to protect yourself from price gouging and to ensure you are getting the highest quality of tests, you should issue requests for bids on an annual basis. A good schedule would include quarterly audits of firewall policies and quarterly port and vulnerability scans. Both of these can be conducted by in-house personnel. Full penetration tests, security assessments and information technology audits by independent vendors should be conducted annually. Getting bids for these services through a formal request for proposal process ensures that you are getting the best service and tests.

First published on BankersOnline.com 5/08/06
