BOL Conferences
#148281 - 01/09/04 11:02 PM penetration testing
Jokerman Offline
10K Club
Joined: Nov 2003
Posts: 12,846
Does anyone know off the top of their head where to find regulatory guidance on how often to conduct penetration testing? Thanks.

eBanking / Technology
#148282 - 01/09/04 11:47 PM Re: penetration testing
Czargazer Offline
Gold Star
Joined: May 2003
Posts: 298
Pacific Northwest
I think at this point it is entirely risk based. The updated FFIEC IT Exam Handbook (Dec. 2003), Information Security Booklet, states on page 81 "The frequency of testing should be determined by the institution's risk assessment. High-risk systems should be subject to an independent diagnostic test at least once a year." The word "independent" in this context only means that the individuals performing the testing have independence from creating or developing the systems being tested. So these could be internal auditors or it could be out-sourced; either would work.
_________________________
Everyone has to make a living, mine just happens to involve thumbscrews.

#148283 - 01/10/04 07:02 PM Re: penetration testing
Wayne Barnett Offline
Member
Joined: Nov 2002
Posts: 58
Dallas, Texas
Penetration testing is important. I do such testing as a standard part of my IT audits, and I find weaknesses 30% of the time. In almost every instance, the vendor for the firewall has a patch that eliminates the weakness. However, no one at the bank knows to check the vendor's web site for updated software.

At a minimum, I recommend penetration testing once a year. I also recommend that the vendor's web site be checked once a month, to ensure the firewall is running the most current version of its software. It only takes 60 seconds to do the check, and it's one of the best things you can do to protect yourself from hackers.

Regards,
Wayne Barnett, CPA
800-680-8692
www.barnettcpa.com

Wayne Barnett Software
A Texas Corporation
877-945-4344
www.barnettsoftware.com
