Skip to content

IT Penetration Testing

Answered by: 

Question: 
We use outside vendors to do our IT penetration testing. Is it written anywhere how often this should be done? Can we use the same vendor each time?
Answer: 

The FFIEC’S Information Security IT Examination Handbook specifies that "[h]igh-risk systems should be subject to an independent diagnostic test at least once a year." Other than that, nothing in the handbook specifies a schedule for penetration testing - only that the frequency of all security tests are based on the level of risk associated with a given system and are "determined by the institution's risk assessment." The Handbook also says, "Information systems that exhibit high risks should be subject to more frequent and rigorous testing than low-risk systems."

The National Institute of Standards and Technology’s (NIST) Guideline on Network Security Testing (800-42) supports this requirement by stating: "Because of the high cost and potential impact, annual penetration testing may be sufficient."

One of the keys in planning the frequency for penetration testing is not to confuse penetration testing with external port and vulnerability scanning. Port and vulnerability scanning is only one aspect of a penetration test. Industry standards recommend at least quarterly port and vulnerability scans, along with scans after substantial changes in firewall configuration, discovery of significant new vulnerabilities, or after adding a new externally exposed system. Additionally, extra social engineering tests should be conducted after any substantial changes in personnel. These tests can be conducted by in-house personnel. Also, the FFIEC’s InfoSec handbook does recommend that auditing of firewall policies and policies governing the interaction of the internal network with other networks should be conducted quarterly. These can also be conducted in-house.

There are also no guidelines for using the same vendor for penetration testing over and over. However, the vendor conducting the penetration test should have no responsibility for the design, installation, maintenance or operation of the system. The actual statement from the handbook says, "To be considered independent, testing personnel should not be responsible for the design, installation, maintenance, and operation of the tested system, as well as the policies and procedures that guide its operation." However, to protect yourself from price gouging and ensure you are getting the highest quality of tests, you should issue requests for bids on an annual basis. A good schedule would include quarterly audits of firewall policies and port and vulnerability scans. Both of these can be conducted by in-house personnel. Full penetration tests, security assessments and information technology audits by independent vendors should be conducted annually. Getting bids for these services through a formal request for proposal process ensures that you are getting the best service and tests.

First published on BankersOnline.com 5/08/06

First published on 05/08/2006

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Topics