Penetration Testing Requirements

Question: 
Are there any requirements or criteria for Penetration testing? Can we perform the penetration testing ourselves? If we hire a third party vendor, should we require documentation saying they are authorized by the Regulators to perform the tests or that the testing will meet certain standards? Does the penetration testing requirement only apply to wired network or do we have to have penetration testing on the wireless as well?
Answer: 

Answer by Mary Beth Guard:

The Interagency Guidelines for Safeguarding Customer Information ("the InfoSec Guidelines") require each financial institution to put into place a program of appropriate administrative, technical and physical safeguards to protect customer information. Those safeguards may, depending upon the size of the institution, the nature of its information storage and usage, and other factors, include such things as intrusion detection systems, logical access controls and more. It is not enough to put those safeguards into place, however. The InfoSec Guidelines also require you to test the efficacy of the safeguards. Specifically, the Guidelines state that you should:

Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by your risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

This would include penetration testing of your network, trying to get around firewalls (software and hardware), and identifying weaknesses in passwords or other access codes.

Answer: 

Answer by Clayton Hoskinson:

To my knowledge there is no "authorization" from any federal or state regulatory agency for the pen-testing firms. Self-testing is possible, as long as the institution can convince their regulators that the testing that was done was independent of the operations unit who administers that part of the operation. As to your question on testing of wired or wireless networks, there is certainly no exemption from the testing requirement for either wired or wireless networks.

First published on BankersOnline.com 1/6/03