Modern businesses operate in a dynamic regulatory environment. As data security and privacy have become mainstream concerns, compliance requirements have continued to grow. Alongside governments, sector-specific regulators and industry bodies now issue laws, standards and regulations that organizations must comply with, and some of them prescribe fines for failing to protect data from cyber-attacks. GDPR, for example, allows fines of up to 10 million euros or 2% of global annual turnover, whichever is higher; for the most serious infringements the ceiling rises to 20 million euros or 4% of global annual turnover. This article examines whether conducting a penetration test can help your business fulfil its compliance requirements.
What is penetration testing?
NIST describes penetration testing as a security testing methodology in which assessors attempt to identify and exploit vulnerabilities in a system in a controlled manner, within an agreed scope and rules of engagement so that the test does not disrupt production systems. A penetration test can also be used to gauge the extent of the damage an attacker could cause by successfully exploiting those vulnerabilities. From a compliance point of view, a penetration test conducted by an independent third party provides validation of your company's security posture, and the resulting report serves as evidence that the organization has exercised the due diligence required to keep that posture strong.
Role of penetration testing in security compliance
Cybersecurity regulations are designed to hold organizations accountable for their security practices. An organization may have to fulfil compliance obligations under laws such as GDPR and HIPAA, standards and attestation frameworks such as ISO 27001 and SOC 1 and SOC 2, and industry-specific requirements such as PCI DSS.
While most regulations only imply that penetration tests should be conducted, PCI DSS names them explicitly as a means of evaluating an organization's security posture. Requirement 11.3 of PCI DSS v3.2.1 (renumbered as Requirement 11.4 in PCI DSS v4.0) requires organizations that store, process or transmit payment card data to implement a penetration testing programme based on an industry-accepted methodology. We have discussed the PCI DSS penetration testing requirements in detail here.
PCI DSS stands for Payment Card Industry Data Security Standard. It is maintained by the PCI Security Standards Council, founded by Visa, Mastercard and American Express among others, to define a common standard for handling payment card data. Unlike most other regulations and laws, PCI DSS is explicit and detailed about penetration testing. Beyond Requirement 11.3 discussed above, Requirements 11.3.1 and 11.3.2 make it mandatory to conduct external and internal penetration tests at least annually and after any significant infrastructure or application change. Requirement 11.3.3 requires that exploitable vulnerabilities found during a penetration test are corrected and that testing is repeated to verify the corrections, and Requirement 11.3.4 requires that any network segmentation used to isolate the cardholder data environment is itself tested to confirm it is effective. In PCI DSS v4.0 these obligations appear as Requirements 11.4.1 through 11.4.5.
The General Data Protection Regulation (GDPR) is the EU's data protection framework; it gives individuals in the EU extensive rights over their personal data. GDPR does not mention penetration testing by name, but Article 32(1)(d) requires a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures that ensure the security of processing. The UK Information Commissioner's Office (ICO) has recognized vulnerability scanning and penetration testing as ways of checking the effectiveness of an organization's security measures.
The Health Insurance Portability and Accountability Act (HIPAA) is a US law that sets national standards for protecting patients' sensitive health information. Like GDPR, HIPAA does not mention penetration testing explicitly. However, § 164.308(a)(8) of the HIPAA Security Rule requires a covered entity to perform a periodic technical and non-technical evaluation of the safeguards that protect electronic protected health information (ePHI). NIST Special Publication 800-66 Revision 1 (2008), An Introductory Resource Guide for Implementing the HIPAA Security Rule, suggests penetration testing as one way of carrying out the technical part of that evaluation.
ISO/IEC 27001 is a globally recognized information security standard that defines the requirements for an information security management system (ISMS). In the 2013 edition, Annex A control A.12.6.1 (management of technical vulnerabilities) requires organizations to obtain information about technical vulnerabilities in the systems they use in a timely fashion, evaluate their exposure to those vulnerabilities, and take appropriate measures to address the associated risk; the 2022 revision of the standard carries the same control as A.8.8. A penetration test is strong evidence that exposure has been evaluated, but the control also expects an ongoing vulnerability management process, so a pentest supports this requirement rather than discharging it on its own.
There are two main SOC reports: SOC 1 and SOC 2. SOC 1 covers controls relevant to a user entity's internal control over financial reporting, while SOC 2 covers controls relevant to the security, availability, processing integrity, confidentiality and privacy of the systems a service organization uses to process customer data. Two of the SOC 2 Trust Services Criteria are relevant here. CC4.1 lists penetration testing among the types of separate evaluation an entity may use to monitor its controls, and CC7.1 expects an entity to use detection and monitoring procedures to identify configuration changes that introduce new vulnerabilities and susceptibility to newly discovered ones. An auditor can ask for a penetration test report while assessing your organization against these criteria.
So far we have seen that penetration tests are either explicitly required, as in PCI DSS, or are the accepted way to satisfy the testing and evaluation obligations of the other frameworks, so an implied rather than explicit mention does not make them optional. At the same time, a penetration test is not the only exercise an organization needs; it is one of several activities, alongside vulnerability management, monitoring and remediation tracking, that together demonstrate compliance with a cybersecurity regulation. As the number of regulations grows, organizations can consider simplifying their security testing with penetration testing platforms like BreachLock, which combines AI, automation and human pentesters to deliver fast and comprehensive pentests at scale. Schedule a pentesting assessment now.