In today’s increasingly regulated business landscape, organisations across all industries are required to comply with a myriad of compliance standards and regulations relating to information security.
In many cases, penetration testing – a type of ethical hacking engagement designed to identify and address security vulnerabilities in networks, systems and applications – is required. Sometimes this requirement is specified directly, while in other cases it is implied by a need to build audit or assessment processes to mitigate cyber risk.
This blog identifies some of the most common pen testing standards and regulations and provides guidance about the type of testing required.
The one regulation that impacts almost all organisations which operate in European markets is the General Data Protection Regulation (GDPR). In the UK, the GDPR’s requirements are enshrined in the Data Protection Act 2018 (DPA 2018), ensuring they remain in place once the UK completes its withdrawal from the EU.
The GDPR covers all aspects of data protection, but among its many requirements is the need for organisations that handle personal data to improve information security and governance.
Specifically, GDPR Article 32 requires organisations to implement ‘A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of data processing’.
In online guidance, the Information Commissioner’s Office (ICO), the authority responsible for upholding data protection in the UK, recommends that organisations conduct GDPR penetration testing and vulnerability scanning on a regular basis, and crucially, ensure they address any risks identified. Given the GDPR’s focus on personal information, organisations need to ascertain where this data is stored, handled and processed to work out where testing is required.
Redscan advises that GDPR penetration testing should be conducted annually on internal and external infrastructure. Web app testing should also be carried out if the applications in question, including email, payroll and CRM systems, handle personal data.
ISO 27001, part of the ISO/IEC series of standards, is an international information security standard that outlines a framework of controls for Information Security Management Systems (ISMS). To become certified, organisations need to build a suite of security controls to identify and address security risks across their networks and ensure they meet changing security needs over time.
ISO 27001 requires organisations to apply controls in line with their own specific security risks. This means that no set of controls is mandatory, but the standard does outline an extensive list of best practice recommendations that should be considered.
Objective A.12.6.1 of ISO 27001 states that information about technical security vulnerabilities should be obtained in a timely fashion, exposure to these vulnerabilities evaluated and appropriate measures taken to address the associated risks.
Penetration testing is useful at multiple stages of an ISMS project, so organisations should look for a flexible ISO 27001 penetration testing provider that can tailor assessments to meet bespoke requirements. ISO pen tests can be performed as part of the risk assessment process (where risks are identified and analysed), the risk treatment plan (where controls are implemented and tested) or the continual improvement process.
The Payment Card Industry Data Security Standard (PCI DSS) is a minimum set of requirements designed to help businesses protect customer cardholder data. All organisations that accept or process online card payments are required to undertake annual PCI security audits to ensure compliance.
Requirement 11 of PCI DSS 3.2 specifically mandates the performance of regular penetration testing. Organisations that fall within the scope of PCI DSS must perform internal and external penetration testing at least annually, or after any significant changes to infrastructure.
PCI DSS penetration testing must include assessments of infrastructure and applications across the cardholder data environment (CDE), from both inside and outside the organisation’s network. Businesses should look for a PCI pen test provider that will help to identify issues such as unsafe configurations, poor access controls, encryption flaws and coding vulnerabilities.
NIS Directive & Regulations
The Network and Information Systems Directive, better known as the NIS Directive, or NIS Regulations in the UK, is a piece of pan-EU legislation designed to improve the security and resilience of critical infrastructure and services.
The NIS Directive applies to Operators of Essential Services (OES) like energy, transport, utilities and healthcare providers, as well as Relevant Digital Service Providers (RDSP) including online marketplaces, online search agencies and cloud computing services.
There is no specific requirement within the NIS Directive or NIS Regulations that mandates penetration testing, but for organisations to effectively manage security risk and protect against cyber-attacks, as specified under the conditions of Objectives A and B, processes to enable auditing, testing, assessment, inspection and verification are essential.
The ICO’s guide to NIS compliance draws parallels with the requirements placed on data controllers under the GDPR. While the NIS Directive does not go into the same depth on the specifics of testing, OESs and RDSPs would be best advised to follow testing procedures similar to those they use for the GDPR.
NHS DSP Toolkit
The Data Security and Protection Toolkit (DSP Toolkit) is an online self-assessment tool that helps organisations in the UK healthcare sector to benchmark their security against the National Data Guardian’s Data Security Standards (NDG Standards). NDG Standards apply to all organisations that handle health and social care information.
NDG Standard 9 dictates that a strategy must be in place to protect IT systems from cyber threats. This should include at least an annual penetration test, covering critical network infrastructure and web services.
NHS Digital guidance recommends that organisations tread carefully when scoping a test to prevent any adverse effects on assets being assessed. It is also recommended that organisations look for a provider that can holistically analyse their risk landscape and identify their top data security risks in line with requirement 9.4.3.
The SWIFT Customer Security Programme (CSP) is a framework designed to help improve the security of the SWIFT interbank communications system, as well as the financial institutions which rely on it to send and receive information about financial transactions.
The SWIFT CSP contains a range of mandatory and advisory controls designed to help organisations secure their environment, track and limit access and detect and respond to threats. Principle 2 of the CSP requires organisations to reduce their attack surface and manage vulnerabilities.
While the programme was initially designed to require a self-attestation of compliance, a recent update means it now requires an independent assessment providing evidence of the design, implementation and effectiveness of security controls.
The new testing requirements under SWIFT CSP v2020 are still in their infancy, but from 2021, SWIFT will begin to analyse these assessments, request additional evidence of compliance and share results with third parties.
Choosing a pen testing supplier
Wading through the many requirements of relevant security legislation can be daunting for any business, but it is important to recognise that testing requirements do not need to be dealt with independently. There are many commonalities between requirements and a good pen testing programme will cater to all those relevant to your business simultaneously.
Any organisation that requires penetration testing for compliance purposes should look for a flexible provider that understands the regulatory landscape and can tailor testing not just to the requirements of the latest pen testing standards, but also to the unique risk profile of the business.
Crucially, however, penetration testing shouldn’t be viewed as a tick-box exercise performed purely for the sake of compliance. Penetration testing should be a critical element of all organisations’ security programmes, performed as regularly as possible to keep up with the fast-evolving threat landscape.
Why choose Redscan?
Redscan is an award-winning provider of security assessment, threat detection and incident response services. Our range of CREST-approved ethical hacking engagements helps organisations to effectively manage cyber security risk by identifying, safely exploiting and helping to remediate vulnerabilities across their environments.
Whether you’re looking for infrastructure testing, wireless testing, web app testing or social engineering, our team has the skills and experience to build a testing programme that best suits your requirements, with tailored compliance reporting to meet your needs.