adammontville / cis-controls-71-measures


Subcontrol 20.2 #171

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.

Measures

None provided

Metrics

None provided

apiperCIS commented 5 years ago

Inputs
1) Penetration Testing Report for most recent external penetration test
2) Penetration Testing Report for most recent internal penetration test
3) Penetration Testing Program document

Operations
1) Examine the Penetration Testing Reports (Inputs 1 and 2) to determine the dates that the most recent penetration tests of each type (external and internal) occurred. Examine the Penetration Testing Program document (Input 3) to determine how frequently the organization is required to conduct external and internal penetration tests, and use those required time frames to determine if the most recent external penetration test was within the required time frame (M1) and if the most recent internal penetration test was within the required time frame (M2).
2) Manually review the Penetration Testing Reports to confirm that they contain any discovered vulnerabilities and attack vectors that can be used to successfully exploit the organization's systems (M3); or, if none were successful, verify that the documentation describes those that were attempted but were unsuccessful.

Measures
M1: binary value indicating if the most recent external penetration test was within the required time frame; 1 if so, 0 if not
M2: binary value indicating if the most recent internal penetration test was within the required time frame; 1 if so, 0 if not
M3: binary value indicating if the Penetration Testing Reports contain discovered vulnerabilities and attack vectors that were successful against the organization's systems; 1 if so, 0 if not

Metrics
Both types of penetration test conducted regularly: M1 and M2
Reports document discovered vulnerabilities: M3
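The operations and measures above can be run mechanically once the three inputs are reduced to structured records. The following is an added worked example, not code from this repository or from CIS: it computes M1, M2 and M3 and the two metrics for a fixed assessment date. The record layouts (`PenTestReport`, `PenTestProgram`), the reduction of the program document to a required interval in days, the sample reports, and the choice to let documented unsuccessful attempts satisfy M3 when nothing succeeded (per Operation 2) are all assumptions of this example.

```python
"""Worked computation of CIS sub-control 20.2 measures (M1, M2, M3).

Added illustration only. Record layouts and sample data are constructed
assumptions, not CIS artifacts.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class PenTestReport:
    """One Penetration Testing Report (Input 1 or 2). Field names are assumed."""
    scope: str                         # "external" or "internal"
    completed: date                    # date the engagement finished
    successful: List[str]              # vulnerabilities / attack vectors that worked
    attempted_unsuccessful: List[str]  # documented attempts that did not work


@dataclass
class PenTestProgram:
    """Penetration Testing Program document (Input 3), reduced to the required
    testing frequency per scope, in days. Field names are assumed."""
    external_interval_days: int
    internal_interval_days: int


def most_recent_report(reports: List[PenTestReport], scope: str) -> Optional[PenTestReport]:
    """Operation 1: the most recent report of the given scope, or None if there is none."""
    matching = [r for r in reports if r.scope == scope]
    return max(matching, key=lambda r: r.completed) if matching else None


def within_required_window(report: Optional[PenTestReport], interval_days: int, as_of: date) -> int:
    """M1 / M2: 1 if the most recent test of this scope completed no more than
    interval_days before as_of; 0 if it is older or no report exists at all."""
    if report is None:
        return 0  # a missing report can never be "within the required time frame"
    return 1 if as_of - report.completed <= timedelta(days=interval_days) else 0


def reports_document_findings(reports: List[PenTestReport]) -> int:
    """M3 following Operation 2: 1 if any report documents successful
    vulnerabilities/attack vectors, or, when none succeeded, every report
    documents what was attempted and failed; 0 otherwise.
    (Letting the unsuccessful-attempts case satisfy M3 is an assumption.)"""
    if any(r.successful for r in reports):
        return 1
    if reports and all(r.attempted_unsuccessful for r in reports):
        return 1
    return 0


def measure_20_2(reports: List[PenTestReport], program: PenTestProgram, as_of: date) -> Dict[str, int]:
    """Compute M1, M2, M3 and the two metrics for a given assessment date."""
    external = most_recent_report(reports, "external")
    internal = most_recent_report(reports, "internal")
    m1 = within_required_window(external, program.external_interval_days, as_of)
    m2 = within_required_window(internal, program.internal_interval_days, as_of)
    m3 = reports_document_findings(reports)
    return {
        "M1": m1,
        "M2": m2,
        "M3": m3,
        # "Both types of penetration test conducted regularly: M1 and M2"
        "tests_conducted_regularly": m1 & m2,
        # "Reports document discovered vulnerabilities: M3"
        "reports_document_vulnerabilities": m3,
    }


# Constructed sample inputs (assumed, not from any real engagement).
SAMPLE_PROGRAM = PenTestProgram(external_interval_days=365, internal_interval_days=365)
SAMPLE_REPORTS = [
    PenTestReport("external", date(2020, 1, 15),
                  successful=["exposed admin interface with default credentials"],
                  attempted_unsuccessful=["password spraying against VPN portal"]),
    PenTestReport("internal", date(2019, 3, 10),
                  successful=[],
                  attempted_unsuccessful=["NTLM relay to file servers"]),
]

if __name__ == "__main__":
    # Internal test is 449 days old on the assessment date, so M2 = 0 and the
    # "conducted regularly" metric fails even though the external test passes.
    print(measure_20_2(SAMPLE_REPORTS, SAMPLE_PROGRAM, date(2020, 6, 1)))
```

Passing `as_of` explicitly rather than reading the clock keeps the assessment reproducible; an assessor re-running the measure against the same evidence later gets the same answer.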