adammontville / cis-controls-71-measures


Subcontrol 20.4 #173

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.

Measures

None provided

Metrics

None provided

apiperCIS commented 5 years ago

Question: Should this be testing that the Penetration Testing Program document requires that these tests be performed (that's the way I went with the proposal below)? Or, should it check to make sure that a pen test actually tested for these things? Or both?

Inputs

1) Penetration Testing Program document

Operations

1) Manually review the Penetration Testing Program document (Input 1) to determine if it requires tests to discover the following unprotected system information: network diagrams (M1), configuration files (M2), penetration test reports (M3), emails or documents containing passwords or other information critical to system operation (M4).

Measures

M1: binary value indicating if the Penetration Testing Program document requires tests to discover unprotected network diagrams; 1 if so, 0 if not
M2: binary value indicating if the Penetration Testing Program document requires tests to discover unprotected configuration files; 1 if so, 0 if not
M3: binary value indicating if the Penetration Testing Program document requires tests to discover unprotected penetration test reports; 1 if so, 0 if not
M4: binary value indicating if the Penetration Testing Program document requires tests to discover unprotected emails or documents containing passwords or other critical system information; 1 if so, 0 if not

Metrics

Penetration Testing Program Includes Tests for the Presence of Unprotected System Information and Artifacts: (M1 + M2 + M3 + M4) / 4