adammontville / cis-controls-71-measures


Subcontrol 20.6 #175

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

Measures

None provided

Metrics

None provided

apiperCIS commented 5 years ago

Internal note (does not need to be included in spec): While we could take this proposal in the direction of ensuring that each result or scan has a corresponding pen test, I didn't think that was the way to go. Not all vuln scans would necessarily translate into a viable test. Please let me know if you disagree.

Inputs

1) Penetration Testing Program document

Operations

1) Manually review the Penetration Testing Program document (Input 1) to verify that it instructs the organization to use vulnerability scan results to inform penetration testing efforts. The presence or absence of this instruction becomes M1.

Measures

M1: boolean value indicating if the Penetration Testing Program document includes instructions for using vulnerability scan results to inform penetration testing efforts

Metrics

Presence or absence of instructions to use vulnerability scan results to inform penetration testing efforts: M1