Control: The organisation conducts penetration testing [Assignment: organisation-defined frequency] on [Assignment: organisation-defined information systems or system components].
Supplemental Guidance: Penetration testing is a specialised type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organisational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organisations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organisations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organisations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organisational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing.
Related control: SA-12.
Penetration Testing Control Enhancements:
CA-8 (1) Penetration Testing - Independent penetration agent or team
The organisation employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
Supplemental Guidance: Independent penetration agents or teams are individuals or groups who conduct impartial penetration testing of organisational information systems. Impartiality implies that penetration agents or teams are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems that are the targets of the penetration testing. Supplemental guidance for CA-2 (1) provides additional information regarding independent assessments that can be applied to penetration testing.
Related control: CA-2.
CA-8 (2) Penetration Testing - Red team exercises
The organisation employs [Assignment: organisation-defined red team exercises] to simulate attempts by adversaries to compromise organisational information systems in accordance with [Assignment: organisation-defined rules of engagement].
Supplemental Guidance: Red team exercises extend the objectives of penetration testing by examining the security posture of organisations and their ability to implement effective cyber defences. As such, red team exercises reflect simulated adversarial attempts to compromise organisational mission/business functions and provide a comprehensive assessment of the security state of information systems and organisations. Simulated adversarial attempts to compromise organisational missions/business functions and the information systems that support those missions/functions may include technology-focused attacks (e.g., interactions with hardware, software, or firmware components and/or mission/business processes) and social engineering-based attacks (e.g., interactions via email, telephone, shoulder surfing, or personal conversations). While penetration testing may be largely laboratory-based testing, organisations use red team exercises to provide more comprehensive assessments that reflect real-world conditions. Red team exercises can be used to improve security awareness and training and to assess levels of security control effectiveness.