The majority of compliance standards and guidelines do not specifically call for security testing (e.g. vulnerability scanning, penetration testing). Instead, they use language such as: identify vulnerabilities, assess the risk of discovered vulnerabilities, and provide appropriate measures to protect against threats.
These requirements are typically interpreted (by auditors, for example) as requiring some form of security testing. The testing that most commonly satisfies compliance requirements consists of the following services we offer:
- Network Vulnerability Scanning
- Network Vulnerability Assessment
- Web Application Vulnerability Scanning
- Web Application Vulnerability Assessment
Depending on the specific compliance standard you are working towards, and the rigor your auditor requires, the following, more thorough testing services we offer may be needed to meet the assessment requirements.
- Network Security and Penetration Testing
- Wireless Security and Penetration Testing
- Web Application Security and Penetration Testing
Below is a list of a few compliance standards whose testing requirements our services meet or exceed. If the compliance standard you are looking for is not listed here, it is likely that we have not yet performed testing services for a client seeking that particular standard. It is still likely that one or more of our services could meet the standard, though. Contact Us to discuss.
- CIS Controls – “organizations should periodically test their defenses to identify gaps and to assess their readiness by conducting penetration testing.” [Source]
- FFIEC – “Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external facing systems and the internal network.” [Source]
- GDPR – “Implement appropriate technical and organisational measures to protect systems, technologies and digital services that process personal data from cyber-attack” and “undertake regular testing to evaluate the effectiveness of your security measures, including virus and malware scanning, vulnerability scanning and penetration testing as appropriate.” [Source]
- HIPAA – An “important way to identify technical vulnerabilities in information systems is through information systems security testing.” [Source]
- HITRUST – “Technical testing helps reveal security flaws or weaknesses in information systems and includes but is not limited to configuration setting validation, vulnerability assessment, and penetration testing.” [Source]
- NCUA – “The basic elements of any program should consist of developing a security policy, performing vulnerability assessments, establishing a network monitoring program, and performing periodic penetration testing.” [Source]
- PCI DSS – “Internal and external network vulnerability scans run at least quarterly [and internal and external penetration testing performed at least annually] and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).” [Source]
- Note: PCI is the only current standard that requires a portion of the required testing to be performed by an ASV (Approved Scanning Vendor), namely the external network vulnerability scan. PEN Consultants directly performs all testing with the exception of the external network vulnerability scan, which we partner with a third-party ASV to perform. This provides a convenient and cost-effective solution for your organization.
- RBI – “The information security officer and the information system auditor should undertake periodic penetration tests of the system” which can “be carried out by engaging outside experts.” [Source]
- SOC 2 – “Internal and external vulnerability scans are [to be] performed quarterly and annually and their frequency adjusted as required to meet ongoing and changing commitments and requirements” and “periodically undertake threat and vulnerability testing, including security penetration and web vulnerability and resilience.” [Source]
* Most compliance standards require additional analysis and documentation beyond the security testing. PEN Consultants provides testing services to verify both technical and non-technical defensive controls, detections, processes, etc., and provides attestation for them. Ultimately, you would perform any non-testing requirements (policy and process review, architecture diagrams, documentation, checklists, etc.), submit the required paperwork, and obtain acceptance of compliance. If needed, PEN Consultants can connect you with a third-party compliance and audit service provider to assist with those other elements and the process in general.