Below is a list of a few of our services that meet or exceed compliance testing requirements. If the compliance standard you are looking for is not listed here, it’s likely we haven’t performed testing services for a client seeking that particular standard as of yet. It’s likely that one, or more, of our services, could meet the standard, though. Contact Us
An “important way to identify technical vulnerabilities in information systems is through information systems security testing.”
“Technical testing helps reveal security flaws or weaknesses in information systems and includes but is not limited to configuration setting validation, vulnerability assessment, and penetration testing.”
“The basic elements of any program should consist of developing a security policy, performing vulnerability assessments, establishing a network monitoring program, and performing periodic penetration testing.”
“Internal and external network vulnerability scans run at least quarterly [and internal and external penetration testing performed at least annually] and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).”
“The information security officer and the information system auditor should undertake periodic penetration tests of the system” which can “be carried out by engaging outside experts.”
“Internal and external vulnerability scans are [to be] performed quarterly and annually and their frequency adjusted as required to meet ongoing and changing commitments and requirements” and “periodically undertake threat and vulnerability testing, including security penetration and web vulnerability and resilience.”
Most compliance standards require additional analysis and documentation beyond the security testing. PEN Consultants provides testing services to verify both technical and non-technical defensive controls, detections, processes, etc., and provide attestation for such. Ultimately, you would perform any non-testing requirements (policy and process review, architecture diagrams, documentation, checklist, etc.), submit the required paperwork, and obtain acceptance of compliance. If needed, PEN Consultants can connect you with a 3rd party compliance and audit service provider to assist with those other elements and the process in general.
*PCI is the only current standard that requires a portion of the required testing to be performed by ASV (Approved Scanning Vendor) – namely the external network vulnerability scan. PEN Consultants directly performs all testing with the exception of the external network vulnerability scan, for which we partner with a 3rd party ASV to perform. This provides a convenient and cost effective solution for your organization.