Pen Testing Increasingly Required for Regulatory Compliance
Penetration testing is a critical element of modern cybersecurity practices, designed to give you a hacker’s perspective of your network security controls. More than three-quarters of IT professionals say they rely on the practice to reveal security weaknesses.
In a pen test, security professionals conduct an ethical hacking exercise in which they launch simulated attacks on your network to illustrate how would-be attackers would likely exploit any weaknesses. These tests are increasingly required to satisfy the mandates of a variety of government and industry regulations. These are some of the most notable regulations that might impact your organization:
The General Data Protection Regulation (GDPR)
The European Union’s data privacy law impacts how companies worldwide collect and handle personal data about European customers. Among the GDPR’s requirements is a provision requiring organizations to implement processes for regularly testing, assessing and evaluating data security measures. Although pen testing isn’t specifically mentioned, the regulatory agency that administers GDPR provides online guidance recommending pen tests on a regular basis.
The Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS, mandated by Visa, MasterCard and other card issuers, establishes essential data protection measures for all merchants that store, process or transmit cardholder data. Requirement 11.3 states that comprehensive pen testing should be performed at least annually and any time there is a “significant infrastructure or application upgrade or modification.”
The Gramm-Leach-Bliley Act
The GLBA is a federal law that requires financial institutions to inform their customers about how they share and safeguard customer information. A December 2021 update to the law explicitly requires institutions to perform annual pen testing of their systems, in addition to at least semi-annual vulnerability assessments.
The Health Insurance Portability and Accountability Act (HIPAA)
Any healthcare organization that creates, stores, transmits or receives health information in any electronic format must comply with HIPAA security guidelines. Although those guidelines do not specifically mandate pen testing, they do suggest pen tests as a recommended method for performing a required security risk analysis.
Security standards for medical devices remain a work in progress, but the Food and Drug Administration has adopted UL 2900-2-1 as a “consensus standard” for premarket certification of medical devices. The standard calls for structured pen testing as part of a regular evaluation of device security. The National Institute of Standards and Technology (NIST), the Institute of Electrical and Electronics Engineers (IEEE) and the National Telecommunications and Information Administration (NTIA) also recommend pen testing for medical devices.
International Organization for Standardization 27001
The ISO 27001 standard outlines a series of controls for establishing and maintaining an information security management system. While pen testing isn’t mandatory to achieve ISO 27001 certification, it is considered a best-practice procedure for validating the effectiveness of security controls.
NIST Cybersecurity Framework (CSF)
The NIST CSF is not a regulation, but a voluntary framework of standards, guidelines and best practices for managing cybersecurity risk. In 2021, NIST updated the guidelines to recommend the regular use of pen tests and network security assessments to maintain “situational awareness” of potential threats.