Compliance is one of the most important aspects an organization needs to address. This means the company and its employees follow strict guidelines that can be external, due to regulations, laws, and industry standards; as well as can be internal, in the form of policies and ethical requirements set by the business or organization itself. In IT security a company seeks compliance for a variety of reasons: requiring the observance of a set of norms and procedures designed to reduce security liabilities and protect digital assets from cyber threats, or it might be the need to seek adherence to data protection standards determined by external regulatory bodies. That said, compliance requires everybody’s effort in a company, from management down. Not only leaders need to decide on, support and enforce regulations, but they also need to be involved in security decisions and understand risks and concerns so that they can allocate the proper budget for the acquiring of today’s effective tools in support of safeguard efforts.
One of the means that a company has at its disposal is penetration testing. Often regarded as a simple vulnerability research project, pen-testing can be a formidable ally in some companies adhering to regulations or are subject to compliance. Pen testing comes in different forms: it can be performed by ad-hoc internal teams that periodically run a series of test in order to assess the resilience of systems and staff to attacks, but it can also be outsourced to professional ethical hackers’ teams, a third-party who would be tasked to attack the systems and company in general just like any malicious hackers would.
So, how can pen testing help an organization reach compliance?
Ten Reasons to Pen-Test for Compliance
Meet data security regulation mandates and avoid fines.
First, pen testing is mandated by many industry-specific regulations, especially regarding technical, financial or healthcare institutions. In the payment card industry, for example, PCI-DSS regulations mandate both an annual and ongoing penetration testing after any system changes; when that occurs, both network and application layer pen testing are to be done. SOX (the Sarbanes–Oxley Act of 2002) and HIPAA (the Health Insurance Portability and Accountability Act) also require an annual penetration test from a third party. Similar provisions are requested by other data protection standards, like GLBA, FISMA, and OWASP. The international information security standard ISO 27001 also has pen testing in its guidelines. In EU, the General Data Protection Regulation (GDPR), comes into force this year on 25 May 2018; with it, the recommendation to include regular testing to assess the resilience of applications and critical infrastructure, all to aid the discovery of security vulnerabilities and to try the effectiveness of the security controls. In many cases, companies risk fines for noncompliance. Penetration tests, therefore, help comply with regulatory bodies.
Realize what is wrong and what is needed.
To meet regulatory compliance policies, it is essential to understand, first, where are the weaknesses in the IT infrastructure and environment, to identify which fixes must be applied. Pen testing can help by making companies understand what they need to strengthen their security defenses. A simple vulnerability assessment using technical tools is not enough to test systems against all the possible options of exploitation that malicious hackers have. Pen testing adds human ingenuity to technical discovery measures and is an invaluable way to assess the needs of an organization regarding IT security. In fact, pen testers can not only address vulnerabilities before they can be utilized by hackers but can help fixing them too by providing ad hoc recommendations.
Produce reports that management can use to justify budget decisions.
Once security needs are identified, it is not over. Expenses need to be entirely justified and a proper budget allocated. Hard data from successful pen testing intrusions and ethical hackers’ report can substantiate proposals of IT departments and can justify additional expenses in the eyes of management. Rather than citing data breach statistics (although important and compelling too), showing strong, real evidence that intrusions are possible and give potential solutions might be the right key for IT security managers to secure investments.
Test if existing measures are working.
Pen testing is also a great tool to measure the effectiveness of any new measures, policies, and procedures implemented in an organization. Moreover, that is the reason why many regulatory standards recommend (or mandate) a security assessment after any new addition or change to a company’s security program. In a perfect world, security budgets would be unlimited, but this is hardly the case. Security budgets are already stretched to the limit normally, and companies need to focus only on means that truly boost their security and therefore help them meet compliance regulation. Relevant metrics are important when determining the effectiveness of programs and tools and comparing pen testing reports can give an idea of any progress made after new implementations.
Understand if awareness is needed.
Pen testing is one of the most effective ways to assess if staff is following procedures and policies and what are the possible gaps in their IT security training. Pen testers can employ social engineering tactics and exploit human weaknesses to get employees to fall for phishing attempts or lure them into clicking malicious links. Having a look at how employees respond to such threats in a controlled environment is invaluable and supports compliance by making sure awareness programs are tailored to the specific needs of the company.
Show the consequences.
Compliance is also data availability. Simply exploring the possible impact an intrusion could have on a company is nothing compared to seeing first-hand just how data could be compromised, which could become inaccessible, and, in general, terms, what it really feels like to have systems not working correctly. It is also important to check response times of available staff, i.e., the average time needed to bring the systems back up or regain access to data, plus the reactions by employees to threats as well as testing if the procedures in place are effective and everyone is ready to apply them. Having a front-row look at all this can be ensured by a penetration testing effort, especially when conducted in an unannounced way by an external team.
Helps an organization prioritize risks.
Pen testing can also help understand what the priorities for an organization are; once an event has been simulated and the possible consequences identified, a step forward is necessary. It might not be possible to secure all areas of the network at once for a variety of reasons, including cost. Pen testing can help assess the worst-case scenarios and what are the assets more at risk and, above all, helps management focus on which areas to concentrate efforts on. It can help during risk assessment exercises by executives that, by having a realistic look at an incident (albeit simulated), can better determine how much risk they are willing to take and that the company can withstand without catastrophic consequences.
Fine tune effective policies and internal guidelines.
As many regulatory standards prescribe the need for effective security policies that address information security, pen testing can test their efficacy by trying intrusions that will test end users’ response and their adherence to the policy-mandated procedures. This helps identify employees’ non-compliance but also goes along with the required updates and additions to the documents. In many organizations, the number of guidelines to follow, internal notices and regulations are often overwhelming for employees. Although security is important and end users do need to be made aware of the proper use of the digital assets they are entrusted, bombarding them with documents is not a viable option. Pen testing can help fine-tune regulations already in place and test their effectiveness giving a company and its information technology security staff invaluable information for the preparation of streamlined documents that can really address security concerns and related mandatory actions for the workforce.
Proves the effectiveness of amenable requirements.
Pen testing can help compliance by validating existing security controls or defenses. Often, in fact, regulatory standards also prescribe the utilization of specific technical tools such as firewalls and antivirus as well as measures for the physical and digital protection of data. Pen testing can help show, for example, that firewalls are maintained and are effectively preventing intrusions or that strong passwords are enforced for all users; it can prove that access to customers’ data is granted on a need-to-know basis, that different classification and access types are applied, and that data are highly protected in general.
Can help develop staff.
It might be counterintuitive, but pen testing can help with compliance by showing an organization critical gaps in the staff’s knowledge. A pen testing effort could, for example, uncover security flaws enabling
staff to work repairing and securing any of the issues and vulnerabilities. By highlighting mistakes, especially when repetitive, it helps staff further their knowledge and prevent future mistakes. A more attentive staff helps keeping compliance in check.
These are all good reasons to make sure pen-testing occurs on an on-going basis to maintain a secure environment as it changes and evolves to meet business or compliance demands.
Compliance is one of the greatest concerns for companies of any size today. From strict regulatory standards to clients’ demands, every business or organization is asked to adhere to stringent regulations to protect the sensitive data they collect and process daily. Many are the tools at the disposal of IT security managers to meet this demand, and pen testing is one of the most effective. Other than being simply listed as one of the requirements or recommendations in many standards, a pen test is also an effective tool for managers to get a true insight in their systems and in their ability to withstand a variety of attacks.
Pen testing can help meet many of the compliance demands, from tailoring effective policies to justifying a proper budget to verifying the presence and effectiveness of tools required by industry regulatory requirements. By allowing staff to see first-hand the consequences of a breach in a realistic but controlled environment gives companies the insight necessary to strengthen their security posture in a budget-conscious way and withstand the severity of any audits by regulatory bodies. However, mainly, specify penetration testing gives them the resilience to survive in an environment that affords more and more dangers as technology advances while ultimately earning the trust and confidence of their clients.
Brecht, D. (2016, November 30). Pros and Cons in Penetration Testing Services: The Debate Continues. Retrieved from http://resources.pentestingexpertsinstitute.com/pros-and-cons-in-penetration-testing-services-the-debate-continues/
Chapple, M. (2007, July). Are penetration tests essential for enterprise network security?
Fahey, R. (2017, August 29). Security Awareness Compliance Requirements: Understanding Regulatory Mandates. Retrieved from
PentestingExperts Institute. (n.d.). Hacking & Pen Testing. Retrieved from
National Institute of Standards and Technology. (2008, September). SP 800-115: Technical Guide to Information Security Testing and Assessment. Retrieved from
Ollmann, G. (2016, November 28). What is a Pentest? Retrieved from https://www.ablativesecurity.com/single-post/2016/11/28/What-is-a-Pentest
Rothman, M. (2008, May). Penetration testing: Helping your compliance efforts. Retrieved from http://searchsecurity.techtarget.com/tip/Penetration-testing-Helping-your-compliance-efforts
SANS Institute Reading Room. (2002). Penetration Testing – Is it right for you? Retrieved from https://www.sans.org/reading-room/whitepapers/testing/penetration-testing-you-265
Sullivan, K. (2018, January 18). A Step-by-Step Guide to Data Security Compliance by Industry. Retrieved from http://resources.pentestingexpertsinstitute.com/step-step-guide-data-security-compliance-industry/
Swift, D. (2010, November 24). A Compliance Primer for IT Professionals. Retrieved from https://www.sans.org/reading-room/whitepapers/compliance/compliance-primer-professionals-33538
The PTES Team. (2017, February 8). The Penetration Testing Execution Standard Documentation, Release 1.1. Retrieved from https://media.readthedocs.org/pdf/pentest-standard/latest/pentest-standard.pdf