Body
Issue/Question
What is the USD security policy for Penetration Testing
Environment
Cause
Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity
Resolution
Penetration Testing
Policy Statement: The University recognizes the importance of regularly conducting penetration testing to identify and mitigate security vulnerabilities in its information systems and networks. This policy establishes guidelines for conducting penetration tests to assess the effectiveness of security controls and enhance the overall cybersecurity posture.
Policy Implementation:
- Scope and Objectives:
  - The University will define the scope and objectives of penetration testing activities, including the systems, networks, applications, and assets to be tested.
  - Penetration testing objectives should align with the University's risk management strategy and compliance requirements.
- Authorized Testing Methods:
  - Penetration testing activities should be conducted using authorized methods and techniques, including network penetration testing, web application testing, wireless network testing, and social engineering assessments.
  - Testing methods should be selected based on the specific goals of the assessment and the nature of the systems and networks being tested.
  - Both internal penetration tests (conducted from within the University network) and external penetration tests (conducted from outside the network perimeter) should be performed.
- Testing Frequency:
  - The University will establish a regular schedule for conducting penetration tests, taking into account factors such as changes in the IT environment, system upgrades, and emerging threats.
  - Penetration tests should be conducted at least annually, or more frequently as needed based on changes in risk factors or significant system changes.
- Qualified Testing Teams:
  - Penetration tests should be performed by qualified and experienced testing teams with expertise in ethical hacking, security assessments, and vulnerability analysis.
  - Testing teams should adhere to professional standards and ethical guidelines, including obtaining appropriate authorization and consent before conducting tests.
- Reporting and Remediation:
  - Following the completion of penetration testing activities, a detailed report should be prepared documenting the findings, the vulnerabilities discovered, and recommendations for remediation.
  - Identified vulnerabilities should be prioritized based on severity and potential impact, and remediation plans should be developed and implemented promptly.
Compliance and Enforcement: All members of the University community involved in penetration testing activities are responsible for adhering to this policy and following established procedures.
Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of penetration testing practices.
This policy provides a framework for implementing CIS Control 18 within a university environment, focusing on conducting regular penetration tests to identify and remediate security vulnerabilities and enhance the overall cybersecurity posture.
Please contact the Service Desk if you need further assistance