Regulations that govern business activities in industries such as finance, trade, healthcare, transportation and energy usually contain provisions related to cybersecurity. Their purpose is to make organizations accountable for protecting sensitive information from intruders. Some laws and standards contain specific provisions and recommendations, while others state their requirements rather vaguely. In this article, we will discuss how a penetration test can support standardization or compliance, and look at several laws and standards in the context of penetration testing.
Why is pen testing so crucial for compliance?
A penetration test is carried out to demonstrate how effective an enterprise's cybersecurity system is at the current time. In this way, an organization can accurately find out:
- whether the infrastructure is secure, or whether it contains security vulnerabilities;
- if vulnerabilities exist, how attackers can exploit them;
- whether intruders can gain control over the activities of the enterprise;
- what damage attackers can potentially cause;
- what effective actions the organization can take to detect unauthorized access and prevent data leakage.
Accordingly, such diagnostics provide assurance sufficient to confirm that the mandatory security measures are in place and effective, which in turn can serve as a prerequisite for standardization or for demonstrating compliance.
Prescriptive and descriptive compliance framework: what is the difference?
Prescriptive regulations contain a precise description of what needs to be done, together with clear criteria and schemes for assessing whether the requirements are met. Thus, you can easily understand whether you need to conduct a penetration test or organize other infrastructure security testing activities in your organization. Regulations of this type include:
- PCI DSS;
Descriptive regulations usually contain a general description and recommendations about what should be done and what goals the organization should achieve. How this is implemented is left for the organization to determine itself. Examples of such regulations are:
- SOC 2;
- ISO 27001;
Pentest for regulatory compliance: requirements for compliance frameworks
Below, we briefly review some well-known laws and standards that require penetration testing in one way or another.
SOC 2 (System and Organization Controls 2) is an auditing standard applied to IT service businesses to check how they handle data privacy. The term refers both to the standard itself and to the report, a document that describes the company's controls and assesses how effective those controls are.
The main requirement for SOC 2 compliance is to conduct several independent security assessments: these can be both a penetration test and an audit of the organization's cybersecurity system. The standard is not mandatory, unlike, for example, PCI DSS; however, it is widely adopted internationally as confirmation that the company properly cares about data security.
There are two types of SOC 2 reports:
- Type 1 — represents an assessment of the organization’s cybersecurity system at a specific point in time;
- Type 2 — evaluates the security system within 3–6 months, and sometimes even within 12 months.
PCI DSS (Payment Card Industry Data Security Standard) is a standard required for commercial organizations that process, store or transmit credit card data. PCI certification is the most widely used standard of its kind worldwide and is a mature way to ensure cardholder data security.
To determine whether your card processing system is secure, a penetration test must be performed. This procedure is of paramount importance for PCI DSS compliance, as you can see from the standard's structure, which defines four compliance levels:
- Level 1: the highest level, at which the organization is scrutinized most closely. It applies to companies that process more than 6 million transactions per year or have suffered a data leak. Among other security requirements, this level mandates a quarterly vulnerability scan and an annual penetration test.
- Level 2: applies to any company that processes between 1 and 6 million transactions per year. At this level, the standard requires quarterly security scans by an Approved Scanning Vendor (ASV scans), as well as completion of the Self-Assessment Questionnaire (SAQ).
- Level 3: designed for businesses that process between 20,000 and 1 million transactions per year. The testing requirements are the same as for Level 2.
- Level 4: applies to companies that process up to 20,000 transactions per year. It is highly recommended that the company conduct an ASV scan and also complete the Self-Assessment Questionnaire (SAQ).
HIPAA (Health Insurance Portability and Accountability Act) is a federal law that is the only standard of its kind in the United States for protecting health information from unauthorized access. The law itself does not state that a penetration test must be conducted, but it requires many checks that, as a rule, are carried out during a penetration test.
HIPAA addresses the following aspects of data security:
- Organizational and legal: the company must have the necessary policies and procedures covering access management, incidents and risks, and must define the procedure for handling emergency situations, etc.
- Physical security: the actual physical protection of the system's infrastructure.
- Technical security: protection of the system from unauthorized access to, disclosure of, or damage to information.
ISO/IEC 27001 is an international standard that, among other things, organizations use to establish and implement an information security management system (ISMS). ISO 27001 has two parts:
- Body — strategy, the main part of the standard;
- Annex A — a list of 114 controls that can be applied to an organization.
This level of detail makes ISO 27001 a comprehensive framework that can be applied to many organizations, which explains the standard's popularity. As part of ISO 27001 standardization, every company must conduct penetration tests to ensure that the security measures taken are effective. You can read more about certification in our separate article.
GDPR (General Data Protection Regulation) is a set of legal rules passed in the European Union (EU) with international reach. In essence, this law protects the personal data of EU citizens from unauthorized storage and use, and it can apply to organizations anywhere in the world that store or process personal data of EU citizens.
Accordingly, to ensure the security of personal data, a company must take care of the physical and technical security of its infrastructure. Although the GDPR is a rather voluminous regulation, it contains no specific technical guidance on how to meet its requirements; the company must determine how to implement them.
A penetration test is crucial for GDPR compliance, because this procedure checks whether the organization has really ensured proper data security, or whether attackers can still penetrate the system.
How to conduct penetration testing for compliance?
As you have seen, a penetration test is a necessary procedure if you plan to standardize business processes in your organization, or if you want your company to comply with HIPAA or another law or regulation.
These procedures go hand in hand, and carrying them out will give you a clear understanding of your company's cybersecurity capabilities, which in turn allows you to give information security guarantees to your business partners and customers.
If you have questions regarding penetration testing, certification and compliance, we will be happy to provide you with the relevant services. Contact us today to learn more about our offer.