Your organization is planning for penetration testing to assess the security and privacy controls in organizational information systems. Which of the following is not the best timing to conduct penetration testing?
A. Before any newly developed system is authorized for operation
B. When legacy systems are undergoing a major upgrade.
C. After important changes are made to the environment in which the system operates.
D. When a well-known type of attack, rated as high risk, is retained in the risk register.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. When a well-known type of attack, rated as high risk, is retained in the risk register.
Organizations are more concerned about a newly discovered type of attack than about a well-known one. Moreover, if a risk is retained in the risk register (risk retention), the risk has been accepted, which is one form of risk treatment. That implies the penetration test has already been conducted, the discovered vulnerabilities and the associated risk have been further analyzed, the risk exposure has been determined, and the risk has been accepted.
For a newly developed system to be granted the authorization to operate (ATO), it’s not uncommon to include the penetration test result in the assessment report as part of the system authorization package.
Penetration testing exercises can be scheduled and/or random in accordance with organizational policy and organizational assessments of risk. Consideration can be given to performing penetration tests:
(i) on any newly developed information system (or legacy system undergoing a major upgrade) before the system is authorized for operation;
(ii) after important changes are made to the environment in which the information system operates; and
(iii) when a new type of attack is discovered that may impact the system.
Organizations actively monitor the information systems environment and the threat landscape (e.g., new vulnerabilities, attack techniques, new technology deployments, user security and privacy awareness and training) to identify changes that require out-of-cycle penetration testing.
Source: NIST SP 800-53A
- NIST SP 800-53A
- Rules of engagement
- Penetration Testing Rules of Engagement on Microsoft Cloud
- 5 pen testing rules of engagement: What to consider while performing Penetration testing
- Why Are Rules Of Engagement Important To My Penetration Test?
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.