CISSP PRACTICE QUESTIONS – 20210130

Effective CISSP Questions

Your organization is planning for penetration testing to assess the security and privacy controls in organizational information systems. Which of the following is not the best time to conduct penetration testing?
A. Before any newly developed system is authorized for operation.
B. When legacy systems are undergoing a major upgrade.
C. After important changes are made to the environment in which the system operates.
D. When a well-known type of attack, rated as high risk, is retained in the risk register.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. When a well-known type of attack, rated as high risk, is retained in the risk register.

Organizations are more concerned about a newly discovered type of attack than about a well-known one. Moreover, if a risk is retained in the risk register (risk retention), the risk has been accepted, which is one form of risk treatment. That implies the penetration test has already been completed, the discovered vulnerabilities and the resulting risk have been further analyzed, the risk exposure has been determined, and the risk has been accepted.

For a newly developed system to be granted the authorization to operate (ATO), it’s not uncommon to include the penetration test result in the assessment report as part of the system authorization package.

Penetration testing exercises can be scheduled and/or random in accordance with organizational policy and organizational assessments of risk. Consideration can be given to performing penetration tests:
(i) on any newly developed information system (or legacy system undergoing a major upgrade) before the system is authorized for operation;
(ii) after important changes are made to the environment in which the information system operates; and
(iii) when a new type of attack is discovered that may impact the system.

Organizations actively monitor the information systems environment and the threat landscape (e.g., new vulnerabilities, attack techniques, new technology deployments, user security and privacy awareness and training) to identify changes that require out-of-cycle penetration testing.

Source: NIST SP 800-53A

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Your organization is planning to conduct penetration testing to assess the security and privacy controls in the organization's information systems. Which of the following is not the best time to conduct penetration testing?
A. Before any newly developed system is authorized for operation.
B. When a legacy system is undergoing a major upgrade.
C. After major changes are made to the environment in which the system operates.
D. When a well-known type of attack has been assessed as high risk and is retained in the risk register.
