[PCI DSS 3.0] 11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification

Discussion in 'Requirement 11: Regularly test security systems and processes' started by pcinetwork, Dec 31, 2013.

  1. pcinetwork

    pcinetwork PCINetwork.org Admin

    11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

    11.3.1.a Examine the scope of work and results from the most recent external penetration test to verify that penetration testing is performed as follows:
    • Per the defined methodology
    • At least annually
    • After any significant changes to the environment.

    11.3.1.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).

    Penetration testing conducted on a regular basis and after significant changes to the environment is a proactive security measure that helps minimize potential access to the CDE by malicious individuals.
    The determination of what constitutes a significant upgrade or modification is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. Performing penetration tests after network upgrades and modifications provides assurance that the controls assumed to be in place are still working effectively after the upgrade or modification.
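One way an assessor or internal auditor can check the three conditions of 11.3.1.a (per the defined methodology, at least annually, after any significant change) against their own records, added here as an example and not part of the original post. The test and change records are constructed placeholders, and treating "annually" as a 365-day window is an assumption.

```python
from datetime import date, timedelta

# Constructed sample records (placeholders, not real data): external penetration
# tests and infrastructure/application changes.
PENTESTS = [
    {"date": date(2013, 1, 15), "external": True, "per_methodology": True},
    {"date": date(2013, 9, 10), "external": True, "per_methodology": False},
]
CHANGES = [
    {"date": date(2013, 8, 20), "desc": "OS upgrade on web tier", "significant": True},
    {"date": date(2013, 11, 2), "desc": "new DMZ sub-network", "significant": True},
    {"date": date(2013, 11, 30), "desc": "routine patch cycle", "significant": False},
]


def check_11_3_1(pentests, changes, today, max_age_days=365):
    """Return a list of findings against 11.3.1.a; an empty list means no gaps found.

    max_age_days=365 is an assumed reading of "at least annually".
    """
    findings = []
    external = sorted((p for p in pentests if p["external"]), key=lambda p: p["date"])
    if not external:
        return ["no external penetration test on record"]
    # At least annually: the most recent external test must fall inside the window.
    latest = external[-1]["date"]
    if today - latest > timedelta(days=max_age_days):
        findings.append(f"latest external test {latest} is older than {max_age_days} days")
    # Per the defined methodology: each test record must attest that it followed it.
    for p in external:
        if not p["per_methodology"]:
            findings.append(f"test on {p['date']} not performed per the defined methodology")
    # After any significant change: every significant change needs an external test
    # dated on or after the change.
    for c in changes:
        if c["significant"] and not any(p["date"] >= c["date"] for p in external):
            findings.append(f"no external test after significant change {c['date']} ({c['desc']})")
    return findings


if __name__ == "__main__":
    for finding in check_11_3_1(PENTESTS, CHANGES, date(2013, 12, 31)):
        print("FINDING:", finding)
```

Significant changes that trigger the check are whatever the organization has classified as such, which, as the post notes, depends on the environment.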
     
  2. CyberSecurityAgency

    CyberSecurityAgency New Member

    The PCI-DSS 3.1 Requirements are a great baseline for keeping any merchant more secure and minimizing their risks of data breach. It is urgent that a merchant perform penetration testing on their systems after any changes to operating systems, applications, or when adding or removing computers and devices from their network. This is the top issue that many of our clients who have experienced data breaches have failed to do. The cost for preventative testing like Penetration Testing is pennies compared to the costs incurred in a data breach, not to mention the brand damage that companies experience.

    Scott D.
    Cyber Security Agency
    www.CyberSecurityAgency.org
    866-898-3218
     
