I want to conduct penetration tests on my company's systems, but I want to make sure the testing complies with the NIST 800-115 standard. Can you recommend any steps to ensure compliance?
The National Institute of Standards and Technology produces a series of information security standards designed to provide advice to organizations seeking to build robust security programs. One of those publications, the Technical Guide to Information Security Testing and Assessment: NIST SP 800-115, provides guidance for penetration testing. SP 800-115 is recognized as an industry standard for performing these tests and is called out by PCI DSS 3.0 as an acceptable approach for performing penetration tests of cardholder data environments.
There is really only one way to ensure compliance with SP 800-115: Read it! The document weighs in at 60 pages and is chock full of detailed recommendations to assist with penetration testing. There is no substitute for downloading and reading the standard in detail.
At a high level, the standard suggests a three-step approach to information security assessment. First, rather than jumping right in, testers should begin with a planning phase that includes gathering information about the target environment and developing the test procedures. NIST recommends approaching the planning phase using a formal project management plan, similar to other IT projects.
Only after completing the planning phase should testers proceed to the execution phase, where the testers identify vulnerabilities and validate that they are not false positives. At the conclusion of this phase, the testers will have a list of technical and process vulnerabilities. This list is used during the post-execution phase to determine root causes of vulnerabilities, recommend remediation actions and document the test results in a report.
The NIST 800-115 standard provides a great roadmap for penetration testers that is an accepted industry standard. Following this model is a good way to ensure that your penetration testing program complies with best practices.
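The three-phase sequence the answer lays out (planning, then execution with false-positive validation, then post-execution root-cause and remediation reporting) can be turned into a small engagement tracker that refuses to let a test skip ahead. The code below is an added example, not part of the answer and not code from NIST or SP 800-115; the specific planning artifacts it requires (`scope`, `rules_of_engagement`, `test_procedures`, `project_plan`), the field names, and the sample findings are this example's own assumptions and constructed data.

```python
"""Engagement tracker enforcing the SP 800-115 phase order from the answer above.

Added example. Phase names follow the answer; the required planning artifacts,
finding fields and sample data are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Phase(Enum):
    PLANNING = 1
    EXECUTION = 2
    POST_EXECUTION = 3


# Artifacts this example assumes must exist before any testing begins.
PLANNING_ARTIFACTS = ("scope", "rules_of_engagement", "test_procedures", "project_plan")


@dataclass
class Finding:
    identifier: str
    description: str
    kind: str                          # "technical" or "process", as in the answer
    validated: Optional[bool] = None   # None = unchecked, False = false positive
    root_cause: str = ""
    remediation: str = ""


@dataclass
class Engagement:
    name: str
    phase: Phase = Phase.PLANNING
    artifacts: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

    def add_artifact(self, key: str, value) -> None:
        if self.phase is not Phase.PLANNING:
            raise RuntimeError("planning artifacts are frozen once execution begins")
        self.artifacts[key] = value

    def start_execution(self) -> None:
        missing = [a for a in PLANNING_ARTIFACTS if not self.artifacts.get(a)]
        if missing:
            raise RuntimeError(f"planning incomplete, missing: {missing}")
        self.phase = Phase.EXECUTION

    def record_finding(self, finding: Finding) -> None:
        if self.phase is not Phase.EXECUTION:
            raise RuntimeError("findings are recorded only during execution")
        if finding.kind not in ("technical", "process"):
            raise ValueError("finding kind must be 'technical' or 'process'")
        self.findings.append(finding)

    def _get(self, identifier: str) -> Finding:
        for f in self.findings:
            if f.identifier == identifier:
                return f
        raise KeyError(identifier)

    def validate(self, identifier: str, is_true_positive: bool) -> None:
        # Execution phase: every finding is checked so false positives are dropped.
        if self.phase is not Phase.EXECUTION:
            raise RuntimeError("validation happens during execution")
        self._get(identifier).validated = is_true_positive

    def start_post_execution(self) -> None:
        unvalidated = [f.identifier for f in self.findings if f.validated is None]
        if unvalidated:
            raise RuntimeError(f"unvalidated findings remain: {unvalidated}")
        self.phase = Phase.POST_EXECUTION

    def analyze(self, identifier: str, root_cause: str, remediation: str) -> None:
        if self.phase is not Phase.POST_EXECUTION:
            raise RuntimeError("root-cause analysis belongs to post-execution")
        f = self._get(identifier)
        f.root_cause, f.remediation = root_cause, remediation

    def report(self) -> dict:
        if self.phase is not Phase.POST_EXECUTION:
            raise RuntimeError("the report is produced in post-execution")
        confirmed = [f for f in self.findings if f.validated]
        incomplete = [f.identifier for f in confirmed if not (f.root_cause and f.remediation)]
        if incomplete:
            raise RuntimeError(f"confirmed findings lack root cause or remediation: {incomplete}")
        return {
            "engagement": self.name,
            "confirmed": [{"id": f.identifier, "kind": f.kind, "root_cause": f.root_cause,
                           "remediation": f.remediation} for f in confirmed],
            "false_positives": [f.identifier for f in self.findings if f.validated is False],
        }


def demo() -> dict:
    """Walk one constructed engagement through all three phases and return its report."""
    eng = Engagement("example-internal-assessment")          # constructed name
    eng.add_artifact("scope", ["lab segment only (constructed)"])
    eng.add_artifact("rules_of_engagement", "signed by system owner (constructed)")
    eng.add_artifact("test_procedures", ["discovery", "vulnerability validation"])
    eng.add_artifact("project_plan", "two-week schedule (constructed)")
    eng.start_execution()
    eng.record_finding(Finding("F-1", "outdated TLS configuration on web tier", "technical"))
    eng.record_finding(Finding("F-2", "scanner flagged default credentials", "technical"))
    eng.record_finding(Finding("F-3", "no documented patch approval workflow", "process"))
    eng.validate("F-1", True)
    eng.validate("F-2", False)   # manual check showed the scanner result was a false positive
    eng.validate("F-3", True)
    eng.start_post_execution()
    eng.analyze("F-1", "no hardening baseline for web servers",
                "adopt a TLS baseline and enforce it through configuration management")
    eng.analyze("F-3", "change management policy omits patching",
                "add a patch approval step to the change management policy")
    return eng.report()


if __name__ == "__main__":
    print(demo())
```

The tracker is deliberately strict: execution cannot start without the planning artifacts, the post-execution phase cannot start while any finding is unvalidated, and the report refuses to render a confirmed finding that has no root cause and remediation, which mirrors the order of work the answer describes.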
Related Q&A from Mike Chapple