

Can NIST 800-115 help with penetration testing?

Compliance with NIST 800-115 is important for enterprises to maintain while testing systems. Expert Mike Chapple explains the best way to do that.

I want to conduct penetration tests on my company's systems, but I want to make sure the testing complies with the NIST 800-115 standard. Can you recommend any steps to ensure compliance?

The National Institute of Standards and Technology produces a series of information security publications designed to give organizations practical advice on building robust security programs. One of them, the Technical Guide to Information Security Testing and Assessment (NIST SP 800-115), covers penetration testing. Strictly speaking it is a guide rather than a standard, but it is widely treated as an industry baseline for performing these tests, and PCI DSS 3.0 (Requirement 11.3) names it as an acceptable basis for penetration testing of cardholder data environments.

There is really only one way to ensure compliance with SP 800-115: Read it! The document runs to roughly 80 pages and is full of detailed recommendations on assessment techniques, planning, execution and reporting. There is no substitute for downloading the publication from NIST and reading it in detail.

At a high level, the guide organizes any information security assessment into three phases. First, rather than jumping right in, testers begin with a planning phase: agreeing the scope and rules of engagement, gathering information about the target environment and developing the test procedures. NIST recommends running this phase under a formal project management plan with management sign-off, as you would any other IT project.

Only after the planning phase is complete should testers proceed to the execution phase, where they identify vulnerabilities and then validate each one so that false positives from scanners and other tools are weeded out. At the end of this phase, the testers hold a list of confirmed technical and process vulnerabilities. That list drives the post-execution phase, in which the team determines the root causes behind the vulnerabilities, recommends remediation actions and documents the results in a report.

Within that framework, SP 800-115 also describes penetration testing specifically as a four-stage process: planning, discovery, attack and reporting, where a successful attack typically feeds newly reachable hosts and weaknesses back into further discovery before the reporting stage.
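The three phases above boil down to a handful of rules a testing team can enforce on itself: nothing is tested until the scope is signed off, nothing outside the authorized scope is touched, no finding reaches the report until it has been checked for false positives, and every reported finding carries a root cause and a remediation. The following is an added example (not code from the article or from NIST) of a small tracker that enforces those rules; the class names, the CIDR scope and the sample findings are all constructed for illustration.

```python
"""Assessment tracker modelled on the SP 800-115 planning / execution /
post-execution phases. Added example; names and sample data are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Phase(Enum):
    PLANNING = "planning"
    EXECUTION = "execution"
    POST_EXECUTION = "post-execution"


class Status(Enum):
    UNVERIFIED = "unverified"          # raw tool output, not yet checked
    CONFIRMED = "confirmed"            # reproduced by the tester with evidence
    FALSE_POSITIVE = "false positive"


@dataclass
class Finding:
    target: str
    title: str
    status: Status = Status.UNVERIFIED
    evidence: str = ""
    root_cause: str = ""
    remediation: str = ""


class Assessment:
    """Tracks one assessment through the three phases in order."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.phase = Phase.PLANNING
        self.scope: list = []          # ipaddress networks authorised for testing
        self.approved_by = ""
        self.findings: list[Finding] = []

    # planning: scope is fixed and signed off before any testing
    def add_scope(self, cidr: str) -> None:
        if self.phase is not Phase.PLANNING:
            raise RuntimeError("scope is fixed once the plan is approved")
        self.scope.append(ipaddress.ip_network(cidr, strict=False))

    def approve_plan(self, approver: str) -> None:
        if not self.scope or not approver:
            raise ValueError("a signed-off scope is required before testing starts")
        self.approved_by = approver
        self.phase = Phase.EXECUTION

    # execution: only in-scope targets, every finding must be verified
    def in_scope(self, host: str) -> bool:
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.scope)

    def record(self, target: str, title: str) -> Finding:
        if self.phase is not Phase.EXECUTION:
            raise RuntimeError(f"cannot record findings during {self.phase.value}")
        if not self.in_scope(target):
            raise PermissionError(f"{target} is outside the authorised scope")
        finding = Finding(target, title)
        self.findings.append(finding)
        return finding

    def verify(self, finding: Finding, confirmed: bool, evidence: str) -> None:
        if not evidence:
            raise ValueError("record how the result was checked")
        finding.status = Status.CONFIRMED if confirmed else Status.FALSE_POSITIVE
        finding.evidence = evidence

    def close_execution(self) -> None:
        pending = [f for f in self.findings if f.status is Status.UNVERIFIED]
        if pending:
            raise RuntimeError(f"{len(pending)} finding(s) still unverified")
        self.phase = Phase.POST_EXECUTION

    # post-execution: root cause and remediation, then the report
    def analyse(self, finding: Finding, root_cause: str, remediation: str) -> None:
        if self.phase is not Phase.POST_EXECUTION:
            raise RuntimeError("root-cause analysis happens after execution")
        finding.root_cause = root_cause
        finding.remediation = remediation

    def report(self) -> dict[str, list[dict]]:
        """Confirmed findings grouped by root cause; false positives are dropped."""
        if self.phase is not Phase.POST_EXECUTION:
            raise RuntimeError("report only after execution is closed")
        out: dict[str, list[dict]] = {}
        for f in self.findings:
            if f.status is not Status.CONFIRMED:
                continue
            if not (f.root_cause and f.remediation):
                raise ValueError(f"{f.title} lacks root cause or remediation")
            out.setdefault(f.root_cause, []).append(
                {"target": f.target, "title": f.title, "remediation": f.remediation})
        return out


def demo() -> dict[str, list[dict]]:
    """Walk a constructed assessment through all three phases."""
    a = Assessment("Q4 internal assessment")
    a.add_scope("10.0.0.0/24")                 # constructed scope
    a.approve_plan("CISO")
    f1 = a.record("10.0.0.5", "TLS 1.0 enabled")
    f2 = a.record("10.0.0.9", "Outdated OpenSSH banner")
    f3 = a.record("10.0.0.12", "TLS 1.0 enabled")
    a.verify(f1, True, "openssl s_client -tls1 handshake succeeded")
    a.verify(f2, False, "distro backports patches; version string is misleading")
    a.verify(f3, True, "openssl s_client -tls1 handshake succeeded")
    a.close_execution()
    for f in (f1, f3):
        a.analyse(f, "no baseline TLS configuration", "apply hardened TLS template")
    return a.report()


if __name__ == "__main__":
    print(demo())
```

Grouping the report by root cause rather than by host is deliberate: two hosts with the same weak TLS settings are one configuration-management problem, not two findings, and that is the framing the post-execution phase is meant to produce.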

SP 800-115 gives penetration testers a clear, widely accepted roadmap. Following its phases, and documenting that you did, is the most direct way to show that your penetration testing program lines up with accepted practice.



This was last published in November 2014
