How to manage your vendor's pen test [outsourced] effectively?


You [the auditor] have to check whether:
  • The agreements are in place, such as the contract, the SLA and especially the NDA.
  • Formal authorisation for this particular engagement has been duly vetted and issued, i.e. written permission from the system owner covering the targets and the test window.
  • A communication plan is properly set up and monitored by management.
  • A vendor qualification (FQA) procedure is in place to pre-identify the vendor's qualifications, skills, professionally certified engineers and capacity before the agreement is signed off.
  • A risk matrix for pen test performance is in place and up to date before the vendor conducts the test.
  • The scope of work and the areas of concern to be tested are sufficiently addressed.
  • Senior management sufficiently appreciates the IT threats and the remedial actions after the pen test is performed.
  • Risk appetites are updated with the pen test results before they are presented to management.
  • The test framework and procedure are properly defined and agreed by management and stakeholders before the contract is signed off.
  • Penetration test activities are fully covered, such as:
    • Identifying targets from publicly available information
    • Detection of unauthorised internet connections
    • War driving and war walking
    • Manual detailed testing
    • Attempts to exploit weaknesses in employee behaviour, such as social engineering attacks, honey traps, phishing, etc.
    • Exploitation of physical controls
    • Minimal possibility of false positives (nothing false about capturing the flag!)
    • Code and compilation tests
    • Back-end structure and middleware tests
    • Network vulnerability scan
    • Telephony / remote access testing
    • Wireless vulnerability scan
    • Password / PIN compromise tests
  • An evaluation response procedure is in place and up to date.
  • The penetration test reports correspond to the test activities actually performed.
  • The pen test report reflects current IT threat updates and their implications for business operations and customers.
  • The pen test report gives detailed solutions to correct or minimise the identified findings or weaknesses, with a cost estimate as appropriate.
  • Post-test findings are duly addressed and verified by risk management or the CARA team for their implications and for any new threats detected.
  • The remedial actions / strategies for system loopholes are duly and properly treated and responded to by the relevant stakeholders, and the fixes are verified by a retest before the findings are closed.
  • The pen test activities are well monitored and documented by the custodians or the authorised officer in charge.