ID.IM-02.183

Does your organization conduct penetration testing on high-risk systems with leadership approval?

Explanation

Penetration testing simulates real-world attacks against high-risk systems to find exploitable vulnerabilities before malicious actors do. Tests should target systems that hold sensitive data or are critical to operations, and should proceed only with documented authorization from leadership. That authorization confirms leadership's awareness and support of the testing, fixes the scope and rules of engagement for each engagement, and gives the testers the legal authority they need to act against production systems. Evidence could include a penetration testing policy, recent penetration test reports for high-risk systems, records of leadership approval for each engagement, and remediation plans for the vulnerabilities identified. Together these documents should demonstrate a systematic approach to identifying and addressing security weaknesses in critical systems.

Implementation Example

Perform penetration testing to identify opportunities to improve the security posture of selected high-risk systems as approved by leadership

ID: ID.IM-02.183

Context

Function
ID: IDENTIFY
Category
ID.IM: Improvement
Sub-Category
Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub