Does your organization conduct penetration testing on high-risk systems with leadership approval?
Explanation
Penetration testing simulates real-world attacks to identify vulnerabilities in high-risk systems before malicious actors can exploit them. These tests should target systems that hold sensitive data or are critical to operations, and they should be authorized by leadership so that leadership is aware of and supports the testing activities.
Evidence could include a penetration testing policy document, recent penetration test reports for high-risk systems, documentation of leadership approval for testing, and remediation plans addressing identified vulnerabilities. These documents should demonstrate a systematic approach to identifying and addressing security weaknesses in critical systems.
Implementation Example
Perform penetration testing to identify opportunities to improve the security posture of selected high-risk systems as approved by leadership
ID: ID.IM-02.183
Context
- Function: ID (IDENTIFY)
- Category: ID.IM (Improvement)
- Sub-Category: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
Related questions
- Does your organization regularly conduct self-assessments of critical services that incorporate current threat intelligence and adversary tactics, techniques, and procedures (TTPs)?
- Has your organization conducted third-party assessments or independent audits of your cybersecurity program within the past 12 months?
- Does your organization utilize automated tools or systems to continuously evaluate compliance with your established cybersecurity requirements?
- Does your organization have a process to identify and implement improvements to incident response procedures based on findings from exercises, tests, and reviews?
- Does your organization have a formal process to identify and implement improvements to business continuity, disaster recovery, and incident response plans based on exercises conducted with critical service providers and suppliers?
- Does your organization involve internal stakeholders (such as senior executives, legal, and HR) in security tests and exercises?