Separation of Duties in Penetration Testing
Penetration Testing in Support of PCI Compliance
PCI Requirement 11.3 calls out the need to implement a methodology for penetration testing that includes the following:
- Based on industry-accepted penetration testing approaches
- Includes coverage for the entire CDE perimeter and critical systems
- Includes testing from both inside and outside the network
- Includes testing to validate any segmentation and scope-reduction controls
- Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
- Defines network-layer penetration tests to include components that support network functions as well as operating systems
- Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
- Specifies retention of penetration testing results and remediation activities results
One of the most common questions regarding penetration testing for PCI compliance is about who should perform the testing. It doesn’t have to be a QSA or an ASV or even a third party. But, it does need to be an qualified individual who is separated from the operational responsibilities of your environment. This separation of duties means that they are considered to be independent. As far as qualifications go, you need a true penetration tester in order to get a thorough test. Penetration testing is generally a highly manual, active process, where the tester uses their knowledge of systems to penetrate an environment. Often the tester will chain several types of exploits together with a goal of breaking through layers of defenses. The intent of penetration testing is to simulate real-world attacks against your environment so that you can identify any potential vulnerabilities and see how far an attacker would be able to enter into your environment.
AWS customers can carry out security assessments and penetration testing against their AWS infrastructure without prior approval for eight services. For more information, learn about vulnerability assessment and management in AWS Marketplace and the AWS Customer Support Policy for Penetration Testing.
One of the requirements in the PCI DSS is the requirement for penetration testing. You will read in PCI Requirement 11.3 that there is a requirement to have annual external penetration testing and annual internal penetration testing, as well as additional penetration testing after any significant changes within your environment.
One of the things that people have to contemplate is who you are going to have do your penetration testing of your environment. First of all, it does not have to be a QSA. It does not have to be an ASV. You can select a qualified, trained, experienced penetration tester to perform these tests for you. Secondly, it does not have to be an external party. It doesn’t have to be a third party that you hire, as long as you have separation of duties within your organization. If there is an individual who is separated from the operational responsibilities of your environment, they are considered independent and can perform these tests for you. However, one of the things that we look at during a PCI assessment is the qualifications of the person conducting the penetration test. Whether you hire a third party or whether you use an internal resource to perform your testing, you have to evaluate their qualifications and skill level to ensure that it’s appropriate to meet the complexity of your environment in order to accomplish your security initiatives.