3 REGULATORY MANAGEMENT FOR PENETRATION TESTING

Rob Ellis

We begin this chapter with an overview of regulation and compliance frameworks and how penetration testing fits into them. The next section sets out the regulatory management approaches and considerations, as well as the legal aspects that apply to conducting penetration testing. The final part of the chapter describes the main types of organisational regulation and compliance that apply to penetration testing.

GOVERNANCE AND REGULATORY COMPLIANCE OVERVIEW

High-profile security breaches have increasingly made the headlines. For example, the 2013 breach of cardholder data at the US company Target led to costs to the company of US$252 million (McGinty, 2015). Arguably, high-profile cases like this impact consumer confidence in online shopping (NCC Group, 2016).

Breaches like this cause direct and indirect damage to the organisations themselves and to other organisations that they have a business relationship with or a responsibility for. Consequently, organisations have responded by employing a range of cyber-security technologies, policies, procedures and controls. At the same time, governments, regulatory bodies and industries have sought to improve security and provide assurance by responding with new and revised laws, regulations and compliance schemes aimed at preventing and mitigating such incidents. For example, following the 2017 Equifax breach, the US New York State Department of Financial Services announced that credit reporting agencies will now be required to register and comply with state cyber-security regulations (Clark, 2018).

With the scale and complexity of the systems used to deliver today’s highly capable services comes an increasing number of potential vulnerabilities lying in wait for discovery and exploitation. Penetration testing is used to discover the presence and extent of such vulnerabilities so that they can be assessed and resolved or mitigated before they can be exploited. On this basis, governments, regulatory bodies and businesses want to ensure that the organisations they work with are employing penetration testing effectively as one of the steps towards information assurance.

Legal and regulatory requirements are by nature mandatory, in that they apply to all organisations within their scope. The EU General Data Protection Regulation (GDPR), as tailored by the UK Data Protection Act, for example applies to all processing of the personal data of individuals (EU data subjects). Compliance frameworks are largely optional; however, they can prove to be mandatory in practice when they are a requirement for access to an essential service that an organisation cannot operate without. This includes instances where a licence to operate will not be granted, or will be withdrawn, if an organisation is not compliant. The payment card industry’s PCI DSS standard is an example of this, as organisations are required to demonstrate compliance to be permitted to process card payments.

Compliance frameworks such as the ISO27001:2013 information security standard are also available as a means for organisations to demonstrate that they operate to a specific standard. Demonstrating and certifying compliance with these standards can then be used competitively to differentiate from competitors as part of a strategy to generate new business or to protect existing business.

Key terms

When dealing with regulatory, legal and compliance frameworks, there are a number of applicable key terms and definitions. Key examples of these are described below.

Information governance

The organisational approach taken to meet regulatory, legal and risk requirements delivered through a system of policies, procedures and controls. Penetration testing in this context would be employed as part of an organisation’s vulnerability management processes to treat risks presented by exploitable vulnerabilities. It would also typically be present in many of the regulatory and compliance standards that the organisation is required to meet.

Information assurance

The ability to provide confidence in the capabilities of an organisation’s information systems to protect information. Penetration testing plays a key part in establishing this confidence by actively seeking to identify the presence of exploitable vulnerabilities so that they can be subsequently assessed and remediated or mitigated.

Regulatory bodies

Government or industry bodies charged with ensuring that organisations are operating in an appropriate manner. These organisations vary widely depending on the sectors that they are responsible for, but aspects of information security are a common theme among many of the regulations issued by them.

Compliance standards

Compliance standards are frameworks of requirements set out by governments, regulatory bodies and other organisations. They provide organisations with a specific baseline set of requirements to meet in order to demonstrate compliance.

Regulatory and compliance requirements

Regulatory requirements are the criteria that organisations are obliged to meet in order to operate legally; compliance requirements are those needed to achieve a compliant status.

Legal regulatory requirements include national laws such as the UK Data Protection Act 2018/GDPR, the Computer Misuse Act 1990 and the Freedom of Information Act 2000. International laws could also apply, such as the US Sarbanes–Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA).

Compliance frameworks and standards would vary based on organisation type, sector and organisational aims but could include ISO27001, PCI DSS and many others. These would frequently include an element of penetration testing specifically or indirectly as part of a wider requirement to manage risks from vulnerability exploitation.

REGULATORY AND LEGAL PREPARATORY CONSIDERATIONS

In preparing for penetration testing, an organisation needs to establish the overall requirements for a test, as shown in Figure 3.1. These will be based upon the organisation’s legal, regulatory, compliance and information assurance requirements which will help to define which services are to be tested and how. These would be added to the penetration testing requirements from other areas such as responses to risks identified by the organisation’s risk management processes or as preventive responses following security incidents.

Figure 3.1 Legal and regulatory requirements overview

The legal requirements would be based upon the areas of operation and the subsequent local, national and international laws that apply to the organisation. The regulatory requirements would come from the type and activities of the organisation concerned.

Lastly, the compliance and standards requirements would be based on the standards that the organisation is maintaining or any that the organisation is seeking to meet as part of an organisational or business strategy.

In all cases, the requirements should factor in the laws, regulations and standards as they currently stand along with forthcoming changes. Researching such changes so that preparations can be made before they come into effect can be advantageous by helping to simplify introduction and minimise impact.

For services that are internal (services that are owned, managed and delivered by the organisation’s own resources), the penetration testing process will follow the organisation’s processes to engage with the service owners. These processes are specific to each organisation but could include elements from frameworks such as ITIL to ensure that testing is carried out on a formally agreed basis.

For contracted services that involve partners, suppliers (managed services or public cloud services for example) or other third parties, contracts will need to be reviewed to identify the basis for the penetration testing as follows:

Is the penetration testing of the third party’s service and its supporting infrastructure specified in the contract?

Are there any contractual terms and conditions specifying how the penetration testing can be undertaken?

Does the third party conduct its own penetration testing to a suitable level that will negate the need for further penetration testing?

If there are contractual issues with carrying out the penetration testing, can the contract be updated to address these?

Public cloud services

Organisations subscribing to public cloud services will be required to enter a contractual relationship with the cloud provider. The terms and conditions for these services will typically include:

The types of penetration testing of the service that are permitted.

The penetration testing actions that are allowed or prohibited.

The notification that needs to be provided.

Confidentiality and reporting of any cloud service vulnerabilities discovered by the penetration testing.

The penetration testing and assurances given by the cloud provider.

Penetration testing contracts

Penetration testing may be carried out on behalf of the organisation by an external service provider or by an internal resource. Where the testing is to be carried out by an external service provider, a contractual relationship will be needed to establish the legal basis for the testing. Penetration testing may also be carried out in a hybrid manner using internal resources in conjunction with an external provider, in which case the considerations for both scenarios will apply.

Typically, the client organisation’s contract with the service provider protects them as follows:

Ensures that testing will only be carried out against services defined as being in-scope.

Specifies how the testing will be conducted in terms of timing, locations and communications.

Ensures ownership and confidentiality of the penetration testing results.

Ensures retention and destruction of client data acquired during the testing.

The contract protects the penetration testing service provider as follows:

Establishes that the client organisation is providing the permission for the testing against only their own services or their supplier-hosted services, granting the penetration test provider the legal authority to conduct the testing.

Defines the overall scope of the testing to be carried out.

Establishes the basis for the service provider’s indemnity should the penetration testing disrupt services and cause subsequent damages.

Penetration test service provider accreditation

While in some instances there may not be a requirement for penetration test service providers to be accredited, organisations procuring penetration testing services may require assurance based upon industry accreditation.

The industry’s main penetration testing accreditation is provided by the international not-for-profit accreditation body CREST. Penetration testing providers can become members and be accredited in a number of information security disciplines including penetration testing. The application process assesses many factors including:

quality procedures, policies and processes;

penetration testing methodology;

vetting and clearance of penetration testing personnel;

qualifications and experience of penetration testing personnel;

professional indemnity insurance level.

In addition to CREST, the UK’s National Cyber Security Centre (NCSC) provides a similar accreditation known as CHECK for penetration testing of UK government and critical national infrastructure systems.

Individuals can also become accredited through the Tigerscheme and the Cyber Scheme certifications. These schemes provide formal recognition to individuals, and a number of the qualifications are recognised by the NCSC as part of CHECK accreditation.

In-house penetration testing

Where penetration tests will be carried out by an internal resource, the organisation needs to go through a process to develop a framework for the testing to be carried out in a controlled and approved manner. Without a supporting framework of policies and processes, the ability to carry out effective testing that meets requirements and identifies risks may be limited. In addition to this, employees engaged in penetration testing could find that their activities are not clearly authorised and could find themselves at risk of disciplinary action or prosecution.

To provide a framework for authorised penetration testing to take place by employees within an organisation, a penetration testing policy and process should be developed that specifies the following:

roles and responsibilities;

penetration testing authorisation and approval processes;

training and organisation or employee accreditation;

approved tools and methods;

communication, notification and reporting;

confidentiality and disclosure of the penetration test results;

confidentiality, retention and destruction of any data acquired during the testing.

The findings of the penetration tests are critical and highly sensitive as they identify vulnerabilities within the organisation’s systems; great care should be taken with the handling of this data. In addition to this, should the penetration testing directly or indirectly identify a breach that poses a risk to personal data, the relevant regulatory bodies must be notified. For the UK, the Information Commissioner’s Office (ICO) must be notified unless the breach is unlikely to result in a risk to the rights and freedoms of individuals as defined under GDPR.

A review of other internal policies should be undertaken to ensure that they correctly reference and do not contradict the penetration testing policy. For example, acceptable use policies (AUPs) should define what unauthorised hacking is, while specifying that a penetration testing policy governs the permitted activities.

By establishing these policies and processes, employees can conduct the penetration testing in a legal and authorised manner.

Legal basis and authorisation

Whether the penetration testing is carried out by an external provider or by the organisation’s in-house resources, there are applicable laws that must be followed to ensure that testing is carried out on a legal basis. These laws are as follows:

GDPR

Section 170 of the UK Data Protection Act 2018/GDPR refers to unlawfully obtaining personal data. If an employee engages in a penetration testing activity that results in access to personal data without sufficient authorisation and without a legal basis, they could potentially face prosecution under this section of the act.

More on GDPR later in this chapter.

UK Computer Misuse Act (1990)

This Act contains sections under which charges could be brought if penetration testing activities are carried out without authorisation.

Section 1 of the Act refers to unauthorised access to computer material.

Section 3 concerns offences committed through unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer. Charges under this section could be brought if unauthorised penetration testing has disrupted services.

Section 3A concerns making, supplying or obtaining articles for use in offences under other sections of the act. This section of the act is primarily aimed at the illegitimate development and use of exploit tools such as malware. Penetration testing, however, also involves the development and use of tools designed to identify and exploit vulnerabilities – so authorisation for penetration testing is required to demonstrate that such use is legitimate and to avoid potential prosecution.

Section 3ZA applies to unauthorised acts causing or creating risk of serious damage. Again, as penetration testing has the potential to disrupt services, criminal offences could apply to penetration testing carried out without sufficient authorisation.

Organisations should put in place policies and notifications to specify to users that unauthorised access and activities contravene the Computer Misuse Act.

UK Health and Safety at Work etc. Act (1974)

This Act contains a number of duties for employers and employees. These duties include ensuring the health, safety and welfare of employees and ensuring that the public are not exposed to risks to their health and safety. There is also a duty requiring employees to take care of the health and safety of others who may be affected by their work activities.

It is an offence under the Act to fail to discharge these duties.

The nature of penetration testing means that there is a risk of disruption to the systems and services being tested. As penetration testing may cover production mission-critical systems, it is essential to put in place measures to ensure health and safety as far as is reasonably practicable. Failure to do so could constitute a criminal offence under this Act, based on failing to discharge the duties.

Additional considerations

Whether the penetration testing is carried out by an external or an internal resource the governance and regulatory aspects related to employees need to be considered. Examples would include the handling of any personal data obtained during the testing in a manner that is compliant with data protection regulations and the organisation’s policies.

Consideration should also be given to the regulatory and legal aspects of employee-owned devices used as part of an organisational bring-your-own-device (BYOD) service. Issues that should be considered include the accidental capture of data from such devices and handling of any risks identified on employee-owned devices during the testing. Policies and processes should be in place to govern BYOD and the inclusion of penetration testing aspects will help to ensure that there are no surprises.

An additional area that may be included as part of a penetration test programme is the use of social engineering to test the effectiveness of policies, processes and training. To ensure this is carried out on a legal basis, this should be defined, reviewed and authorised by an organisation. This should include:

ensuring specific consent is in place for the social engineering attempts;

ensuring that appropriate communication has been carried out;

ensuring individual employee rights are not compromised.

SECTORS AND COMPLIANCE STANDARDS

Like a jar of assorted buttons, the diverse range of laws, regulations, standards and compliance schemes related to penetration testing can be categorised based on many different criteria: International or national? Public or private sector? Mandatory or optional? Industry or functional area?

Some regulations are legally based, applying horizontally to specific functional areas across a wide range of organisations, such as financial functions. Others are highly specific, applying only to organisations operating within a particular vertical sector, such as the nuclear industry.

Horizontal sector examples

The remit of data protection regulations such as the EU General Data Protection Regulation (GDPR) covers the handling and protection of all personally identifiable data by all organisations within the EU or processing the data of EU citizens.

Financial accounting regulations such as the US Sarbanes–Oxley Act span the accountancy functions of all businesses with a listing in the United States. Section 404 of this Act applies to information security and penetration testing as it mandates the establishment of internal controls and procedures. It also requires the maintenance and testing of controls and procedures to ensure their effectiveness. Focused penetration testing and reporting can be carried out to specifically meet Sarbanes–Oxley compliance requirements.

Vertical sector examples

Nuclear regulation in the UK is carried out by the UK Office for Nuclear Regulation (ONR). Its regulatory responsibilities apply to the nuclear aspects of all civilian organisations, including:

nuclear material transportation;

nuclear energy generation;

nuclear fuel processing;

nuclear site decommissioning;

emergency preparation and response.

The ONR regulates these areas on a compliance and guidance basis. The published guidance (ONR, 2017) for ONR’s inspectors makes several references to penetration testing as a means for organisations to demonstrate their information assurance.

Other regulatory bodies or legislation may apply to specific sectors. For example, in the US, the Health Insurance Portability and Accountability Act (HIPAA) regulates the privacy and security of individually identifiable health information for US citizens. This legislation consequently applies to care providers, medical insurers, researchers, pharmaceutical companies and many others.

The high dependence of all organisations upon electronic information-based services means that most regulatory standards will have elements of information security. As a key means of securing any information-based service, the effective application of penetration testing will directly or indirectly feature in these.

Regulatory bodies and legislation

Regulatory bodies vary based upon the sector they are responsible for regulating. They may apply their regulatory powers through legal measures or on a basis of guidance and recommendations.

In the UK, the ICO, with the protection of personal data as its remit, is responsible for the enforcement of GDPR/the Data Protection Act 2018. Because of the nature of personal data, these legal requirements cover operations across most, if not all, sectors and industries.

General Data Protection Regulation (GDPR)/UK Data Protection Act 2018

GDPR is an EU regulation that, following a two-year adoption period, was implemented across the EU in 2018, with nation-specific tailoring implemented in the UK in the form of the UK Data Protection Act 2018. The aim of the regulation is to strengthen and unify data protection across the EU. The UK Data Protection Act 2018 supplements GDPR in UK law with UK-specific provisions. GDPR applies to personal data and defines the obligations for organisations to protect such data in terms of Data Controllers, Data Processors and principles. Data Controllers are the organisations that, following consent, are collecting personal data from citizens. Data Processors are organisations that are processing personal data as a service on behalf of Data Controllers.

Article 5 of the GDPR states that personal data shall be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’.

This is followed by a requirement that ‘the controller shall be responsible for, and be able to demonstrate, compliance with the principles’.

Article 32 of GDPR further specifies that measures to be implemented should include ‘a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing’. Penetration testing in most circumstances will be considered as one of the most effective means of meeting this requirement. In addition, as a means of identifying potential vulnerabilities, it also presents a valuable means for organisations to demonstrate compliance with the principles based upon the effectiveness of other security measures.

The GDPR includes principles for personal data such as the right to erasure: individuals can request that an organisation deletes their personal data. These principles should be considered in respect of any personal data obtained during the penetration testing.

In the event that a breach is discovered that affects personal data (through loss, alteration or destruction) and there is a resultant risk to the rights and freedoms of individuals, GDPR establishes a requirement for notification. This notification will be to the relevant supervisory authority (the ICO) and directly to the individuals. Notifiable breaches must be reported within 72 hours, and without undue delay if the breach is sufficiently serious.

The adoption of GDPR in the UK alongside the 2018 Data Protection Act has resulted in a significant increase in the size of penalties that can be imposed for failures to protect personal data (€20 million or 4% of total annual worldwide turnover) and the increased requirements represent a greater compliance challenge for organisations to meet.

Trade body compliance

Compliance frameworks from trade bodies are typically established as a means of ensuring standards are met before trade services will be offered. These could range from highly specific standards set by individual companies to widely applicable standards such as the PCI DSS standard that organisations are required to meet for them to be able to process card payments. Many of these standards, like the PCI DSS, have evolved to include information security requirements including penetration testing.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS is an industry compliance standard established by the major card companies as a means of combating credit card fraud by increasing security controls. The degree of compliance validation varies according to the nature and scale of the card handling organisation. Small volume organisations can self-assess against the standard, while larger organisations will be assessed by an external qualified security assessor or an internal security assessor.

Since being established in 2004, PCI DSS has been repeatedly updated with additions being initially added as guidance before being changed to mandatory requirements as the version of the standard is updated. This approach gives organisations awareness and time to prepare for the changes. Penetration testing is one such area that has evolved significantly through the updates to the standard.

Requirement 11 of the standard now requires organisations to regularly test security systems and processes. Section 11.3 specifically requires organisations to establish a methodology for annual external and internal penetration testing. As key elements of the standard cover the segmentation of the cardholder data environment from other areas of the organisation’s infrastructure, this testing must also be carried out after changes to the controls that provide this segmentation.

Non-governmental organisation (NGO) compliance frameworks

Many compliance standards are established by non-government organisations. Arguably, the most significant information technology and information security standards have been developed by the International Organization for Standardization (ISO). The most relevant standard to penetration testing is ISO’s Information Security Standard ISO 27001:2013. This standard provides a specification of processes and policies for the establishment of an Information Security Management System (ISMS). This can be scoped to apply to the entire organisation or to specific organisational areas or functions that can choose to adapt their information security policies and procedures to make themselves compliant with the standard.

Organisations can then proceed to be independently assessed by an accredited party in order to certify their compliance. This certified compliance may then enable access to business contracts that require compliance, and it also helps the organisation to differentiate itself from competitors.

Section 12.6 of Annex A of ISO 27001:2013 specifies an objective to reduce the risks resulting from the exploitation of published technical vulnerabilities. This has an associated control to obtain, assess and apply appropriate measures to meet the objective. An established penetration testing process provides an essential means of compliance with this requirement.

Types of compliance conformity

Aligned

Adaptation and alignment of an organisation’s processes to be similar in practice or spirit to a framework.

Compliant

The organisation is compliant with a framework based on self-assessment or assessment by a third party.

Certified

The organisation or specific sections are verified and certified against a framework by an independent accredited body.

Accredited

Independent organisations that are accredited by the standards bodies to assess and certify other organisations.

There are a number of frameworks for governing enterprise information technology and ensuring alignment of IT with business objectives.

COBIT

COBIT is one such framework that defines a maturity model and specifies processes, controls and guidelines that, when implemented well, can contribute to achieving and maintaining regulatory compliance. COBIT is a high-level framework, and recent iterations have included updates to enable it to be aligned with more detailed frameworks such as the ITIL framework described next.

ITIL, ITSM, ISO20000

Alongside the ISO 27001:2013 Information Security standard, there are also standards for Information Technology Service Management (ITSM). The employment of these frameworks of IT processes can be used as a means of simplifying and demonstrating regulatory compliance. These frameworks can also assist with the development and integration of penetration testing as part of other IT processes.

For example, based upon the ITIL® ITSM framework, an organisation can establish operational level agreements (OLAs) to describe the inter-group responsibilities, processes and schedules to support the delivery of the penetration testing service. For penetration testing services, these would include such things as information provision, notifications, approvals, communications and resourcing.

The penetration testing service owner can then define and agree a service level agreement (SLA) for the delivery of the service to the organisation. The SLA will include the penetration testing service definition, responsibilities and targets.

Lastly, ITSM certification can also be obtained through the ISO20000 ITSM compliance standard.

Business Continuity ISO 22301

ISO 22301 is the ISO’s Business Continuity Management Standard. The adoption of this standard provides organisations with a means to respond in the event of disruption to services. While steps should be taken to minimise the risk of service disruption resulting from penetration testing, intrusive probing can have unforeseen consequences. Mature business continuity processes provide organisations with a degree of assurance that should any service-disrupting events occur, they can be responded to in a planned manner that minimises impact.

The development of business continuity processes may also provide the penetration testing teams with isolated test environments in which to conduct the testing without being held back by the fear of live service disruption. If this approach is used, care should be taken to ensure that penetration testing remains an effective assessment of what is in place in the organisation’s production environments.

SUMMARY

In summary, regulations and compliance schemes are the measures that are used to establish a minimum standard of information governance, minimising risk to all parties. Many compliance schemes will specifically require penetration testing processes, and those that do not will typically require it by implication. This creates a need for organisations to manage how regulation and compliance fit into their penetration testing and how penetration testing fits in with their regulation and compliance.

REFERENCES

Clark, D.M. (2018) ‘In wake of Equifax data breach, credit reporting agencies made subject to NY State cybersecurity regulations’. New York Law Journal, 25 June 2018. Available at: https://www.law.com/newyorklawjournal/2018/06/25/in-wake-of-equifax-data-breach-credit-reporting-agencies-made-subject-to-ny-state-cybersecurity-regulations/?slreturn=20190423063530

McGinty, K.M. (2015) ‘Target data breach price tag: $252 million and counting’. Mintz, 26 February 2015. Available at: https://www.mintz.com/insights-center/viewpoints/2826/2015-02-target-data-breach-price-tag-252-million-and-counting

NCC Group (2016) ‘63% of consumers think their financial information will be hacked within the next year’. Available at: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/press-releases/2016/january/63-of-consumers-think-their-financial-information-will-be-hacked-within-the-next-year/

Office for Nuclear Regulation (2017) ‘Protection of Nuclear Technology and Operations’. Available at: www.onr.org.uk/operational/tech_asst_guides/cns-tast-gd-7.3.pdf