INTRODUCTION
Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat to key systems is ever increasing and the probability of a security weakness being accidentally exposed or maliciously exploited needs to be continually assessed – such as via a penetration test – to ensure that the level of risk is at an acceptable level to the business.
A penetration test involves the use of a variety of manual and automated techniques to simulate an attack on an organisation’s information security arrangements – either from malicious outsiders or your own staff.
Undertaking a series of penetration tests will help test your security arrangements and identify improvements. When carried out and reported properly, a penetration test can give you knowledge of nearly all of your technical security weaknesses and provide you with the information and support required to remove or reduce those vulnerabilities. Research has shown that there are also other significant benefits to your organisation through effective penetration testing, which can include:
- A reduction in your ICT costs over the long term;
- Improvements in the technical environment, reducing support calls;
- Greater levels of confidence in the security of your IT environments;
- Increased awareness of the need for appropriate technical controls.
Many organisations choose to appoint a trusted, specialist organisation (a CREST member), employing qualified professionals (CREST qualified staff), to help them conduct penetration tests. Although these suppliers are sometimes employed just to conduct testing, they can also help you when specifying requirements, defining the scope of the test and developing a management framework.
Penetration testing is not, however, a straightforward process – nor is it a panacea for all ills. It is often very technical in nature, and the methods used and the output can be riddled with jargon, which can be daunting for organisations considering the need for it. Furthermore, buyers have reported a number of difficulties when conducting penetration tests, which include:
- Determining the depth and breadth of coverage of the test;
- Identifying what type of penetration test is required;
- Managing risks associated with potential system failure and exposure of sensitive data;
- Agreeing the targets and frequency of tests;
- Assuming that by fixing vulnerabilities uncovered during a penetration test, their systems will then be ‘secure’.
To help address these issues, a research project was commissioned by CREST to produce a Procurement Guide for penetration testing services, addressing the main requirements organisations have for considering and conducting penetration tests.
One of the main reasons for commissioning a research project was that the potential customers of CREST members were often unclear about how to best procure penetration testing services.