Those working to satisfy section 11.3 of PCI DSS 1.1 (penetration testing) now have new guidance on this requirement. The publication is in line with other existing best practices and keeps the balance between reasonableness and security firmly in place. All organizations subject to the standard should review this important update. It is a short 4 pages. As is my style, a few highlights and some analysis below.
A few key points:
- Any internal or external party may conduct these evaluations – with a few reasonable qualifiers:
- The individuals have experience conducting these engagements
- The parties are independent (organizationally or from an external vendor). This is dead in line with the much praised IIA Professional Standards guidance on independence.
- Prudence in how these engagements are conducted is expected – i.e. conduct the pentests against the important systems, during approved time frames, and provide the pentester with sufficient information to ensure that the intent of the effort is satisfied (black-box vs. white-box testing)
- The scope of the pentest should include “All locations of cardholder data, all key applications that store, process, or transmit cardholder data, all key network connections, and all key access points should be included.”
- The frequency of these engagements should be at least annual (the minimum requirement), and testing should be repeated after any significant change in the environment (i.e. switching from a hardware-based network to a virtual network would be considered significant and would require a new penetration test)
As always, consider best practices, understand the intent, and apply appropriate controls for your own organization.