Some companies test once a year. Some test several times a year. So what frequency is correct for your organization? That depends on how frequently your environment changes and on other factors unique to your organization. When determining how often to conduct network penetration tests, consider the following:
- Does the environment change frequently? If so, consider timing your tests so that they correspond with those changes as they near production. This confines your exposure to a narrower timeframe.
- Do you have a large environment? If the environment is very large, consider testing it in phases. Testing in phases lets you level the testing effort, the remediation activities and the load you place on the environment, making the whole effort more manageable.
- Is budget a major factor at your company? If budget constraints limit testing, the most critical assets should be tested more frequently and less sensitive areas reviewed less frequently. It is always a good idea to agree within your organization on a timeline for when testing will occur.
- What are your compliance obligations? For example, PCI* requires that you test your environment annually and/or after any major change to your cardholder data environment. HIPAA, GLBA and other laws and regulations require that you test with a frequency that addresses your risk.
Every organization is distinct. It is critical to understand your organization’s needs upfront, so that they can be incorporated in the network pen testing plan from the beginning. The frequency will then be adjusted to meet the needs of your individual organization.
Finding a balance between testing too frequently and too infrequently can be a challenge. When an organization does not test enough, it increases its exposure to vulnerabilities. Conversely, when testing is done too often, there usually is not enough time to remediate issues before the next round of network pen testing begins.
Sophisticated organizations recognize the importance of implementing a recurring penetration testing plan. These programs are more flexible and better suited to take all of these factors into consideration. Recurring pen testing programs allow companies to spread testing over a longer timeframe, narrowing the window in which vulnerabilities remain exposed.
*Contact your QSA for PCI clarification.