Do I need an Internal Penetration Test?

The answer to this question depends heavily on the maturity of your information security program. Let me explain.

Maturity Level 1

Description

  • You do not have a comprehensive, asset-based Risk Assessment.
  • You do not have written policies or procedures.
  • You have minimal technical controls such as a firewall, anti-virus, and security update management.

Do I need an internal pentest?

No, an internal penetration test would be like shooting fish in a barrel. You need to start by doing a risk assessment, which should include a list of all your assets, potential risks to those assets, and controls to mitigate the risks. Then, you need to implement the identified controls, which will include written policies and technical controls. The risk assessment should be updated regularly. You may also consider hiring an information security consultant to assist you in the process.

Maturity Level 2

Description

  • You have a comprehensive asset-based risk assessment, which is updated regularly.
  • You have implemented a number of controls based on your risk assessment.
  • You have a number of written policies and procedures, but they are not followed consistently.
  • You have update management procedures and/or an associated policy.
  • You have change management procedures and/or an associated policy.

Do I need an internal pentest?

No, an internal penetration test would find a number of vulnerabilities, but without an effective vulnerability management program you will not see much value in the penetration test. Instead, you should have an outside review of your implemented controls to confirm they are sufficient to mitigate the identified risks. You should also implement a vulnerability management program to identify potential hardware and software vulnerabilities. Your risk assessment, policies, and procedures should be updated based on the results of the controls review and vulnerability assessment.

Maturity Level 3

Description

  • You have a comprehensive asset-based risk assessment, which is updated regularly.
  • You have an effective vulnerability management program in place and have documented evidence it is working.
  • You have an effective update management policy and procedures.
  • You have an effective change management policy and procedures.

Do I need an internal pentest?

Yes, an internal penetration test would serve as a valuable method of auditing your vulnerability management program and will also help you identify potential weaknesses in your change management and update management policies and procedures.

Conclusion

I realize this is an oversimplification, but the point is that an internal penetration test will not provide significant value unless you have a mature information security program in place. Instead, consider either a vulnerability assessment or getting outside help developing an information security program, depending on your maturity level.
