Pop Quiz: When is Pen Testing a Compliance Requirement?

We live in a world where organizations are required to pen test their IT systems and networks.


Do you know when penetration testing is required?

Or when it’s industry standard?

Or when it’s just a good idea?

Penetration testing, sometimes called ethical hacking, simulates real-world ways hackers can compromise network and IT assets.

The FFIEC’s IT Examination Handbook defines penetration testing as, “The process of using approved, qualified personnel to conduct real-world attacks against a system to identify and correct security weaknesses before they are discovered and exploited by others.”

Of course, pen testing is only one of many ways to test the effectiveness of implemented security controls. And a pen test can have different goals depending on the company’s risk tolerance.

However, several laws, regulations, and compliance schemes now call for it.

It’s like pen testing suddenly became one of the popular kids in the class.

PCI DSS

On February 1, 2018, penetration testing got upgraded from a recommended practice to a requirement in certain situations. Specifically, the relevant PCI DSS requirement now states, “If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.”

NY Cybersecurity Requirements for Financial Services Companies

The New York State Department of Financial Services cybersecurity regulation, 23 NYCRR 500, defines a penetration test (Sec. 500.01(h)) and requires an annual test based on risk (Sec. 500.05).

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule requires financial institutions to take reasonable steps to secure customer data, but it does not require anything prescriptive like a pen test.

However, the FTC’s proposed amendments (published in March 2019) call for regular security testing and specifically discuss pen testing:

Proposed paragraph (j) would define “penetration testing” as a “test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.”  This term is used in proposed section 314.4(d)(2), which requires financial institutions to continually monitor the effectiveness of their safeguards or to engage in annual penetration testing. The primary example of penetration testing is where a security expert uses common techniques in an attempt to breach the security of a financial institution’s information system. As set forth in the proposed definition, this includes attempts where the penetration tester is acting as an outsider who must penetrate the system without any initial access to the system, and attempts where the tester acts as someone with limited access to the system—such as a contractor or employee—and tries to access information that such an insider is not authorized to access. The Commission believes that there is currently a commonly understood definition of these services and that this definition provides sufficient guidance to understand the requirements of the proposed amendments.

Sarbanes-Oxley Act

Section 404 of the Sarbanes-Oxley Act (SOX) says that publicly traded companies must establish, document, test, and maintain internal controls and procedures for financial reporting. Pen testing is one way to test controls, but it’s not required.

Hong Kong and Singapore Financial Services Guidance

The Hong Kong Monetary Authority and the Monetary Authority of Singapore have various publications recommending penetration testing. Penetration testing appears to be more “highly encouraged” than required.

FedRAMP

FedRAMP, a federal government authorization program for cloud service providers, mandates penetration testing. Its penetration testing guidelines are specific and include particular attack vectors and social engineering.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule requires periodic technical evaluations in order to test security controls. Pen testing is not outright required, but it’s one of the limited number of ways to satisfy the requirement.

Bonus questions!

Do you know which framework …

  • contains pen tester licensing and certification requirements;
  • specifies manual vs. automated testing;
  • mandates internal vs. external testing;
  • states whether port scanning alone is sufficient;
  • makes the extent of the testing dependent on a risk analysis;
  • says the frequency of the test is based on the level of risk associated with the system;
  • says the frequency of the test is annual;
  • details how the findings should be documented?

Do you know what type of organizations are “covered entities” or otherwise subject to each of these compliance frameworks?

If you do, then hurry on up here. You should be teaching this class.

The author, Colleen H. Johnson, JD, is a senior legal analyst at Sera-Brynn, a Virginia-based cyber risk management firm.