💼 11.3 Implement a methodology for penetration testing.
-
Contextual name: 💼 11.3 Implement a methodology for penetration testing.
-
ID:
/frameworks/pci-dss-v3.2.1/11/03 -
Located in: 💼 11 Regularly test security systems and processes.
Description​
Includes the following:
- Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
- Includes coverage for the entire CDE perimeter and critical systems
- Includes testing from both inside and outside the network
- Includes testing to validate any segmentation and scope-reduction controls
- Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
- Defines network-layer penetration tests to include components that support network functions as well as operating systems
- Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
- Specifies retention of penetration testing results and remediation activities results.
Similar​
- Sections
/frameworks/pci-dss-v4.0/11/04/01
- Internal
- ID:
dec-c-3cd8dff5
- ID:
Similar Sections (Take Policies From)​
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| 💼 PCI DSS v4.0 → 💼 11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity. |
Similar Sections (Give Policies To)​
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| 💼 PCI DSS v4.0 → 💼 11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity. |