💼 11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity.
- ID:
/frameworks/pci-dss-v4.0/11/04/01
Description​
Includes:
- Industry-accepted penetration testing approaches.
- Coverage for the entire CDE perimeter and critical systems.
- Testing from both inside and outside the network.
- Testing to validate any segmentation and scope-reduction controls.
- Application-layer penetration testing to identify, at a minimum, the vulnerabilities listed in Requirement 6.2.4.
- Network-layer penetration tests that encompass all components that support network functions as well as operating systems.
- Review and consideration of threats and vulnerabilities experienced in the last 12 months.
- Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing.
- Retention of penetration testing results and remediation activities results for at least 12 months.
Similar​
- Sections
/frameworks/pci-dss-v3.2.1/11/03/frameworks/pci-dss-v4.0.1/11/04/01
- Internal
- ID:
dec-c-a7f9dfbc
- ID:
Similar Sections (Take Policies From)​
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 PCI DSS v3.2.1 → 💼 11.3 Implement a methodology for penetration testing. | 4 | no data | |||
| 💼 PCI DSS v4.0.1 → 💼 11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity. | no data |
Similar Sections (Give Policies To)​
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 PCI DSS v3.2.1 → 💼 11.3 Implement a methodology for penetration testing. | 4 | no data | |||
| 💼 PCI DSS v4.0.1 → 💼 11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity. | no data |
Sub Sections​
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|