ASC/X9 - ANSI X9.111
Penetration Testing within the Financial Services Industry
Publication Date: 28 February 2018
This standard specifies recommended processes for conducting penetration testing with financial service organizations. This standard describes a framework for specifying, describing and conducting penetration testing, and then relating the results of the penetration testing. This standard allows an entity interested in obtaining penetration testing services to identify the objects to be tested, specify a level of testing to occur, and to set a minimal set of testing expectations.
This standard provides a conceptual framework for describing penetration testing, including:
- Roles and Responsibilities of participants
- Types of penetration test
- A generalized penetration testing cycle
- General testing methodologies / techniques
- Limitations of Penetration testing
- Ranking of methodologies, bases of testing effort (testing levels)
- Engagement and scope of work considerations
- Test Report guidelines
- Testing requirements
- Security of the testing environment
- General practices and methodologies
- Tester expertise
The following areas are explicitly out of the scope of this document as they highly depend on the specifics of the components/products used by the system (e.g., operating system, software applications, and machine architecture) and/or tester expertise, or the activity is not directly related to the process of penetration testing and does not fit the test framework:
- Local configuration audits
- Forensic analysis (e.g., evaluation of targets, review of local forensic evidence of penetration, chains of evidence)
- Specific exploit techniques
- Interpretation of results (e.g., pass/fail rating)
- Validation of penetration test service providers
- Testing of backup procedures (successful business continuity)
The audience for this standard includes:
- Financial service organizations who wish to engage an internal group or an external agency for a penetration test. Understanding the rules of engagement to specify, negotiate and accept a penetration test equally applies to both internal groups and external agencies.
- Service providers offering penetration testing to another internal group or an external customer. Understanding the rules of engagement to propose, negotiate and provide a penetration test equally applies to both internal and external customers.
- Security professionals relying on the penetration test. Understanding the rules of engagement to review, interpret and accept the penetration test reports equally applies to both internal departments and external assessors and auditors.
- System developers, application developers, system administrators, and service business owners can benefit from an understanding of how penetration test methods can be applied to test the IT resources under their responsibility.
Note: ISO/TR 13569 [2.1], ISO/IEC 27004 [2.3], ISO/IEC 27005 [2.4] and ISO/IEC 27006 [2.5] all mention penetration testing; as does the Payment Card Industry Data Security Standard (PCI DSS).
This standard is organized and should be used as follows:
Section 5 - Significance of Penetration Test Activity should be used by financial services organizations and professionals who are relatively new to penetration testing for gaining an understanding of pen testing. Pen testing is a component of a risk assessment, and at the same time one must realize the inherent limitations of penetration testing.
Section 6 - Penetration Testing Framework should be used by financial services organizations and penetration test service providers to establish a mutual understanding and common terms for the overall process.
Section 7 - Specification of Penetration Test should be used by financial services organizations and penetration test service providers during the execution of the actual penetration test. Relying parties should use this section to gain an understanding of the Target of Evaluation (TOE) and the Penetration Testing Parameters.
Section 8 - Engagement Considerations should be used by financial services organizations and penetration test service providers to establish the penetration engagement agreement. Note that this applies equally whether the service provider is an internal group (e.g., Red Team) or an external agency (e.g., third party). This model is similar to auditing performed by either internal auditors or external audit professionals.
Section 9 - Penetration Test Activity should be used by the penetration test service providers during the execution of the penetration test for quality assurance to ensure consistent, comparable and actionable results, and by the financial service organization for managing the project.
Section 10 - Reporting should be used by the penetration test service provider to generate and submit their report to the financial service organization. Financial service organizations should use this section to review and accept the penetration test report. Relying parties should use this section to review and interpret the penetration report. Note the penetration report is normally provided to an internally independent or external relying party by the financial service organization without interaction by the penetration test service provider.
Section 11 - Penetration Testing Support Activities should be used by the penetration test service providers during the execution of the penetration test for quality assurance to ensure consistent, comparable and actionable results. This section provides support activities in addition to those discussed in sections 9 and 10.
Note that this standard may be used by other industries beyond financial service organizations.
A penetration test is a targeted approach to determine whether various goals and objectives can be achieved by unauthorized personnel. It is not a vulnerability scan, and does not attempt to enumerate all possible vulnerabilities. If it is believed vulnerabilities may exist, a security assessment and a hardening exercise should be performed before engaging a penetration tester. A penetration test is used to determine whether systems and assets are appropriately protected.