Req 11: Test Security of Systems and Networks Regularly
Perform regular vulnerability scans and penetration tests.
Responsibility: Shared
Compliance Status: At Risk (25%)
Overview
Security systems and processes must be tested regularly to ensure they are effective. This requirement mandates regular vulnerability scanning, penetration testing, and intrusion detection/prevention monitoring.
Key Actions for Compliance
A non-exhaustive list of actions your organization should take to meet this requirement.
- Implement a process for internal and external network vulnerability scans at least quarterly.
- Perform external and internal penetration testing at least annually.
- Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.
- Implement a change-detection mechanism to alert personnel to unauthorized modification of critical system files.
Testing Procedures (Simplified)
How auditors may verify that this requirement is met.
- Review vulnerability scan reports to verify they are performed at least quarterly.
- Examine penetration test reports to confirm they are performed at least annually.
- Verify that intrusion-detection/prevention systems are in place and configured to alert personnel to suspected threats.