800-53|CA-8

Title

PENETRATION TESTING

Description

The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].

Supplemental

Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing.

Reference Item Details

Related: SA-12

Category: SECURITY ASSESSMENT AND AUTHORIZATION

Family: SECURITY ASSESSMENT AND AUTHORIZATION

Priority: P2

Baseline Impact: HIGH

Audit Items

Name | Plugin | Audit Name
MS.DEFENDER.4.1v2 - A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) SHALL be blocked. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.4.2v1 - The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.4.3v1 - The action for the custom policy SHOULD be set to block sharing sensitive information with everyone. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.4.5v1 - A list of apps that are restricted from accessing files protected by DLP policy SHOULD be defined. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.4.6v1 - The custom policy SHOULD include an action to block access to sensitive | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.EXO.4.3v1 - The DMARC point of contact for aggregate reports SHALL include `[email protected]`. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.4.4v1 - An agency point of contact SHOULD be included for aggregate and failure reports. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.1v2 - A DLP solution SHALL be used. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.2v2 - The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.3v1 - The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.4v1 - At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.16.1v1 - At a minimum, the following alerts SHALL be enabled: | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.SHAREPOINT.1.1v1 - External sharing for SharePoint SHALL be limited to Existing guests or Only people in your organization. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.1.2v1 - External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.1.3v1 - External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.1.4v1 - Guest access SHALL be limited to the email the invitation was sent to. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.2.1v1 - File and folder default sharing scope SHALL be set to Specific people (only the people the user specifies). | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.3.1v1 - Expiration days for Anyone links SHALL be set to 30 days or less. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.TEAMS.5.2v1 - Agencies SHOULD only allow installation of third-party apps approved by the agency. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.5.3v1 - Agencies SHOULD only allow installation of custom apps approved by the agency. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.6.1v1 - A DLP solution SHALL be enabled. The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.6.2v1 - The DLP solution SHALL protect personally identifiable information (PII) | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0