Sample Penetration Testing
Policy Template

Author: Rich Selvidge, CISSP / Last Updated: 11/20/22

Reviewed By: Michael Swanagan, CISSP, CISA, CISM

View Our: Editorial Process

Overview

A penetration test is a simulated cyber-attack that seeks to identify security gaps including misconfigurations, software vulnerabilities, access security flaws, and business logic flaws.

In general, the process attempts to exploit security weaknesses to gain access, modify functionality, or corrupt the business logic of the target system. This includes compromising the confidentiality, integrity, or availability (known as the CIA Triad) of the systems and data that {Company Name} depends on for its business operations.

Careful consideration is taken during the pen testing process to avoid creating additional risk to {Company Name}.

Read More: Types Of Penetration Testing

Purpose

A penetration testing policy framework document provides guidance for managing a penetration testing program and performing penetration testing activities with the goal of improving defensive IT security for {Company Name}’s infrastructure, systems, services, and applications.

This document defines the roles and responsibilities of {Company Name}’s executives, managers, and IT security team personnel as well as external third-party security service providers.

This document also outlines a set of penetration testing activity terminology, definitions, scopes, limitations, and procedures that should be applied to ensure reliable and effective penetration test activities.

This policy document also describes the high-level goals of {Company Name}’s penetration testing program as well as any formal requirements defined by {Company Name}’s responsibilities to its customers and partners through contracts, service level agreements, or compliance standards, and specific penetration testing activities that should be conducted to meet these goals and requirements.

Scope

The general scope of this policy applies to all equipment owned and/or operated by {Company Name}, and to employees connecting to any {Company Name}-owned network domains or cloud applications managed by {Company Name}.

Defining the general scope of this policy ensures that penetration test activities are focused on relevant components and safeguard {Company Name} against violating authorized system boundaries.

All penetration testing activity conducted on equipment owned or controlled by {Company Name} must conform to all national and regional laws that govern the physical location of the asset and the nature of the data, as well as any acceptable use policy limitations imposed by the contracts and agreements between {Company Name} and third-party infrastructure service providers and application licenses.

It should also be noted that this policy document does not provide a comprehensive definition of all scenarios, terminology, and activities that may be encountered during penetration testing activities.

Therefore, all parties should also use their best judgment when performing pen testing activities and communication should be used to clarify any potentially conflicting situations.

Policy Goals

The primary goal of {Company Name}’s penetration testing program is to identify security gaps impacting the Confidentiality, Integrity, and Availability (CIA Triad) of all systems and data used by {Company Name}.

Ultimately, the discovery of vulnerabilities shall facilitate risk remediation in line with internal corporate governance objectives.

This includes meeting both internal risk objectives and external IT security standards including PCI-DSS for merchant payment processing and SOC-2 for the protection of customer personal data, <List Additional Compliance Frameworks>.

General Penetration Testing Terminology

• Activity – refers to individual penetration testing processes that are conducted by the penetration testing team.
• Engagement – a set of multiple penetration testing activities that comprise a single test defined by a specific service level agreement (SLA) and rules of engagement (RoE) documents and resulting in a single report.
• Target – any asset, infrastructure, device, network, application, or data that is within the scope of a particular penetration testing engagement.
• White box tests – refer to tests conducted by those with knowledge of the internal workings of target systems.
• Grey box tests – refers to tests conducted by those with some limited knowledge of the internal workings of target systems.
• Black box tests – refer to tests conducted by those with no knowledge of internal workings.
• Service level agreement (SLA) – a document related to a single penetration testing engagement that contains the level of service expected and may include metrics by which service is measured.
• Rules of Engagement (RoE) – a document related to a single penetration testing engagement that contains the formal approvals, authorizations, scope, and other general guidelines or formal objectives necessary to execute a penetration testing engagement.
• External tests – security testing conducted from outside <Company Names>’s network security perimeter.
• Internal tests – security testing conducted from inside <Company Names>’s network security perimeter.
• CIA Triad – refers to fundamental IT security components of Confidentiality, Integrity, and Availability.

Penetration Testing Engagement Types

{Company Name}’s penetration testing program will include the categories of testing engagements described below.

Network Testing

Network penetration testing is to identify any exposed vulnerabilities and security weaknesses in <Company Names>’s network infrastructure that includes but is not limited to servers, firewalls, switches, routers, printers, workstations, security appliances, peripherals, and any software applications, services, or APIs within <Company Names>’s network environment.

Both internal and external activities shall be performed as separate engagements.

Additionally, network penetration testing activities may include credentialed and non-credentialed testing activities to provide increased protection against attacks that may happen from sensitive internal network positions.

The high-level goals of network penetration testing should include testing all potential MITRE CVE vulnerabilities and attempting to evaluate the resilience against known attacker TTP included in the MITRE ATT&CK framework.

Web Application Testing

Web application penetration testing is to identify any vulnerability, security flaws, or threats in web applications owned by <Company Names>. Activities may use any known malicious attacks on the application including both manual and automated penetration testing activities.

The high-level goals of web-application penetration testing should include all vulnerabilities listed in the OWASP Top Ten web-application vulnerabilities, MITRE CWE software weaknesses, and attempt to evaluate the application’s resilience against known attacker TTP included in the MITRE ATT&CK framework.

Wireless testing

Wireless penetration tests seek to assess <Company Names>’s wireless network security for all of the CIA Triad components. Targets should include any workstations, laptops, tablets, smartphones, and printers, as well as any other peripherals and IoT devices. Testing activities should also comprehensively include all wireless protocols used by <Company Names>’s infrastructure.

Wireless penetration testing should verify that wireless access points (AP) are segmented with respect to guest wireless networks and internal corporate wireless networks. This includes testing that <Company Names>’s wireless access points appropriately restrict access to <Company Names>’s corporate wireless networks and that no information about <Company Names>’s internal network can be accessed by attackers.

Other high-level goals of wireless penetration testing are to ensure that all data passing over the wireless channels is protected from discovery by an attacker, that wireless networks are reliable and available, and that data passing over the wireless network cannot be modified by an attacker.

Social Engineering

Social engineering penetration testing is to increase security assurances to <Company Names>’s to business operations by testing personnel resilience to social engineering attacks and providing user awareness training where weaknesses are uncovered.

Social engineering penetration testing should include both technical and non-technical attempts to persuade or trick <Company Names>’s staff into performing actions that may reveal sensitive information. This should include both directly providing the sensitive information to an attacker, or performing actions that may result in giving an attacker access to sensitive information such as executing files provided by an attacker.

The high-level goal of social engineering pen testing activities is to educate personnel about the potential implications of the actions they perform in their day-to-day duties, and the various contexts in which a cyber-attack may involve them.

Physical Testing

Physical penetration testing seeks to gain access to restricted physical locations within <Company Names>’s buildings, critical IT infrastructure, systems, data, or employees.

The primary benefit of a physical penetration test is to expose weaknesses and vulnerabilities in physical controls including but not limited to locks, elevators, barriers, surveillance cameras or systems, and access control technologies such as access card readers and biometric scanners.

The high-level goal of physical penetration testing is to eliminate security weaknesses that provide unauthorized physical access to <Company Names>’s assets.