Penetration Testing

Penetration Testing is an active way to test your organization's security and whether or not it effectively protects your sensitive data from threats.

If a threat assessment has yet to be performed for your organization, the first step will be to identify the security threats your organization faces, their impact and probability. This assessment determines the penetration testing services that are needed.

After a threat assessment, penetration testing actively tests specific security practices in place at your organization. The testing can include:

*Physical infiltration of premises and secure areas
*Technical infiltration of networks and information systems
*Social Engineering susceptibility testing
*Software vulnerability testing

Also known as a security assessment, a penetration test will identify vulnerabilities in your organization and provide suggestions on how to fix them. Without an independent penetration test, there is no way to verify that the security that is currently in place within your organization is effective. Additionally, in order to be compliant with certain industry standards one has to have their practices and policies independently verified.

Some of the standards typically verified in a penetration test include:

*PCI - Payment Card Industry Data Security Requirements. This standard applies to e-commerce applications that store, process, or transmit credit card data over the Internet. It's compliance must be independently verified.
*ISACA - Information Systems Audit and Control Association, this organization has set standards for information security
*CHECK - CESG IS Health Check, a UK based standard
*OSSTMM - Open Source Security Testing Methodology Manual standard.
*OWASP - Open Web Application Security Project standards.
Penetration testing must be conducted regularly in order to show due diligence and reduce liability due to loss, damage, or theft of sensitive data; protect against corporate espionage, and ensure validity of security practices.