Internal Pci

Being a QSAC (Qualified Security Assessor Company), our clients frequently ask if they can achieve their continuing PCI penetration testing requirements in-house. This depends on a few variables.

PCI DSS requirement 11.3 covers an organisation’s obligation to carry out a yearly external and internal penetration test that also includes application testing. This is different from PCI DSS requirement 11.2, which covers an organisation’s obligation to run internal and external vulnerability scans quarterly; these must be run internally or by an ASV (Approved Scanning Vendor) respectively. Each of these activities must be performed either at the mandated intervals or when changes, including upgrades, take place in the organisation’s applications, network, and infrastructure.

From a technical perspective there are key differences between these requirements as well. The penetration test tries to exploit the vulnerabilities in order to determine the magnitude of the issues and their full business impact, whereas the vulnerability assessment only identifies and reports the issues it notes. The penetration test must include application layer tests, and it is more manual and comprehensive than the vulnerability scans.

The yearly penetration test does not need to be conducted by a party external to the organisation according to the guidance supplied from the PCI SSC. The testing, however, needs to be completed by a party that is well qualified, who is organisationally separate from the management of the systems being tested. All in-scope locations should be included in the penetration test, and the test should be appropriate for the size and intricacy of the organisation. Results from either black box or white box penetration testing approaches should be documented, with all systems and networks in the cardholder data environment included in the scope of the testing. Smaller organisations that have only limited resources could have some difficulty in demonstrating their adherence to these requirements.

Outsourcing these requirements to an organisation that can deliver comprehensive independent results and that is also wholly focused on the delivery of these professional services is usually preferred by larger organisations. Penetration testing should not only be conducted to meet compliance obligations. What this testing should do is lead to an improved security posture, and this is believed by many to be best accomplished by seeking the services of a firm which specializes in this field.

About the Author:

Sense of Security is Australia’s premier provider of a range of IT security and risk management solutions. Its services include IT security reviews, penetration testing, audit and PCI compliance. Sense of Security provides PCI compliance services through its team of QSAs to many of the country’s leading organisations.

Article Source: ArticlesBase.com (Who Should Handle Your PCI Penetration Testing?)
