This message was posted by a user wishing to remain anonymous
As per control 5.1.1 of 27017:2015, the cloud service provider should augment its information security policy to address the provision and use of its cloud services. One of the elements taken into account is the lifecycle management of cloud service customer accounts; a pen test can be linked to the product, that is, to a customer, since not all products are for all customers.
Since it is stated in the policy, which is issued by top management, the risks would have been assessed before issuance of the policy. However, compensatory controls are to be implemented.
Hence the process meets the requirement of the control.
Original Message:
Sent: Nov 08, 2022 05:29:27 AM
From: Mano Bharathi
Subject: Clarification on TVM-06 Penetration Test Frequency
To implement TVM-06, "Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties," of CSA STAR (CCM v4.0.5):
For a CSP which has more than 50 cloud products, if the CSP defines the frequency of penetration testing as a 3-year cycle,
penetration testing will be performed on all 50 products on a batch-by-batch basis within the 3-year cycle, and the cycle continues. Finally, all the products will have undergone a penetration test once every 3 years by the independent third party.
As the periodicity is not mentioned in the control TVM-06, a reasonable periodicity seems to be acceptable for us.
Questions:
Will this process satisfy the control TVM-06?
Please give reference to the industry best practices to implement the control TVM-06.
------------------------------
Mano Bharathi
------------------------------