The Inner Circle

 View Only
  • 1.  Clarification on TVM-06 Penetration Test Frequency

    Posted 17 days ago

    To implement TVM-06 "Define, implement and evaluate processes procedures and technical measures for the periodic performance of penetration testing by independent third parties." of CSA star(CCMv4.0.5).

    For the CSP which having more than 50 Cloud products, If the CSP were defining the frequency of Penetration Testing as a 3 year cycle,
    Penetration Testing will be performed on all 50 products on a batch by batch basis within the 3 year cycle and the cycle continues. Finally all the products will be done a Penetration Test once in 3 years by the independent third party.

    As the periodicity is not mentioned in the control TVM-06, a reasonable periodicity seems to be acceptable for us.

    Will this process satisfy the control TVM-06?

    Please give reference to the industry best practices to implement the control TVM-06.

    Mano Bharathi

  • 2.  RE: Clarification on TVM-06 Penetration Test Frequency

    This message was posted by a user wishing to remain anonymous
    Posted 13 days ago
    This message was posted by a user wishing to remain anonymous

    As per  control 5.1.1 of 27017:2015, the cloud service provider should augment its information security policy to address the provision and use of its cloud services.  One of the elements that is taken into account is the lifecycle management of cloud service customer accounts;   Pen test can be linked to the product that is  to a customer, since not all products are  for all customers.

    Since it is   stated in the policy, which is issued by the Top Management,  the risks would have assessed before issuance of Policy.   However, compensatory controls  is to be implemented.

    Hence the process meets the requirement of  the control.