Hi Mano,
Your syllogism with regard to the frequency of penetration testing being defined as an 'open variable' in TVM-06 is correct.
The CCMv4 Auditing Guidelines for TVM-06 stipulate that:
Auditing Guidelines
1. Examine policy for adequacy, currency, and effectiveness.
2. Determine if the process for defining frequency of penetration testing is defined.
3. Determine if the process for selection of independent third parties is defined, and evaluated.
According to point 2 above, from an auditor's perspective, the control requirement in relation to 'frequency' is met when there exists a process for defining one. Therefore, frequency is not bound by a fixed time period value.
Similarly, I would recommend consulting the CCMv4 auditing guidelines for other CCM controls of interest.
The CCMv4 auditing guidelines have been developed by experienced, active auditors eligible for the task, and should be used as a reference for compliance-relevant inquiries to the CCM.
Best regards,
Lefteris
------------------------------
Eleftherios Skoutaris
Program Manager
Cloud Security Alliance
------------------------------
Original Message:
Sent: Nov 08, 2022 05:29:27 AM
From: Mano Bharathi
Subject: Clarification on TVM-06 Penetration Test Frequency
To implement TVM-06 "Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties." of CSA STAR (CCMv4.0.5):
For a CSP that has more than 50 cloud products, if the CSP defines the frequency of penetration testing as a 3-year cycle,
penetration testing will be performed on all 50 products on a batch-by-batch basis within the 3-year cycle, and the cycle continues. Finally, all the products will have had a penetration test once every 3 years by the independent third party.
As the periodicity is not mentioned in the control TVM-06, a reasonable periodicity seems to be acceptable for us.
Questions:
Will this process satisfy the control TVM-06?
Please give reference to the industry best practices to implement the control TVM-06.
------------------------------
Mano Bharathi
------------------------------