Leveraging Penetration Testing for Internal Audits
I'm part of an internal audit organization. We are looking for continuous improvement of our risk penetration and risk assessments. Have you heard of any organization that currently uses penetration testing as part of its formal audits?
Independent penetration testing is more commonly mandated by external bodies to achieve accreditation. For example, Government organisations mandate that partners must meet certain standards, with independent verification, in order to be able to exchange sensitive data.
However, I've worked with a number of organisations that perform their own internal penetration testing and web application testing activities. After all, understanding threat actors, assets and attack vectors is the key to successfully understanding the risk in any environment.
Therefore, there are a great many positives to come from incorporating these testing techniques, particularly during the discovery phase of your risk assessments. The results can be incorporated into risk documents, e.g. RMADS and risk registers.
The associated challenges are no different from those of many other security-related tasks. It can prove to be a difficult balancing act between security and operational efficiency. Broad stakeholder engagement and effective internal communication are very important to ensure these efforts are adopted successfully in any organisation. Senior-level support, as always, is also key.
Yes, we use pen testing methods as a part of testing, especially for web applications. We record and share our results as needed, but use these for audit to show we are testing that controls are effective and to find any controls that might need adjusting.