COI Report – Part VII
Page 215 of 425

39.1.4 A process must be established to track that vulnerabilities identified in a vulnerability assessment are addressed ..... 283
39.2 Safety reviews, evaluation and certification of vendor products must be carried out where feasible ..... 283
39.2.1 Code reviews and safety reviews ..... 284
39.2.2 Evaluation and certification ..... 286
39.3 Penetration testing must be conducted regularly ..... 288
39.3.1 Penetration tests must be conducted regularly and following specified events on all CII, mission-critical and/or internet-facing systems ..... 289
39.3.2 The scope of the penetration tests should extend to key assets and systems connected to the CII, mission-critical and/or internet-facing system in question ..... 291
39.3.3 Penetration tests should also be conducted regularly on applications, systems and networks which may not be part of or connected to CII, mission-critical or internet-facing systems ..... 291
39.3.4 Penetration tests should be conducted outside of the regular schedule if a need to do so is indicated ..... 292
39.3.5 Penetration tests should be conducted by persons with the appropriate levels of expertise ..... 292
39.3.6 A process must be established to track that vulnerabilities uncovered by a penetration test are addressed ..... 294
39.3.7 A more comprehensive penetration test of the SCM application should be conducted ..... 294
39.4 Red teaming should be carried out periodically ..... 294
39.5 Threat hunting must be considered ..... 296