COI Report – Part VII, Page 291 of 425

39.3.2 The scope of the penetration tests should extend to key assets and systems connected to the CII, mission-critical and/or internet-facing system in question

845. Similar to the recommendation at section 817 (pg 281) above, we recommend that:

a) The scope of the penetration tests should be extended to key assets and systems connected to the CII, mission-critical and/or internet-facing system in question. In other words, all essential components of a system (such as, in the case of SCM, the application, the database and middleware such as the Citrix servers) should be included in the scope of the penetration test. This would cohere with the CCoP, which provides that CII owners shall ensure that the scope of a penetration test includes penetration tests of the CII's hosts, networks and applications.

b) There should be clarity and clear communication within the organisation on which IT infrastructure is to be subject to penetration tests as part of the penetration tests conducted on CII, mission-critical and/or internet-facing systems.
39.3.3 Penetration tests should also be conducted regularly on applications, systems and networks which may not be part of or connected to CII, mission-critical or internet-facing systems

846. Dan recommended that organisations should conduct regular and vigorous penetration tests to ensure that vulnerabilities within their systems and networks are discovered and fixed, especially for mission-critical systems. This indicates that, more generally, penetration tests should be conducted periodically even for non-mission-critical applications, systems and networks, and we would recommend this. As mentioned in paragraph 827 (pg 285) above, penetration testing should also be built in as part of safety reviews conducted on systems, especially older, legacy systems.
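The two recommendations above (sections 39.3.2 and 39.3.3) reduce to two checks a security team can run against its own asset inventory before a test plan is signed off: does the declared scope cover every component of the system plus the assets directly connected to it, and which assets, critical or not, have gone untested for too long? The following is an added illustration, not code from the COI report or from any of the organisations it describes; the asset names, the tiers, the connection links and the test dates are constructed, and the one-year cadence is an assumed policy value rather than anything the report prescribes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    system: str                     # the system this component belongs to
    tier: str                       # "application", "database", "middleware", "host", "network"
    critical: bool                  # True for CII / mission-critical / internet-facing systems
    connects_to: Tuple[str, ...] = ()
    last_pentest: Optional[date] = None


# Constructed sample inventory; the names are hypothetical and not taken from the report.
# The SCM system is modelled with the three tiers the report names (application,
# database, Citrix middleware) plus a corporate network and an unrelated HR application.
INVENTORY: Dict[str, Asset] = {a.name: a for a in [
    Asset("scm-app", "SCM", "application", True, ("scm-db", "scm-citrix"), date(2024, 3, 1)),
    Asset("scm-db", "SCM", "database", True, ("scm-app",), None),
    Asset("scm-citrix", "SCM", "middleware", True, ("scm-app", "corp-lan"), date(2023, 1, 15)),
    Asset("corp-lan", "Corporate", "network", False, ("scm-citrix", "hr-app"), date(2022, 6, 1)),
    Asset("hr-app", "HR", "application", False, ("corp-lan",), date(2021, 9, 1)),
]}

# Assumed review date for the staleness check (constructed).
AUDIT_DATE = date(2024, 6, 1)


def components_of(inventory: Dict[str, Asset], system: str) -> Set[str]:
    """All assets recorded as part of the named system (its hosts, network and application tiers)."""
    return {a.name for a in inventory.values() if a.system == system}


def required_scope(inventory: Dict[str, Asset], system: str) -> Set[str]:
    """Components of the system plus every asset directly connected to any of them.

    Links are treated as undirected: if either side records the connection, the
    two assets count as connected. Only direct neighbours are pulled in, which is
    the reading of "key assets and systems connected to the CII" used here.
    """
    members = components_of(inventory, system)
    scope = set(members)
    for name, asset in inventory.items():
        if name in members:
            scope.update(asset.connects_to)
        elif members.intersection(asset.connects_to):
            scope.add(name)
    return {n for n in scope if n in inventory}


def scope_gaps(inventory: Dict[str, Asset], system: str, declared_scope: Iterable[str]) -> List[str]:
    """Assets that must be in the penetration test scope but were not declared in the test plan."""
    return sorted(required_scope(inventory, system) - set(declared_scope))


def overdue_assets(inventory: Dict[str, Asset], today: date, max_age_days: int = 365) -> List[str]:
    """Assets never tested, or last tested more than max_age_days ago, whether critical or not."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(
        a.name for a in inventory.values()
        if a.last_pentest is None or a.last_pentest < cutoff
    )


if __name__ == "__main__":
    declared = {"scm-app", "scm-db"}          # what a test plan might actually have listed
    print("missing from SCM scope:", scope_gaps(INVENTORY, "SCM", declared))
    print("overdue for testing:", overdue_assets(INVENTORY, AUDIT_DATE))
```

With the constructed inventory, a plan that lists only the SCM application and database is flagged as missing the Citrix middleware and the corporate network it sits on, which is exactly the gap the recommendation in 39.3.2(a) is aimed at, while the staleness check picks up the non-critical HR application alongside the never-tested database, matching the point in 39.3.3 that periodic testing should not stop at mission-critical systems.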