diff --git a/source/standards/how-to-do-penetration-tests.html.md.erb b/source/standards/how-to-do-penetration-tests.html.md.erb index b1e6ce29..33ac06c9 100644 --- a/source/standards/how-to-do-penetration-tests.html.md.erb +++ b/source/standards/how-to-do-penetration-tests.html.md.erb @@ -1,6 +1,6 @@ --- title: How to arrange and manage penetration tests -last_reviewed_on: 2024-06-27 +last_reviewed_on: 2025-02-27 review_in: 6 months --- 
@@ -8,17 +8,17 @@ review_in: 6 months You should aim to run [penetration tests](https://www.gov.uk/service-manual/technology/vulnerability-and-penetration-testing) on your service at least every 12 months. You must discuss all significant changes with the GDS [Information Security][] team. You must agree with the [Information Security][] team when you will test and the scope of the tests. They will also assist with the procurement of external tests through an approved third party through the [National Cyber Security Centre (NCSC) CHECK scheme]. Alternatively, with the agreement of the Info Sec team, a member of the [COD Cyber] Team can carry them out internally, depending on the requirements. -Information Security are working on a GDS-level contract for ITHC services, which should make obtaining an ITHC for your service a more streamlined process. +Information Security have a GDS-level contract for ITHC services, which should make obtaining an ITHC for your service a more streamlined process. -You may need to schedule additional testing if you make significant changes to your service. You should meet with the Info Sec team regularly to discuss ongoing changes. +You might need to schedule additional testing if you make significant changes to your service. You should meet with the Information Security team regularly to discuss ongoing changes. 
A significant change could be when you: -A significant change could be when you: -change a cloud service provider -change stored data, for example if you introduce new data which can be classified as personal data under [GDPR] -add a third-party partner, for example, a database processor or email provider (especially if the third-party partner is processing personal data) -implement significant application changes or new features +* change a cloud service provider +* change stored data, for example if you introduce new data which can be classified as personal data under [GDPR] +* implement significant application changes or new features + +You might need to use CSPs to assess the addition of a third-party partner, for example, a database processor or email provider (especially if the third-party partner is processing personal data) ## Scope your test @@ -36,7 +36,7 @@ An IT Health Check or security review can include: * red team engagements * vulnerability scans -Before testing, you should define and agree: +Before arranging a test you should consult with the Information Security team on: * the beginning and end test dates. This will be an agreement between the team and the tester(s) based on the size of the project, rather than dictated to them * the areas you want the tester to target, for example, bypassing authentication 
@@ -71,16 +71,16 @@ To prepare your test environment you should: * notify your service providers in advance, for example by [emailing GOV.UK PaaS Support](mailto:gov-uk-paas-support@digital.cabinet-office.gov.uk) - note that in most cases AWS do not require advance permission for penetration tests on your applications * give the tester a distribution list of approved report recipients -Prior to the test, it may be beneficial to meet the lead tester and the GDS IA Team to discuss the test and confirm that all the prerequisites and necessary access are in place +Prior to the test, it may be beneficial to meet the lead tester and the Information Security team to discuss the test and confirm that all the prerequisites and necessary access are in place ## During the Test -The lead tester should draw your attention and that of the [Information Security] IA team to any critical vulnerabilities immediately identified +The lead tester should draw your attention and that of the [Information Security] team to any critical vulnerabilities immediately identified -It is advisable to meet at the end of each day with the lead tester and the IA Team to discuss findings and the progress of the test. +It is advisable to meet at the end of each day with the lead tester and the Information Security team to discuss findings and the progress of the test. ## What to do after testing -After your test, you should meet with the GDS IA team to discuss and triage (risk assess) the test results. You can then prioritise work to mitigate any issues identified in the test and schedule a retest if needed. +After your test, you should meet with the Information Security team to discuss and triage (risk assess) the test results. You can then prioritise work to mitigate any issues identified in the test and schedule a retest if needed. Teams should work with the [COD Cyber] team, who can give advice, consult on fixing any issues and take appropriate further action when required.
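Review bot: in the `@@ -8,17 +8,17 @@` hunk, the new paragraph "You might need to use CSPs to assess the addition of a third-party partner..." introduces "CSPs" without expanding it, and the bullet two lines above already uses "cloud service provider", so most readers will assume that is what it means; spell the term out on first use (and link it if the manual has a page for it), and say who decides whether that assessment is needed. In the same hunk the unchanged context still reads "with the agreement of the Info Sec team" while the rest of this patch standardises on "Information Security team", so that line should be updated in the same change. Removing the duplicated "A significant change could be when you:" line and turning the items into a `*` list is correct.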
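Review bot: in the `@@ -36,7 +36,7 @@` hunk, "Before arranging a test you should consult with the Information Security team on:" weakens the previous "define and agree" and no longer matches the first bullet, which still says the dates "will be an agreement between the team and the tester(s)"; the page already states "You must agree with the Information Security team when you will test and the scope of the tests", so keep the obligation explicit, e.g. "Before arranging a test, you must agree the following with the Information Security team:". Either way a comma is needed after "test".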
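Review bot: in the `@@ -71,16 +71,16 @@` hunk, the rename of "IA team" to "Information Security team" is right, but the link is written as `[Information Security]` here and as `[Information Security][]` in the first hunk; use one form so both resolve against the same reference definition. Since the front matter bumps `last_reviewed_on` to 2025-02-27, also check that the unchanged line telling teams to email GOV.UK PaaS Support is still the right service-provider contact, or generalise it to "your hosting provider". Minor: the two rewritten sentences ending "necessary access are in place" and "critical vulnerabilities immediately identified" lack full stops while the sentences around them have them.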