Document Comparison
infosupp_11_3_penetration_testing.pdf → information_supplement_11.3.pdf
97% similar
Pages: 4 → 4
Words: 1184 → 1180
Content changes: 5
Content Changes
5 content changes. 4 administrative changes (dates, page numbers) hidden.
Added
p. 3
• Quarterly testing for presence of wireless access points (11.1)
Removed
p. 3
• Annual testing of controls to identify vulnerabilities and stop unauthorized access (11.1)
Modified
p. 3
• Annual review of security policies (policies that need to be updated may identify new risks in an organization) (12.1.3) Documentation from all of the above should be evaluated, and threats and vulnerabilities found as part of the normal assessment processes should be considered for inclusion.
• Annual review of security policies (Policies that need to be updated may identify new risks in an organization.) (12.1.3) Documentation from all of the above should be evaluated, and threats and vulnerabilities identified as part of the normal assessment processes should be considered for inclusion.
Modified
p. 3
Methodology Once the threats and vulnerabilities have been evaluated, design the testing to address the risks identified throughout the environment. The penetration test should be appropriate for the complexity and size of an organization. All locations of cardholder data, all key applications that store, process, or transmit cardholder data, all key network connections, and all key access points should be included. The penetration tests should attempt to exploit vulnerabilities and weaknesses throughout the cardholder data environment, attempting to penetrate both …
Methodology Once the threats and vulnerabilities have been evaluated, design the testing to address the risks identified throughout the environment. The penetration test should be appropriate for the complexity and size of an organization. All locations of cardholder data, all key applications that store, process, or transmit cardholder data, all key network connections, and all key access points should be included. The penetration tests should attempt to exploit vulnerabilities and weaknesses throughout the cardholder data environment, attempting to penetrate both …
Modified
p. 4
• With respect to PCI compliance, testing of vulnerabilities or mis-configurations that may lead to DoS attacks which target resource (network/server) availability should not be taken into consideration by the penetration testing since these vulnerabilities would not lead to compromise of cardholder data.
• With respect to PCI compliance, testing of vulnerabilities or misconfigurations that may lead to DoS attacks which target resource (network/server) availability should not be taken into consideration by the penetration testing since these vulnerabilities would not lead to compromise of cardholder data.