Penetration Test for Industrial Regulation Compliance
"Theoretically we could choose not to implement certain new standards, or at least spread their implementation over a longer period. However, this might be damaging to Hong Kong's position as an international financial centre...", as Joseph Yam of the HKMA pointed out in one of his speeches in 2006. Even enterprises in non-financial sectors will, sooner or later, be required to comply with certain industry regulations.
The HiTRUST consulting team assists clients in achieving compliance with industry regulations such as the Hong Kong Monetary Authority guidelines, Visa CISP and the MasterCard SDP standard. HiTRUST consultants review the IT infrastructure and its operation against the policies, guidance notes or regulations issued by the governing association or government agency. The review also involves interviews with relevant personnel in the enterprise, an appraisal of existing policies and procedures, network tests, and site visits.
HiTRUST consultants collect system configuration parameters from IT personnel, examine the overall IT infrastructure and identify the individual system and network components. Based on these findings, the consultants then identify significant system vulnerabilities and misconfigurations. This work includes:
- Network scanning
- Software patch level review
- Firewall ruleset review
- IDS (Intrusion Detection System) settings review
- Anti-virus system review
- Physical security review
- Change management review
- Internet application testing, covering:
  - Authentication
  - Encryption
  - Session management
  - Input manipulation
  - Output manipulation
  - Interpreter injection (e.g. SQL injection)
  - Error handling
  - Administration interfaces
  - Denial of service attacks
  - Information leakage
Re-Assessment
According to statistics, 79% of enterprises fail to meet the requirements at their first assessment. HiTRUST consultants guide the customer in implementing the proposed solution, after which the network is re-assessed for the purpose of obtaining accreditation.
Top 10 Failure Reasons
Taking Visa CISP and the MasterCard SDP standard as an example, the following table shows the top 10 reasons enterprises fail to meet the requirements at their first assessment:
| PCI Requirement | Percentage of assessments failing |
|---|---|
| Requirement 3: Protect stored data. | 79% |
| Requirement 11: Regularly test security systems and processes. | 74% |
| Requirement 8: Assign a unique ID to each person with computer access. | 71% |
| Requirement 10: Track and monitor all access to network resources and cardholder data. | 71% |
| Requirement 1: Install and maintain a firewall configuration to protect data. | 66% |
| Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. | 62% |
| Requirement 12: Maintain a policy that addresses information security. | 60% |
| Requirement 9: Restrict physical access to cardholder data. | 59% |
| Requirement 6: Develop and maintain secure systems and applications. | 56% |
| Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks. | 45% |
Want more advice? Contact Us.