Can an Employee Conduct Our Company’s Penetration Testing?

November 4, 2015

What happens when your employee is also your company’s penetration tester?

One of your employees is a Certified Penetration Tester (CPT). Can the organization use this employee to perform its external and application penetration testing?

Yes, the PCI DSS does allow companies to pen test themselves, provided they meet the testing, qualification, methodology, organizational independence, and segmentation testing requirements laid out in the other parts of Requirement 11.3.

An organizational employee who’s also its penetration tester can present problems.

The assessing QSA will ultimately determine whether to accept that penetration tester’s report. If the tester has merely run automated tools, for example, that is generally not enough to pass muster.

The biggest challenge, however, in having your own employee conduct your organization’s penetration test is that the tester has to be “organizationally independent,” meaning they cannot have any IT administrative or support duties whatsoever outside of the test. (Most of the time the tester in question reports to an IT organization, which does not provide the necessary independence.)

So, if after reading this you realize that your employee is not a fit for the penetration testing role, I recommend you read the following post: “The Top 5 Questions to Ask a Prospective Penetration Tester.”