Penetration testing should have clearly defined goals and scope. Goals may include, for example, testing continuity plans and response capabilities, assessing the effectiveness of security controls, or identifying security weaknesses. The scope should be defined by:
- identifying the critical parts of the information system that should be prioritized during testing;
- identifying individual systems or components that are so vital they must be excluded from testing.
Systems or components that may need to be excluded include, for example, those essential for maintaining critical organizational services and those that cannot withstand the load or disruption a penetration test may cause.
During the planning phase, the relevant stakeholders must be involved in advance. This usually means informing external monitoring or managed security providers before testing begins; it is not always necessary to inform end users or system administration personnel, and where the goal is to test detection and response capabilities, it may be deliberately avoided.
Penetration testing should be conducted regularly, at least annually, and both from outside the organization's network perimeter and from within it. External testing simulates an attack by an outsider, either without prior knowledge of the environment (black box) or with full knowledge of it (white box). Internal testing simulates the threat posed by a compromised client or server or by a malicious insider, typically with partial knowledge such as a standard user account (grey box).
The results of every penetration test should be documented.