Organizations should enforce policies that must be strictly adhered to by all associated people, so that penetration tests succeed, the vulnerability detection rate is maximized, and the detected risks are fixed.
a. Port Scanning Policy:
1. Purpose and Scope: The purpose of this port scan is to gather information about the devices connected to the network and have it verified by the security officer, so that no irrelevant ports are left open and the company's devices are made more secure. This policy applies to the security officer who has control over the devices connected to the network.
2. Policy: This policy covers the guidelines for scanning the company's information …
The scanning process requires prior approval by the owner or administrator of the system.
Approved LAN and Desktop Support and Network Services staff may conduct a port map to resolve a service problem, as a part of normal system operations and maintenance, or to enhance the security of systems.
The company's Security Officers perform a port map or scan to monitor compliance with this policy, to perform security assessments, or to investigate security incidents.
Approved company support staff shall perform an unauthorized port scan on a system only in cases where directed by persons in authority.
3. Enforcement: Violation of this policy, or scanning the company's systems without prior permission of the security officers, could result in loss or limitations on use of information resources, as well as disciplinary and/or legal action, including termination of employment or referral for criminal prosecution.
b. Vulnerability Assessment Policy:
1. Purpose: To permit authorized resources (from a selected third party) to perform vulnerability …
Roles and Responsibilities: Chief Security Officer: developing test procedures, performing periodic testing, documenting results and communicating vulnerabilities to the respective team leads, suggesting potential mitigation strategies.
5. Enforcement: Violation of the policy could result in loss or limitations on use of information resources, as well as disciplinary and/or legal action, including termination of employment or referral for criminal prosecution.
c. Password Policy: After exploiting a vulnerability in the target system, a pen tester can extract password hashes, crack them, and use the recovered passwords to log in to other systems. Having a strict password policy will help reduce this vulnerability.
1. Scope: This policy is designed to protect the organizational resources on the network by requiring strong passwords. This policy applies to all personnel who have any form of computer account on the organizational network.
2. Policy:
The organization should have a password checker so that employees know the strength of their passwords. There should be an application to check that the old and new passwords are not similar. The "remember password" feature should not be enabled.
Notification to change the password after 90 days should be
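The two checks the password policy asks for, a strength indicator the employee can see and a test that a new password is not a trivial variation of the old one, can be implemented in a few dozen lines. The block below is an added example, not the policy's or any organization's own tool; the minimum length of 12, the three-character-class requirement, the 60% similarity threshold and the sample passwords are all assumed values chosen for illustration.

```python
"""Added example: minimal password-change checker for the policy above.
Thresholds (MIN_LENGTH, MIN_CLASSES, MAX_SIMILARITY) are assumptions."""
import string

MIN_LENGTH = 12          # assumed minimum password length
MIN_CLASSES = 3          # assumed: at least 3 of lower/upper/digit/punctuation
MAX_SIMILARITY = 0.6     # assumed: reject a new password >60% similar to the old one


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (dynamic programming, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def similarity(old: str, new: str) -> float:
    """1.0 = identical, 0.0 = nothing shared. Case-insensitive, so that
    'Summer2023!!' -> 'summer2024!!' is still recognised as a near-copy."""
    a, b = old.lower(), new.lower()
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - levenshtein(a, b) / longest


def class_count(pw: str) -> int:
    """Number of distinct character classes used (lower, upper, digit, punctuation)."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return sum(classes)


def strength_score(pw: str) -> int:
    """0-5 score shown to the user: one point for meeting MIN_LENGTH plus one
    point per character class used."""
    return (1 if len(pw) >= MIN_LENGTH else 0) + class_count(pw)


def check_password_change(old: str, new: str) -> list:
    """Return the list of policy violations for a proposed change.
    An empty list means the new password is acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if class_count(new) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    sim = similarity(old, new)
    if sim > MAX_SIMILARITY:
        problems.append(f"too similar to previous password ({sim:.0%})")
    # Edit distance alone misses a long password that simply embeds the old one,
    # so containment is checked separately.
    if old.lower() in new.lower() or new.lower() in old.lower():
        problems.append("contains (or is contained in) the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old_pw, new_pw in [("Summer2023!!", "Summer2024!!"),
                           ("hunter2", "hunter2hunter2!!"),
                           ("Summer2023!!", "correct-Horse7battery")]:
        verdict = check_password_change(old_pw, new_pw) or ["ok"]
        print(f"strength {strength_score(new_pw)}/5:", "; ".join(verdict))
```

Both the similarity ratio and the containment test are needed: incrementing a year keeps the edit distance tiny and is caught by the ratio, while doubling the old password and appending symbols drives the ratio below the threshold and is only caught by the containment check. In a real deployment the old password is normally available only at change time (when the user supplies it), which is exactly when this comparison should run.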