What to know about vulnerability scans and penetration testing under the Safeguards Rule.
5/19/2023 1:00 P.M.
Per the FTC regulations in the Safeguards Rule, financial organizations must perform a penetration test annually and a vulnerability scan 2x a year.
The rule says:
Section 314.d.2 (i) Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment;
and (ii) Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment, at least every six months; and whenever there are material changes to your operations or business arrangements; and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.
Under the Safeguards Rule, financial institutions are required to conduct vulnerability scans at least every six months, with a preference for quarterly scans. Vulnerability scans can evaluate the effectiveness of internal defenses, not just identify vulnerabilities. Make sure your vulnerability scans cover everything, from internal systems to external-facing applications and connected devices.
Vulnerability scanning is an ongoing process, and the focus should be on prioritizing and addressing vulnerabilities based on their severity. You should conduct these via a third party to ensure objectivity and thoroughness. It is crucial to partner with an experienced provider who can offer actionable recommendations based on the scan results.
The penetration test, too, should be conducted by an experienced third-party provider who can ensure objectivity and offer solutions to issues identified. In a penetration test, assessors attempt to bypass or overcome the security features of an information system. The initial test aims to identify weaknesses in the system’s versions and configurations, attempting to exploit them. Following the initial test, you should implement the necessary remediation measures, such as patches, upgrades, or configuration changes. The objective of the post-remediation test is to achieve a clean scan, ensuring defensibility during a potential audit.
You should conduct vulnerability scans and penetration tests based on risk assessments. Remember to also keep well-documented procedures for vulnerability scanning and penetration testing, which include how often you do it, what’s included, which tools you use, and who’s responsible.
How about continuous monitoring instead?
The regulations do create an exception to annual penetration testing and biannual vulnerability scans if the company is performing “continuous monitoring,” meaning you have dedicated and experienced staff that monitors the logs and activity by a system around-the-clock, 24/7/365.
According to the FTC’s Safeguards Rule, continuous monitoring refers to a system that performs three essential activities in a real-time, ongoing manner:
- Monitoring for security threats: The system must actively monitor and detect potential security threats to the network, systems, and sensitive customer information.
- Detection of misconfigured systems: Continuous monitoring should include the ability to identify and flag any misconfigured systems that may pose security risks.
- Vulnerability assessments: The system must conduct ongoing vulnerability assessments to identify any weaknesses or vulnerabilities in the network or systems. Most tools can help with monitoring for security threats, but lack in providing real-time, ongoing configuration scanning and vulnerability assessments.
Those that do all three can be cost-prohibitive for most small and medium-sized businesses (SMBs), which is why the FTC allows businesses to complete an annual penetration test and biannual vulnerability assessment as an alternative to continuous monitoring. Note that having EDR, MDR, or SIEM tools may not fully satisfy the “continuous monitoring” requirement per the Safeguards Rule. For SMBs, even vulnerability scanning can be expensive.
As the exclusive partner for educating and working with ACA members, TPx has provided discounted services, including vulnerability and penetration scanning, which can be paid in monthly increments instead of a lump sum. To get started, contact TPx at www.tpx.com/aca.