Penetration Testing and Technical Security Assessments (SP 800-115)

  • Conduct penetration tests at least annually for:

    • Internet-facing systems

    • Business-critical applications

    • Post-incident or high-risk changes

  • Follow a five-phase methodology:

    1. Planning & Reconnaissance

    2. Scanning & Enumeration

    3. Vulnerability Assessment

    4. Exploitation

    5. Post-Assessment Reporting & Lessons Learned

Reference:

SP 800-115 https://www.nist.gov/privacy-framework/nist-sp-800-115
