Introduction
anDREa is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2013, the international standard for information security.
The purpose of this document is to describe anDREa’s Pentest Program.
This document will be updated at least annually and when significant change happens.
Pentest Program
External Pentest process
Schedule
- A pen-test must be completed at least once a year.
- Major changes that impact the Azure DRE Shared Tenant security boundaries might trigger an ad-hoc pen-test.
- If a scheduled pen-test would fall within six months of an ad-hoc pen-test and no security boundary has changed, the scheduled pen-test can be skipped; the skip must be logged in Policy Exceptions.
- Every year a pen-test will take place in the 1st quarter, but must be completed before March 31st.
- On or before December 1st the CTO will provide the scope and target areas.
- On or before March 15th the pen-test must be completed.
- On or before June 1st the results, findings and recommendations must be presented to anDREa's Management Team and Dev-Team.
Procedure
Review & Risk Analysis
- The CTO examines and performs a risk analysis with the dev-team and members of the CST on, but not limited to, the following documents:
  - Architecture
  - Risk and Incident findings
- The CTO will assess risks based on interviews with the following roles:
  - MT
  - (Core) Support Team
  - Service Provider
  - Representatives
- The CTO will:
  - Update the documentation in Documents for Pen-Tester
  - Create a subfolder under Pen-Test > General > Dossiers
Request for Proposal (RFP) (optional, but at least every three years)
Meeting with pentester
- Explain:
  - The purpose of the pen-test
  - The responsibilities and duties of pen-testers
- Give access to and provide instructions for:
  - Documents for Pen-Tester
  - The subfolder under Pen-Test > General > Dossiers
Fact finding & Reporting by Pentester
- The pen-tester logs findings and reports in the subfolder under Pen-Test > General > Dossiers
Review & Analysis
- The CTO reviews findings and recommendations with the dev-team and CST
Report findings and recommendations
- The CTO and MT decide on actions
- Actions will be logged in the Risk, Incidents and Treatment Plan Register
- When there are no more follow-up questions:
  - The CTO removes the pen-tester from the Pen-Test Teams
  - The CTO updates Approvers > Audits and informs relevant stakeholders
Internal Pen-Test process
Schedule
- Internal pen-tests are ad hoc and must occur when:
  - A major change that impacts security boundaries has been implemented
  - An unknown weakness is suspected
  - An unknown weakness is reported
Procedure
Review & Risk Analysis
- The CTO examines and performs a risk analysis with the dev-team and members of the CST on, but not limited to, the following documents:
  - Architecture
  - Risk and Incident findings
- The CTO will assess risks based on interviews with the following roles:
  - MT
  - (Core) Support Team
  - Service Provider
  - Representatives
- The CTO will:
  - Update the documentation in Documents for Pen-Tester
  - Create a subfolder under Pen-Test > General > Dossiers
  - Assign one or more pen-testers
Pen-testers
- The internal pen-tester(s) write a plan, which must include:
  - Approach & methodology
Meeting with pen-tester(s)
- Explain:
  - The purpose of the pen-test
  - The responsibilities and duties of pen-testers
- Give access to and provide instructions for:
  - Documents for Pen-Tester
  - The subfolder under Pen-Test > General > Dossiers
Fact finding & Reporting by Pen-Tester
- The pen-tester logs findings and reports in the subfolder under Pen-Test > General > Dossiers
Review & Analysis
- The CTO reviews findings and recommendations with the dev-team and CST
Report findings and recommendations
- The CTO and MT decide on actions
- Actions will be logged in the Risk, Incidents and Treatment Plan Register
- When there are no more follow-up questions:
  - The CTO removes the pen-tester from the Pen-Test Teams
  - The CTO updates Approvers > Audits and informs relevant stakeholders
Access to Pentest Results
- All Security Officers of a Tenant can request access to the pen-test reports from the CTO
- People with an account on support.mydre.org who are members of the Approver group have access: https://support.mydre.org/portal/en/kb/approvers/audits