diff --git a/source/standards/how-to-do-penetration-tests.html.md.erb b/source/standards/how-to-do-penetration-tests.html.md.erb index ec261534..2cebd885 100644 --- a/source/standards/how-to-do-penetration-tests.html.md.erb +++ b/source/standards/how-to-do-penetration-tests.html.md.erb 
@@ -1,14 +1,16 @@ --- title: How to arrange and manage penetration tests -last_reviewed_on: 2023-11-20 +last_reviewed_on: 2024-06-27 review_in: 6 months --- # <%= current_page.data.title %> -You should aim to run [penetration tests](https://www.gov.uk/service-manual/technology/vulnerability-and-penetration-testing) on your service at least every 12 months. You must discuss all significant changes with the GDS [Information Security] IA team. You must agree with the [Information Security] IA team when you will test and the scope of the tests. They will also assist with the procurement of external tests through an approved third party through the [National Cyber Security Centre (NCSC) CHECK scheme]. Alternatively, with the agreement of the IA team, a member of the [COD Cyber] Team can carry them out internally, depending on the requirements. +You should aim to run [penetration tests](https://www.gov.uk/service-manual/technology/vulnerability-and-penetration-testing) on your service at least every 12 months. You must discuss all significant changes with the GDS [Information Security][] team. You must agree with the [Information Security][] team when you will test and the scope of the tests. They will also assist with the procurement of external tests through an approved third party through the [National Cyber Security Centre (NCSC) CHECK scheme]. Alternatively, with the agreement of the Info Sec team, a member of the [COD Cyber] Team can carry them out internally, depending on the requirements. -You may need to schedule additional testing if you make significant changes to your service. You should meet with the IA team regularly to discuss ongoing changes. +Information Security are working on a GDS-level contract for ITHC services, which should make obtaining an ITHC for your service a more streamlined process. + +You may need to schedule additional testing if you make significant changes to your service. 
You should meet with the Info Sec team regularly to discuss ongoing changes. A significant change could be when you: @@ -47,9 +49,9 @@ Before testing, you should define and agree: ## Schedule a test -To schedule a test, [Information Security] IA team. +To schedule a test, [Information Security][] team. -If you plan to test any application, you must contact the IA team at least 3 months in advance so they can organise the procurement for you. +If you plan to test any application, you must contact the Info Sec team at least 3 months in advance so they can organise the procurement (or call-off against the existing framework) for you. If you are planning to ask the [COD Cyber] team to perform a test, you will need to enter the information listed in the [scope your test section](#scope-your-test) and the [prepare for your test section](#prepare-for-your-test) into a Rules of Engagement document, where a scope can be agreed and signed off by both parties. As with an external company, you should give at least 3 months' notice to make sure you can schedule the test at a time that suits project timelines.
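Review bot: In the first hunk the new paragraph "Information Security are working on a GDS-level contract for ITHC services" introduces the ITHC acronym without expanding it, and the team is named two different ways within the same paragraph ("[Information Security][] team" and "the Info Sec team"). Suggest expanding the acronym on first use (for example "ITHC (IT Health Check)") and settling on one name for the team throughout, since the rest of the hunk deliberately renames "IA team" to the new form. Also confirm that a `[Information Security]: <url>` reference-link definition exists elsewhere in the file, because the collapsed `[Information Security][]` form renders as literal brackets without it.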
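Review bot: In the second hunk the line "To schedule a test, [Information Security][] team." is still missing its verb (it should read along the lines of "To schedule a test, contact the [Information Security][] team."); the change touches this line but carries the defect over from the old text. Separately, "(or call-off against the existing framework)" describes the framework as already in place, while the first hunk says Information Security are still working on the GDS-level contract; either soften this to "once available" or make the two statements agree.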