CompTIA Pentest+ Certification For Dummies - Glen E. Clarke - Page 83
Restrictions with compliance-based assessments
When performing a penetration test for compliance reasons, you want to be aware of how a regulation can alter how the penetration test is performed because of the restrictions the regulation imposes. Following are some examples of restrictions that could exist with compliance-based assessments:
Location restrictions: You may find that depending on the type of compliance-based assessment, there may be strict rules on visitors to a particular location.
Country limitations: Depending on the types of regulations, there could be strict rules on access to information and handling of information based on laws in a particular country.
Tool restrictions: You may find that to be compliant you are limited in the tools that can be used during an assessment. For example, there could be strict rules on the types of testing, such as not being allowed to perform a DoS attack.
Local laws: You should review the local laws where the penetration test is being performed to ensure you are not breaking any laws.
Local government requirements: The local government may have strict requirements on the organization being tested depending on the industry. For example, the healthcare industry has strict requirements surrounding the privacy of patient data.
It is important to stress that there are clearly defined objectives based on regulations. For example, if the organization is processing credit cards, the organization must be compliant with PCI DSS by following the objectives and requirements set by PCI DSS. (You can view the Requirements and Security Assessment Procedures document at https://www.pcisecuritystandards.org/document_library.)