
Penetration tests requirement removed from Operations Security but remains in Risk Management Policy #43

Open
Sean-Klein opened this issue Nov 7, 2024 · 4 comments
@Sean-Klein
While reviewing your policies to see how you handled Vanta templates with the requirement for yearly penetration tests, I noticed you removed this from the Operations Security Policy. Was it your intention to keep the yearly requirement for a penetration test in your Risk Management Policy? If this was an oversight, I wanted to draw your attention to it.

Risk Management Policy

Risks are assessed and ranked according to their impact and their likelihood of occurrence. A formal Risk Assessment, and network penetration tests, will be performed at least annually and shall take into consideration the results of any technical vulnerability management activities performed in accordance with the Operations Security Policy.

@pepicrft pepicrft self-assigned this Jan 6, 2025
pepicrft (Contributor) commented Jan 6, 2025

It was an oversight. Should it be in "Operations Security Policy" instead of "Risk Management Policy"? Or should it be in both?

@pepicrft pepicrft added the p1 Must do label Jan 6, 2025
@Sean-Klein (Author)
I was thinking you wanted to remove the requirement for penetration tests from your policies because you removed it from Operations Security Policy. I was bringing it to your attention that you probably want to remove it from Risk Management Policy too.

pepicrft (Contributor) commented Jan 6, 2025

Not really, it wasn't intentional. The "Operations Security Policy" that we established followed Vanta's recommendation, which doesn't include any note about penetration tests. We'd like to perform them yearly, so would you recommend in that case adding them to the "Operations Security Policy"?

Also... how did you come across our policies @Sean-Klein? I believe we never interacted before.

@Sean-Klein (Author)
If you open the original template for Vanta's Operation Security Policy, you will see how Penetration Tests were included. If you are planning to continue with this approach, you probably want to add it back as it was in the original template and referenced by the Risk Management Policy.

How did I come across your policies? I stumbled upon your GitHub repository from an internet search looking for examples of policies I am in the process of implementing for my work. When I noticed a potential oversight while reviewing some of your policies, I reached out to you out of courtesy.
