POL00362915 - Cyber Security Standard Penetration Testing and Vulnerability Scanning Standard - Policy

Evidence on official site

POL00362915
POL00362915

Post Office Limited - Document Classification: CONFIDENTIAL

@

Cyber Security Standard

Penetration Testing and
Vulnerability Scanning Standard

Version —- V1.3

INTERNAL Page 1 of 13 Penetration Testing and
ulnerability Scanning Standard v1.3
POL00362915
POL00362915

Post Office Limited - Document Classification: CONFIDENTIAL

1 Overview

1.1. Introduction by the Standard Owner.

1.2 Purpose ..

1.3. Application.
1.4 Application ......cccccccccccccececseeeeeseueeeseueeeesueeseseueeeeseeueeseeeeeeeueueseseueessuaeeesauees 4
2 Policy Framework ......ccccccseeeeseeeeeeeeeeeeeeeeeeeeeeeeeseeeeeeaeeeeeaaeeeeaaeeeeeaaeeesaaeeeeeaeesenee 6
21
2.2
3. Managing Penetration Testing and Vulnerability Scanning
3.1
3.2
3.3. Review...
3.4 Remediate .

4 Penetration Testing and Vulnerability Scanning

oornn

4.1 Penetration Testing

4.2 Vulnerability Testing

4.3. Penetration Test and Scanning Criteria ..........ccccccceeeeeeeeeeeeeeeeeeeeseeueeeeeeeeeneee 10
4.4 Additional RequireMent ...........ccccccseeeeeeeeeeessesseeneeeeeeeeeseeeeeeeseessesaaeeeeseeeee® 10
4.5 Payment Card Industry Data Security Standards (PCI DSS).........::sseeeeeeseeeenee 11
4.6 REMEMIALION 0.0... cette eee cece cence eee e eed EEE Eee eee eee eee e sees saaa eee e eee 11
4.7 Re-tests ANd SCANS 2... cceecceeeeeeeteeeeeeeeeeteeeeeeeeeeeeeeeeeeeeeteeeeeeeeeeeeeeeeeeeee 11
4.8 Penetration Test Document Set... ee teeter renee

4.9 Penetration Test Suppliers - Minimum Requirements.

5 Where to go for help.
5.1. Additional Policies and Standards

5.2 How to raise a concern

5.3 Who to contact for more information ......sccccsseceseeessteeettseeenteeeeneeeetaeeennes 13

6 Version Control & APProval......ccccccceceeseeeseeesssseeeeeeeeeseeeeeeeseeeseesessnaenenseeeeeeeeeeees 14

G1 Version CONtIOL....ssesssssesssscsseressssessessessessesssseesessessessessenseseessenessonensonaes 14

6.2 Standard Approval ........cccccccceccssceccsseeeeeseeeeeseueeeeseeeseeeeeeeeueueesueeeeseeeeeseuees 14
INTERNAL Page 2 of 13 Penetration Testing and

ulnerability Scanning Standard v1.3
POL00362915
POL00362915

Post Office Limited - Document Classification: CONFIDENTIAL

1 Overview

1.1 Introduction by the Standard Owner

Post Office is committed to protecting its employees, customers, Third Party Supply Chain
and information assets from damaging or illegal actions by individuals, either knowingly
or unknowingly. Post Office enables this through the development and deployment of
policies, standards and guidelines which are aligned to international best practices.
Effective cyber and information security is a team effort involving everyone in Post Office.

1.2 Purpose

The purpose of the Penetration Testing and Vulnerability Scanning Standard is to define a
structured and consistent approach when performing penetration and vulnerability tests
throughout the Post Office.

Cyber Security, together with the appropriate third-party, penetration tester, System
Owner and project management representatives (if applicable), will discuss and agree a
remediation plan for all critical, high and medium risk vulnerabilities discovered during
testing. In line with the Vulnerability Management Standard, the responsibility for ensuring
any identified vulnerabilities are remediated lies with the Business/Product Owner and/or
System Owner.

1.3 Core Principles

The objective of this standard is to achieve the following:

e Ensure the confidentiality, integrity and availability of Post Office data.

e Sets out the requirements for effective penetration testing and vulnerability
scanning.

e Manage assessment of vendor vulnerability notifications and patches.

Intelligently manage discovered vulnerabilities.

Avoid network and/or platform downtime.

Meet Post Offices’ contractual, legal and regulatory requirements.

Preserve corporate image and customer loyalty.

Protect operational platforms throughout Post Office.

Incorporate additional regulatory requirements, when appropriate.

Effective management and remediation of all material identified risks.

1.4 Application

This policy applies to Post Office permanent employees, temporary employees,
agency contractors, consultants and anyone else working on behalf of the Post Office
accessing Post Office data and aligns to the requirements of the Cyber and Information
Security Policy.

Post Office information assets and environments include, but are not limited to:

INTERNAL Page 3 of 13 Penetration Testing and
ulnerability Scanning Standard v1.3
POL00362915
POL00362915

Post Office Limited - Document Classification: CONFIDENTIAL

Critical business environments.

Business applications (including those under development).
Information assets and systems.

Network devices and communications.

Any Post Office web presence (including white labelled sites).

INTERNAL Page 4 of 13 Penetration Testing and
ulnerability Scanning Standard v1.3
POL00362915
POL00362915

Post Office Limited - Document Classification: CONFIDENTIAL

2 Policy Framework

2.1 Policy Framework

This standard forms part of the Cyber and Information Security Policy Set. This contains
controls that form part of the Information Technology Control Framework (ITCF) governed
by the overarching Post Office wide framework.

2.2 Who must comply?

Compliance with this standard is mandatory for all Post Office employees and applies
wherever in the world Post Offices business is undertaken. All third parties who do business
with Post Office, including consultants, suppliers and business and franchise partners, will
be required to agree contractually to this standard or have their own equivalent
policy/standard.

INTERNAL Page 5 of 13 Penetration Testing and
ulnerability Scanning Standard v1.3
POL00362915
POL00362915

Post Office Limited - Document Classification: CONFIDENTIAL

3 Managing Penetration Testing and Vulnerability
Scanning

3.1 Prepare and Schedule

Cyber Security will collate high level architectural designs, data flow diagrams and
questionnaires received from relevant third party suppliers and send to relevant party
undertaking the test or scan.

For penetration test and initial scans, scoping meeting(s) will be arranged with relevant
parties, including third party suppliers.

Cyber Security must review and agree any proposal with third party suppliers following
scoping meeting.

Third party suppliers must agree and sign off test dates and dependencies. Deviation to
arranged dates can lead to cancellation costs to Post Office.

Cyber Security schedules penetration tests for systems belonging to the Top 20 Suppliers
annually, regular vulnerability scans and penetration tests on new suppliers and systems
before go-live. System Owners are responsible for making sure their systems are tested
as per the Vulnerability Management Standard.

As part of Payment Card Industry Data Security Standard (PCI DSS) all Post Office systems
handling or processing payment cards must be penetration tested annually and scanned
quarterly.

3.2 Perform

The agreed partner must perform tests or scans and be operating under an agreed scope.

Cyber Security must receive notification of all vulnerabilities found during testing in the
form of a report. Vulnerabilities will be scored using the Common Vulnerability Scoring
System (CVSS) - see later section for details.

3.3 Review

Cyber Security will review the report and, if necessary, share the report with relevant third
party suppliers who manage the systems that have been penetration tested.

Cyber Security review all vulnerabilities with a CVSS score over 4.0 within the report and
discuss with the third party supplier. For details of CVSS scoring see section below.

Third party supplier produces an action plan to remediate the identified vulnerabilities
highlighted within the report.

3.4 Remediate

Once the actions detailed in the plan have been completed a re-test or scan of the system
must be undertaken to assure the effectiveness of the remediation.

INTERNAL Page 6 of 13 Penetration Testing and
ulnerability Scanning Standard v1.3
Post Office Limited - Document Classification: CONFIDENTIAL

Any outstanding critical/high/medium vulnerabilities not remediated are required to be reported to the Cyber
business/product owner and Project Manager (if part of a project being delivered).

POL00362915
POL00362915

Security Team,

“CVSS I Risk I JIRA I PenRiskI Risk I Risk I POLThreatScore I POL I Fixtimescalesif I Fix timescalesif
: Priority Score I Impact I Likelihood I (Riskimpact X Risk I Threat I discovered within I discovered in Live
vee ce ee ae Ny Likelihood) — Rating I project environment
04 Low Lowest Ao Ft Ft 1 verytow. I UN eo Rave cr eD: 60 Days
1 2to5 .
0.23.9 Low Low 2.0-5.0 2to5 1 2-5 : Low wine ee fee 60 Days

INTERNAL

Medium.

Medium

Page 7 of 13

Fix within 30 days of
go-live (Le By next
release) or will block
go-live.

Penetration Testing and
ulnerability Scanning Standard v1.3

Approved Exception Request
required if resolution is,
outside of timescales and
product wished to go-live

POL00362915
POL00362915

Post Office Limited - Document Classification: CONFIDENTIAL

4 Penetration Testing and Vulnerability Scanning

The main objective of penetration testing and scanning is to determine security
vulnerabilities within a system. A test or scan also tests Post Office’s third party suppliers’
information security compliance to ensure they are aligned to the policies and standards
produced and authorised by Post Office and best business practices as defined by industry
standards in regard to Cyber and Information Security systems.

4.1 Penetration Testing

Penetration testing of systems must be conducted based on their regulatory status (e.g.
PCI-DSS), criticality or risk profile. Key systems, and those covered by PCI DSS, must be
tested annually, along with all Internet facing systems. All other systems should be tested
based upon their risk profile. All systems must be tested on the occasion of either a
significant change or an incident that changes the threat landscape of the environment.

Detailed documentation of any components requested within the scope of the penetration
test must be made available to both the independent third-party tester and Cyber Security.
Failure to submit all necessary documentation when requested may impact the accuracy
of the scope and delay the submission of a proposal from the penetration test company,
which could then delay when the test is conducted. This may have a significant effect on
receiving sign-off from Cyber Security during the gating process.

This information will ensure the penetration test company understands how functionality
should work and whether results received are expected for the given scenario.

As part of the scoping process the responsible supplier (supplying the service) must
provide the penetration testers and Cyber Security with the appropriate documentation,
which may include:

« Anetwork diagram depicting all network segments and endpoints in scope for the
test.
e Data flow diagram(s) showing data classification levels.

4.2 Vulnerability Testing

Vulnerability testing may be undertaken as part of a penetration test, or through the use
of automated or manual tools. Typically these tests will take place at agreed, scheduled,
regular intervals to comply with regulatory requirements or risk profile. Following initial
scanning and ‘filtering’ of the results for accuracy, subsequent scans may be limited to
reporting only those new or remaining validated vulnerabilities, except where full reporting
is a regulatory requirement. For frequency requirements please see the Vulnerability
Management Standard

Externally facing systems must be scanned through an Internet hosted service which
provides the appropriate certification to meet regulatory requirements.

Internal scans must be conducted as ‘authenticated’ wherever possible.

All scans must result in the production of a list of all discovered vulnerabilities and must
be validated by the supplier being tested. Any dispute over the accuracy of the findings

INTERNAL Page 8 of 13 Penetration Testing and
ulnerability Scanning Standard v1.3
POL00362915

POL00362915

Post Office Limited - Document Classification: CONFIDENTIAL

must be referred to the third party conducting the scan or the vendor of the toolset

employed.
4.3 Penetration Test and Scanning Criteria
Activity Description Guidance Criteria (Not an exhaustive
Mandatory penetration test and Hist) External Interfaces.

vulnerability scan to be completed

Web Portals.

Wireless Network Analysis.

Critical Business Processes.

New Business Processes.

Confidential or Strictly Confidential

Data.

e Amending / New Third Parties or
Supplier Connections.

« Regulatory Compliance In-Scope.

e New Outsourcing Agreement.

e Handling or processing payment

card information.

Penetration test can be carried out at the e Internal changes only - no
next pre-scheduled date external connectivity involved.

¢ Internal Data.

e¢ Non-critical business process.

e No Regulatory Compliance aspects.
No penetration test required e Minor change not involving

interfaces or data movement.
Internal interfaces.

e Non-critical business process.

4.4

Additional Requirements

The following provides a non-exhaustive list of minimum requirements to be performed
and documented when preparing, scheduling and performing a penetration test or
vulnerability scan:

A Business Impact Assessment.

A Security and Threat Risk Assessment.

A Privacy Impact Assessment.

Questionnaire/s issued to the supplier and/or Project Manager as part of the
information gathering process, which must be completed before the scoping
meeting with the penetration test provider takes place.

A member of Cyber Security is to be engaged during all stages.

A qualified QSA is to be engaged where PCI DSS data/information is present within
the scope of the environment being tested.

A qualified technical individual/s with full working knowledge of the environment to
be tested (e.g. third party business supplier) must be involved to support the
systems during the testing process.

A representative of Post Office’s SISD supplier if requested by Post Office.

INTERNAL Page 9 of 13 Penetration Testing

ulnerability Scanning Standard

and
v1.3
POL00362915

POL00362915

Post Office Limited - Document Classification: CONFIDENTIAL

4.5 Payment Card Industry Data Security Standards (PCI DSS)

PCI SCC provides general guidance and guidelines for penetration testing. The guidance
focuses on the following:

e Penetration Testing Components: Understanding of the different components that
make up a penetration test and how this differs from a vulnerability scan including
scope, application and network-layer testing, segmentation checks, and social
engineering.

¢ Qualifications of a Penetration Tester: Determining the qualifications of a
penetration tester, whether internal or external, through their past experience and
certifications.

e Penetration Testing Methodologies: Detailed information related to the three
primary parts of a penetration test: pre-engagement, engagement, and post-
engagement.

e Penetration Testing Reporting Guidelines: Guidance for developing a
comprehensive penetration test report that includes the necessary information to
document the test as well as a checklist that can be used by the organization or the
assessor to verify whether the necessary content is included.

https://www.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-
vi_i.pdfeagreement=true&time= 1636046198816

4.6 Cyber Security Remediation

Following a penetration test or vulnerability scan, the supplier engaged to carry out such
tests is required to produce a detailed report highlighting and describing all vulnerabilities
discovered. An interim report is required within 24 hours of the test completing (in Excel
format) and a final full report is required within 5 working days (unless otherwise agreed
with Cyber Security) in PDF format.

The System Owner is responsible for making sure that all critical, high and medium
findings are remediated within an agreed timescale and before go live of a new system

4.7 Re-tests and Scans

Re-tests or scans are required to provide assurance that vulnerabilities discovered during
any penetration tests, ASV and/or VS‘s have been completely remediated. The schedule
for re-tests and scans must be agreed with Cyber Security to ensure they are completed
in a timely fashion.

Project Managers will engage with Cyber Security, third party suppliers and penetration
test service providers to schedule re-tests or scans.

4.8 Penetration Test Document Set

The penetration test document set is an operational document set that will be maintained
as part of the penetration test strategy. There are several discrete elements, each of which
may be updated as part of any change penetration test as provided below:

INTERNAL Page 10 of 13 Penetration Testing and
ulnerability Scanning Standard v1.3
POL00362915
POL00362915

Post Office Limited - Document Classification: CONFIDENTIAL

4.9

Business case funding.

Completed BIA and PIA.

Project penetration test scope (connections/gateways).

PCI scope document (if applicable).

Risks.

Findings.

Remediation/tracking plan

Transfer to operations (outstanding actions, risks, frequency).

Penetration Test Suppliers — Minimum Requirements

MUST be a member of the UK Government CREST scheme and, as such, provide personnel
who maintain one or more of the following certifications in relationship to the scope and
type of penetration testing required by Post Office to achieve assurance:

Offensive Security Certified Professional (OSCP).

Certified Ethical Hacker (CEH).

Global Information Assurance Certification (GIAC) Certifications (e.g., GIAC
Certified Penetration Tester (GPEN), GIAC Web Application Penetration Tester
(GWAPT), or GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)).
CREST Penetration Testing Certifications.

Communication Electronic Security Group (CESG) IT Health Check Service (CHECK)
certification.

INTERNAL Page 11 of 13 Penetration Testing and

ulnerability Scanning Standard v1.3
POL00362915
POL00362915

Post Office Limited - Document Classification: CONFIDENTIAL

5 Where to go for help

5.1 Additional Policies and Standards

This standard is part of the Cyber Security Policy framework. The full set can be found at:

__IRRELEVANT

5.2 How to raise a concern

Any Post Office employee who suspects something is wrong has a duty to:

e Discuss the matter fully with their Line Manager; or,
e Report their suspicions by contacting the IT Helpdesk

5.3 Who to contact for more information

If you need further information about this standard or wish to r
to this standard, please contact Cyber Security Team via

in relation

INTERNAL Page 12 of 13 Penetration Testing and
ulnerability Scanning Standard v1.3
POL00362915

POL00362915
Post Office Limited - Document Classification: CONFIDENTIAL
6 Version Control & Approval
6.1 Version Control
Date Version Updated by Change Details
02/05/2018 0.1 IT Security Changed to the new template for
policies

Changed to reflect the new Post
Office structure

First draft

23/05/2018 0.2 IT Security Updated post peer review

24/05/2018 0.3 IT Security Updated with further peer review
comments

28/05/2018 1.0 IT Security Final Approved Version

02/12/2021 1. Cyber Security Review with Richard Miller and
updated the section 3.4 and 4.5.

17/12/2012 1.1 Cyber Security Cyber Security Final Approved
Version

10/04/2023 1.2 Cyber Compliance Annual update and review. Wider
business input for UCF update
required.

25/04/2023 1.3 Cyber Compliance CSF approval for publication.

6.2 Standard Approval

Standard Owner: Chief Information Security Officer

Standard Author: Ehtsham Ali

Approved by CSF: 25/04/2023

Next review: 25/04/2024

INTERNAL Page 13 of 13 Penetration Testing and

ulnerability Scanning Standard v1.3