Penetration Test Benefits

here are some of the Main Penetration Test Benefits:

Improvement of security:

•General improvement of the effectiveness of information security with controls implemented to address real proven vulnerabilities;

•Independent review of your information security management system;

•Increased awareness of security and how controls can be circumvented and vulnerabilities exploited;

•Advice provided to address identified security problems.

Good governance:

•Awareness and empowerment of personnel regarding information security;

•Decrease of lawsuit risks against upper management in virtue of the ‘‘due care’’ and the ‘‘due diligence’’ principles;

•The opportunity to identify the weaknesses and to provide corrections;

•If linked with a good Information Security Management System (ISMS) the opportunity to increase of the accountability of top management for information security.

Helps in the effort to be conformant with:

• ISO standards;

• OECD (Organization for Economic Co-operation and Development) principles;

• Industry standards, example: PCI-DSS (Payment Card Industry Data Security Standard), Basel II (for the banking industry);

• National and regional laws.

•Customer contractual requirements.

Cost management:

•Decision makers often ask to justify the profitability of projects or security control and demand concrete and measurable return-benefits. A new financial evaluation concept has emerged to treat specifically the information security field: Return on Security Investment (ROSI). ROSI is a concept derived from Return on Investment (ROI). It can be interpreted as a security controls financial profit taking into account its total cost over a given period of time.

•Understanding the clear risks by analyzing the results of a well constructed penetration test can help in the selection of the correct and most effective controls which will address the real business risks and issues.

Customer and partner assurance:

•Differentiation provides a competitive advantage for the organization;

•Satisfaction of requirements of customer and/or other stakeholders;

•Meeting customer contractual obligations;

•Consolidating confidence of customers, suppliers and partners of the organization.

Reference: PECB, certified lead penetration test professional