The next type of assessment in order of complexity is a compliance – based penetration test.
These are the most common penetration tests as they are government- and industry-mandated requirements based on a compliance framework the entire organization operates under.
While there are many industry-specific compliance frameworks, the most common would likely be Payment Card Industry Data Security Standard (PCI DSS), a framework dictated by payment card companies that retailers processing card-based payments must comply with.
However, a number of other standards exist such as the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG), Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act (FISMA), and others.
In some cases, a corporate client may request an assessment, or ask to see the results of the most recent assessment for various reasons. Whether ad-hoc or mandated, these sorts of assessments are collectively called compliance-based penetration tests, or simply “compliance assessments” or “compliance checks”.
A compliance test often begins with a vulnerability assessment. In the case of PCI compliance auditing, a vulnerability assessment, when performed properly, can satisfy several of the base requirements, including “2. Do not use vendor-supplied defaults for system passwords and other security parameters” (for example, with tools from the Password Attacks menu category), “11. Regularly test security systems and processes” (with tools from the Database Assessment category) and others.
Some requirements, such as “9. Restrict physical access to cardholder data” and “12. Maintain a policy that addresses information security for all personnel” don’t seem to lend themselves to traditional tool-based vulnerability assessment and require additional creativity and testing.