External Penetration Test Sample Clauses
External Penetration Test. Included in the scope of this security assessment, is an external network penetration test. Contractor(s) security methodology should include more than a simple IP range scan testing of a variety of vulnerabilities. Going beyond the surface, Contractor(s) security professionals should apply advanced attacker tactics and techniques targeting the external infrastructure including routers, servers, VPNs, firewalls, and any other external services. However, in contrast with the external penetration test, the external vulnerability assessment focuses more on vulnerability discovery and remediation than exploitation and impact identification. Attacks that may be included in the external penetration test are listed below.
a. System Fingerprinting
b. Services Probing
c. Analysis and Identification of Attack Vectors (including social engineering)
d. Exploit Testing e. Authentication Attacks
External Penetration Test. For the External Pentation Test Report (EPT), the Contractor shall provide an independent third party to perform penetration testing and submit the results to the Department for review and approval at least sixty (60) Calendar Days after Contract Award or sixty (60) Calendar Days before any production data are required to be used in any lower environment.
1) Penetration testing must be performed by an independent third party when additions or changes to functionality impact the security framework, architecture or when a new vulnerability exists. Penetration Test Report results shall be supplied to the Department and any major or critical vulnerabilities mitigated.
2) The External Pentation Test Report (EPT) should only be submitted once per contract, unless these additions, changes were made then resubmission must be done at least sixty (60) Calendar Days prior to go-live of the project.