Let the penetration testing experts at Bishop Fox help you comply with today's stringent regulatory requirements and strengthen your defenses.
Cybersecurity testing is central to many government and industry regulations, but compliance alone isn’t enough. While passing audits and avoiding penalties is crucial, the real goal is ensuring your organization is actually secure against real-world attacks.
Bishop Fox goes beyond compliance. Our expert penetration testing services are performed by seasoned professionals who employ the same cutting-edge tools and techniques as today’s most advanced adversaries. We don’t just help you meet audit requirements with confidence — we uncover hidden vulnerabilities and deliver actionable insights to strengthen your security posture and protect your organization from real-world threats.
CREST is an international, not-for-profit, membership body representing the cybersecurity industry. It requires members to undergo a rigorous accreditation that holds operating standards, personnel, testing approaches, and data security to the highest standard. Bishop Fox is a CREST-accredited service provider.
The Digital Operational Resilience Act (DORA) is an EU regulation aimed at ensuring financial institutions and their third-party providers are equipped to protect, detect, contain, recover and repair their capabilities against ICT-related incidents. Bishop Fox offers robust Red Team services specifically designed to meet your advanced threat-led penetration testing (TLPT) needs, aligned to the TIBER-EU framework.
The General Data Protection Regulation (GDPR) is an EU regulation that concerns data protection and privacy for EU citizens. Article 32 of the GDPR requires organizations to have a process for regularly assessing and evaluating the effectiveness of data security measures. Regular network, cloud, and/or application penetration testing satisfies this requirement.
The Health Insurance Portability and Accountability Act (HIPAA) mandates that security measures are in place for protected health information (PHI) data. Depending on network architecture, regular network, cloud, and application penetration testing are critical for evaluating how an organization adheres to the strict privacy, security, and breach notification rules of HIPAA.
ISO 27001 covers the management of information security risks, policies, objectives, roles, responsibilities, and more. This standard mandates management of technical vulnerabilities and system security testing to identify and mitigate vulnerabilities in information security systems, which can be satisfied by network, cloud, and application penetration testing.
Many organizations voluntarily leverage the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) as an anchor for their security program. Regular network, cloud, and/or application penetration testing contributes directly to the five core NIST CSF functions: identify, protect, detect, respond, and recover.
The Open Worldwide Application Security Project (OWASP) is one of the preeminent non-profit resources in the domain of software security. The OWASP Application Security Verification Standard (ASVS) and the OWASP Top Ten are commonly used standards that customers desire and Bishop Fox can execute on during application and/or cloud penetration testing services.
The Payment Card Industry Data Security Standard (PCI DSS) requires penetration testing at least annually and upon any significant environment changes. Depending on architecture, this can include external and internal network testing, cloud testing, or application testing. PCI DSS requirements state that penetration testing should be performed.
SOC 2 is a common security framework that specifies how organizations should protect customer data. Though technically not required to pass a SOC 2 audit, penetration testing is a common step towards achieving SOC 2 compliance, as it touches on many of the trust service principles on which the evaluation is based.
Compliance doesn’t have to be painful and shouldn’t just “check the box”. For nearly 20 years, we’ve added value to the governance, risk, and compliance programs of some of the world’s leading organizations and most valuable brands.
78 Our “Excellent” NPS Score
20K+ Projects delivered over past 6 years
26 Of the Fortune 100
Application security testing services to satisfy compliance requirements for data hosted and processed by web applications.
Cloud security testing services to satisfy compliance requirements for data hosted in AWS, Azure, GCP, and Kubernetes.
External and internal penetration testing services to satisfy compliance requirements for data that exists in on-premises environments.
Bishop Fox's world-class Red Team puts your organization to the ultimate test, satisfying the most stringent requirements for advanced threat-led penetration testing (TLPT), along with purple teaming and tabletop exercises so you're prepared for anything.
Bishop Fox is an App Defense Alliance (ADA) authorized assessor. Test your applications and ensure the security of user data while receiving your CASA letter of assessment.
Bishop Fox is a PCI DSS approved scanning vendor (ASV). Satisfy your PCI 11.2.2 quarterly external vulnerability scanning requirements with confidence. Available as an add-on.
We'd love to chat about your offensive security needs. We can help you determine the best solutions for your organization and accelerate your journey to defending forward.