External applications come in three general forms. If they contain PII, you have a GDPR responsibility, and they also require what Mr Houlden at the ICO called vulnerability assessments and penetration testing, although not necessarily performed by you.
Often, attacks that can create denial-of-service conditions are disallowed.
Nigel Hearne, 18 May
Phishing, where a user is tricked into giving away their username and password, is one of the most common reasons for a data breach.
In short, you should test the external infrastructure at least once a year as a minimum.
As of February 1, service providers will be required to conduct an annual penetration test and a semi-annual segmentation test.
PCI DSS v3.2 and the Penetration Testing Requirements for Service Providers
What we do know is that once disclosure becomes mandatory when GDPR comes into force at the end of May, we will all hear about many more companies being affected by data loss than we do today.
If they receive the payroll details via a cloud-based application or their own web portal, you would also want to know that it has had a full web application penetration test annually, conducted by a CREST-approved penetration testing company, so you can be reasonably sure that neither external attackers nor any of their other clients could manipulate the application and access the data.
This was last published in June.
Determining the segmentation controls in use and defining the scope for testing those controls.