
11.5 Network intrusions and unexpected file changes are detected and responded to.

This requirement focuses on implementing mechanisms to detect and respond to network intrusions and unauthorized file changes. It ensures that organizations use intrusion detection/prevention techniques to monitor network traffic and change-detection mechanisms to identify unauthorized modifications to critical files, allowing them to detect and respond to potential security breaches in a timely manner.
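The change-detection side of this requirement is easiest to understand as a baseline-and-compare loop over critical files. The following is an added example, not WithPCI's code or text from the standard: it records a SHA-256 hash, size and permission mode for every regular file under a directory, then compares a later snapshot against that baseline and reports files that were added, removed or modified. The directory layout, file names and the "unauthorized" changes in `demo()` are constructed for the example; in practice the baseline would be stored separately from the monitored host and the comparison run on a schedule, with every reported difference reconciled against approved change records.

```python
"""Minimal file-integrity baseline/compare, the change-detection mechanism
the requirement calls for. Added example, not the page's or WithPCI's code."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Snapshot hash, size and permission bits of every regular file under root.

    Symlinks are skipped so a link pointing outside the tree cannot be used to
    make an unrelated file appear 'unchanged'.
    """
    baseline: dict[str, dict] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[str(path.relative_to(root))] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Classify differences between two snapshots. Any attribute change counts as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def format_alerts(diff: dict[str, list[str]]) -> list[str]:
    """One alert line per finding; these are what an operator would reconcile with change tickets."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for name in diff[kind]:
            lines.append(f"FIM ALERT: {kind.upper()} {name}")
    return lines


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then change files outside any approved change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin").mkdir()
        (root / "bin" / "server").write_bytes(b"\x7fELF constructed binary")

        baseline = build_baseline(root)

        # Simulated unauthorized changes (constructed for the example):
        (root / "etc" / "app.conf").write_text("debug=true\n")   # config edited
        (root / "bin" / "server").unlink()                         # binary removed
        (root / "bin" / "extra").write_bytes(b"constructed")       # new file dropped

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for line in format_alerts(demo()):
        print(line)
```

Comparing mode bits as well as content matters: a permission change on a critical file is a modification the requirement expects you to notice even when the bytes are untouched.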

Sub-requirements:

11.5. Penetration testing is performed to identify exploitable vulnerabilities.

Ensure that penetration tests are conducted at least annually and after significant changes, and that findings are remediated.

Sub-requirements: 3
Test Points: 7
Implementation Difficulty: Moderate-High (4.3)

Control Types

Technical: 2
Process: 3

Key Risks

Unidentified exploitable vulnerabilities
Missed or delayed remediation
Scope creep due to poor segmentation

Frequently Asked Questions

How often must penetration tests be performed?

At least annually and after significant changes to the environment.

What is the difference between penetration testing and vulnerability scanning?

Penetration testing simulates real-world attacks and actively attempts to exploit vulnerabilities, while vulnerability scanning only identifies potential vulnerabilities without attempting to exploit them.

Who should perform penetration tests?

Qualified internal or external testers who are independent of the systems being tested.

How are test findings remediated?

Findings are tracked, prioritized, and addressed before retesting.

How is evidence of penetration testing retained?

Through test reports, remediation logs, and documentation of retesting.

Common QSA Questions

Can you provide your penetration testing reports and remediation records?

Yes, we maintain all reports and logs of remediation activities.

How do you ensure tests are performed after significant changes?

We tie penetration testing to our change management process.

How are findings tracked and retested?

We use a tracking system and require retesting to verify remediation.
