Penetration testing is performed for both the application and infrastructure annually. Results are evaluated and remediated according to risk rating.
This control is meant to formalize the way IllumiDesk prioritizes its penetration tests. The rating assignment mentioned in this control is detailed in a separate control linked below. It isn't feasible to test 100% of IllumiDesk systems, and since penetration tests are meant to reduce risk to the organization, risk is the method we use for prioritizing which systems we test in a given year.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting IllumiDesk.com and its subdomains. This may include third-party systems that support the business of IllumiDesk.com.
Senior Director of Security
Application Security Team - Hacker1 and External 3rd-Party vendor relationship
Red Team, Security - provide supplemental/enhanced penetration testing
Infrastructure - Responsible for infrastructure penetration testing
We will need to share our methodology for determining which systems to pen test, and that methodology should align with the related control.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Application & Infrastructure Penetration Testing control issue.