Red Team Operations: Reporting for compliance

The growing compliance landscape

In recent years, the number of standards and regulations that organizations must demonstrate compliance with has exploded. Previously, organizations mainly needed to comply with industry-specific regulations (HIPAA for healthcare, SOX for public companies and so on) or with standards designed to protect a particular type of sensitive information (such as PCI DSS for payment card data).

More recently, governments have been passing data privacy regulations and forcing organizations to take notice. The EU's General Data Protection Regulation (GDPR) is the prominent example. Under GDPR, any organization that processes the personal data of people in the EU is subject to the regulation regardless of where the organization is based, and that data may only be transferred to a country that the EU has recognized as providing adequate protection or to an organization that has put equivalent safeguards in place itself. The extraterritorial scope of the GDPR, together with its definition of "personal data," which is considerably broader than the personally identifiable information (PII) that earlier regulations protected, caused a bit of a panic as organizations around the world tried to bring their policies into compliance.

The GDPR is far from the only privacy regulation in place. The California Consumer Privacy Act (CCPA) is the best-known U.S. example, and many other U.S. states have been passing their own laws in the absence of a national regulation. As a result, an organization may be required to demonstrate compliance with a large number of different, and not always consistent, regulations at the same time.

Designing the pentest

One commonality between many of these regulations is a requirement that organizations regularly test whether their current protections are adequate for the customer data entrusted to them. GDPR Article 32, for instance, calls for a process of regularly testing, assessing and evaluating the effectiveness of security measures, and PCI DSS requires periodic penetration testing of the cardholder data environment. Where the requirement is specifically for a penetration test, that test still has to be performed and scoped as the standard describes. A Red Team assessment, however, can provide a more accurate measure of an organization's ability to protect sensitive data in practice: rather than enumerating vulnerabilities within a defined scope, it tests whether the organization can detect and stop an adversary who is actively pursuing that data.

As a result, a Red Team may be called upon to perform an assessment that is geared toward demonstrating an organization’s compliance with the regulation or identifying gaps that would need (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/71DooDwqakw/