CA-8: Penetration Testing
NIST Baseline: Low
DIR Required By: 07/20/2023
Review Date: 06/26/2024
- Information resource owners, in coordination with Tarleton’s Office of Innovative Technology Solutions (OITS) Security Team, are responsible for ensuring that penetration testing is completed, based on risk management decisions.
- Penetration testing should be conducted on a recurring basis on Internet websites and/or mobile applications that are exposed to the public internet and that process or store sensitive, personally identifiable information (PII), or confidential information, as required by Texas Government Code §2054.516(a)(2).
- The information gathered during penetration testing should be reported to the Tarleton Chief Information Security Officer (CISO) and/or the Tarleton OITS Security Team for assessing and managing security.
- An external network penetration test shall be conducted biennially (every two years) at a minimum in accordance with the Texas Department of Information Resources (DIR) Security Controls Catalog.