Exercises: Security Compliance and Governance
Exercise 40.1: Compliance Framework Mapping
Create a comparison matrix of PCI DSS, HIPAA, SOC 2, and ISO 27001. For each framework, document:
- Issuing body and legal basis (law, regulation, contractual, voluntary)
- Who must comply (scope of applicability)
- Specific security testing requirements
- Testing frequency requirements
- Tester qualification requirements
- Penalties for non-compliance
- Audit/certification process
Present your matrix in a table and write a one-paragraph summary of the key differences.
Exercise 40.2: PCI DSS Scope Determination
A retail company has the following network architecture:
- Store Network (10.1.0.0/24): Point-of-sale terminals, store workstations
- Payment Processing (10.2.0.0/24): Payment gateway server, tokenization server
- Corporate Office (10.3.0.0/24): Accounting, HR, executive workstations
- E-commerce (10.4.0.0/24): Web servers, application servers, database
- Development (10.5.0.0/24): Developer workstations, CI/CD servers, test databases
- Guest Wi-Fi (10.6.0.0/24): Customer Wi-Fi in stores
For each network segment, determine:
1. Whether it is in PCI DSS scope (CDE, connected-to, or out-of-scope)
2. What segmentation controls would be needed to reduce scope
3. What penetration testing would be required for each segment
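One way to work the scope determination systematically is to treat the allowed flows between segments as a graph and walk it outward from the cardholder data environment: anything with a direct or transitive path to the CDE is "connected-to" and in scope, and the flows that create those paths are exactly where segmentation controls belong. The script below is an added example, not part of the exercise; the segment names are the exercise's, but which segments handle cardholder data, both flow tables, and the testing labels are constructed assumptions for illustration.

```python
"""Derive PCI DSS scope (CDE / connected-to / out-of-scope) from allowed
network flows between the segments in the exercise.  Added example, not part
of the exercise text or any real assessment: which segments handle cardholder
data and the flow tables themselves are CONSTRUCTED assumptions."""
from collections import deque

# Segments named in the exercise.
SEGMENTS = {
    "store": "10.1.0.0/24",        # POS terminals, store workstations
    "payment": "10.2.0.0/24",      # payment gateway, tokenization server
    "corporate": "10.3.0.0/24",    # accounting, HR, executives
    "ecommerce": "10.4.0.0/24",    # web, app, database servers
    "dev": "10.5.0.0/24",          # developers, CI/CD, test databases
    "guest_wifi": "10.6.0.0/24",   # customer Wi-Fi
}

# ASSUMPTION: these segments store, process or transmit cardholder data.
CDE = {"store", "payment", "ecommerce"}

# CONSTRUCTED firewall policy before segmentation: (src, dst) pairs that may
# open connections.  Reachability is treated as undirected below, because a
# segment the CDE can reach can affect the CDE's security just as one that
# reaches into it can.
FLOWS_CURRENT = [
    ("store", "payment"),
    ("ecommerce", "payment"),
    ("corporate", "store"),      # admin access into stores
    ("dev", "ecommerce"),        # developers deploy straight to production
    ("guest_wifi", "store"),     # misconfiguration: guests can reach the POS LAN
]

# CONSTRUCTED policy after segmentation: guest and dev traffic blocked.
FLOWS_SEGMENTED = [
    ("store", "payment"),
    ("ecommerce", "payment"),
    ("corporate", "store"),
]


def classify_scope(flows, cde=CDE, segments=SEGMENTS):
    """Return {segment: 'CDE' | 'connected-to' | 'out-of-scope'}.
    Anything with a direct or transitive path to a CDE segment is in scope."""
    adj = {s: set() for s in segments}
    for src, dst in flows:
        adj[src].add(dst)
        adj[dst].add(src)
    reached, queue = set(cde), deque(cde)
    while queue:                       # breadth-first search out from the CDE
        for nxt in adj[queue.popleft()]:
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return {s: "CDE" if s in cde else "connected-to" if s in reached
            else "out-of-scope" for s in segments}


def scope_bringing_flows(flows, cde=CDE, segments=SEGMENTS):
    """Flows that pull a non-CDE segment into scope; each is a candidate for a
    segmentation control (deny rule, removal, or a hardened jump host)."""
    scope = classify_scope(flows, cde, segments)
    return [(s, d) for s, d in flows
            if scope[s] != "out-of-scope"
            and not (scope[s] == "CDE" and scope[d] == "CDE")]


def required_testing(scope):
    """Map each scope class to the PCI DSS v4.0 Requirement 11.4 activity."""
    tests = {
        "CDE": "annual penetration test (internal; external where reachable)",
        "connected-to": "annual penetration test, same treatment as the CDE",
        "out-of-scope": "segmentation test: prove no path into the CDE exists",
    }
    return {s: tests[c] for s, c in scope.items()}


if __name__ == "__main__":
    for label, flows in (("before", FLOWS_CURRENT), ("after", FLOWS_SEGMENTED)):
        scope = classify_scope(flows)
        print(label, scope)
        print("  flows to control:", scope_bringing_flows(flows))
        print("  testing:", required_testing(scope))
```

With the constructed "before" policy every segment ends up in scope, which is the usual scope-creep situation; removing the guest and developer flows leaves only the corporate segment as connected-to, and the two isolated segments then need a segmentation test rather than a full penetration test.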
Exercise 40.3: HIPAA Risk Analysis Integration
You have completed a penetration test of MedSecure and found the ten vulnerabilities listed in Section 39.1.2. For each finding, map it to:
- The specific HIPAA Security Rule safeguard it violates (cite the section number)
- The risk to ePHI (what patient data could be compromised)
- The likelihood of exploitation (Low/Medium/High)
- The impact if exploited (Low/Medium/High)
- Recommended safeguard improvements
Present this as a risk analysis table suitable for inclusion in MedSecure's HIPAA risk assessment documentation.
Exercise 40.4: SOC 2 Evidence Preparation
You are conducting a penetration test for a SaaS company preparing for their SOC 2 Type II audit. The auditor has requested evidence for the following trust service criteria:
- CC6.1: Access Controls
- CC6.6: System Boundary Protection
- CC7.1: Detection and Monitoring
- CC7.2: Incident Response
- CC8.1: Change Management
For each criterion, describe:
1. What penetration testing evidence would be relevant
2. How to structure findings to support the auditor's review
3. What positive observations (controls that worked) you would document
4. How to present findings that indicate control failures
Exercise 40.5: NIST CSF Mapping
Map the following penetration testing activities to NIST CSF 2.0 functions and categories:
- External network reconnaissance and port scanning
- Web application vulnerability assessment
- Active Directory password spraying attack
- Network segmentation validation
- Phishing simulation campaign
- Cloud IAM configuration review
- Incident response tabletop exercise
- Vulnerability remediation verification retest
For each activity, identify the CSF function(s), category, and subcategory it supports.
Exercise 40.6: CIS Controls Assessment
Using CIS Controls v8.1, assess your home lab environment (or a fictional small business environment) against the following controls:
- Control 1: Inventory and Control of Enterprise Assets
- Control 4: Secure Configuration of Enterprise Assets and Software
- Control 7: Continuous Vulnerability Management
- Control 8: Audit Log Management
- Control 18: Penetration Testing
For each control, rate implementation as: Not Implemented, Partially Implemented, or Fully Implemented. Provide evidence for your assessment and recommend improvements.
Exercise 40.7: Security Maturity Assessment
Using the five-level maturity model from Section 40.4.1, assess the security maturity of a fictional organization based on the following observations:
- They conduct annual penetration tests (started two years ago)
- Vulnerability scanning runs monthly, but results are not consistently remediated
- Security policies exist but were last updated three years ago
- A two-person security team reports to the IT director
- No formal risk register or risk management process
- Patch management is ad hoc (patches applied "when we have time")
- Security awareness training is conducted annually (30-minute online module)
- No incident response plan or tabletop exercises
Assign a maturity level, justify your assessment, and create a roadmap to advance to the next maturity level.
Exercise 40.8: GRC Integration Plan
Design a plan for integrating penetration testing results into a GRC program. Specify:
- How findings will be imported into the risk register (format, process, timing)
- How findings will be tracked through remediation (SLAs, ownership, escalation)
- How findings will be mapped to compliance frameworks (PCI DSS, HIPAA, SOC 2)
- What metrics will be reported to leadership (dashboards, trends, KPIs)
- How retesting results will update the risk register
Include a sample risk register entry for the MedSecure F-001 SQL injection finding.
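The register entry, SLA tracking, escalation and retest update the exercise asks for can be prototyped as a small data model. The script below is an added example, not MedSecure's (fictional) tooling or any GRC product; the SLA values, owner title, control citations and every detail of F-001 beyond "SQL injection" are assumptions made for illustration, and the citations should be checked against the current framework text before reuse.

```python
"""Import penetration-test findings into a GRC risk register, track SLAs and
escalation, and update the register on retest.  Added example for the
exercise, not MedSecure's or any vendor's GRC tooling.  SLA values, owner
names, control citations and the F-001 details beyond "SQL injection" are
ASSUMPTIONS made for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed remediation SLA policy: calendar days from report date to fix.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Illustrative control mapping by finding category.  The citations are
# assumptions for this example; verify against the framework text.
FRAMEWORK_MAP = {
    "sql_injection": {
        "PCI DSS": "v4.0 Req. 6.2.4 (prevent injection attacks in custom software)",
        "HIPAA": "45 CFR 164.312(a)(1) Access Control; 164.308(a)(1)(ii)(A) Risk Analysis",
        "SOC 2": "CC6.1 Access Controls; CC8.1 Change Management",
    },
}


@dataclass
class Finding:
    finding_id: str
    title: str
    category: str      # key into FRAMEWORK_MAP
    severity: str      # key into SLA_DAYS
    asset: str
    reported: date


@dataclass
class RiskEntry:
    risk_id: str
    finding_id: str
    title: str
    severity: str
    owner: str
    reported: date
    due: date
    status: str = "Open"
    frameworks: dict = field(default_factory=dict)
    history: list = field(default_factory=list)


def import_finding(finding, owner, risk_id):
    """Create the register entry: SLA deadline from severity, framework
    citations from category, and an audit-trail line for the import."""
    due = finding.reported + timedelta(days=SLA_DAYS[finding.severity])
    entry = RiskEntry(risk_id, finding.finding_id, finding.title, finding.severity,
                      owner, finding.reported, due,
                      frameworks=dict(FRAMEWORK_MAP.get(finding.category, {})))
    entry.history.append((finding.reported,
                          f"imported from pentest as {finding.severity}, due {due}"))
    return entry


def escalation_level(entry, today):
    """0 = within SLA, 1 = overdue (escalate to the owner's manager),
    2 = overdue by more than one full SLA period (escalate to the CISO)."""
    if entry.status != "Open" or today <= entry.due:
        return 0
    overdue = (today - entry.due).days
    return 2 if overdue > SLA_DAYS[entry.severity] else 1


def apply_retest(entry, passed, when):
    """A retest closes the risk only on a verified pass; a failed retest keeps
    it open so the SLA clock and escalation keep running."""
    if passed:
        entry.status = "Closed (retest verified)"
        entry.history.append((when, "retest passed; risk closed"))
    else:
        entry.history.append((when, "retest failed; risk remains open"))
    return entry


def register_metrics(entries, today):
    """Leadership KPIs: open items by severity and share of open items within SLA."""
    open_items = [e for e in entries if e.status == "Open"]
    by_sev = {}
    for e in open_items:
        by_sev[e.severity] = by_sev.get(e.severity, 0) + 1
    within = sum(1 for e in open_items if today <= e.due)
    pct = round(100 * within / len(open_items)) if open_items else 100
    return {"open_by_severity": by_sev, "pct_open_within_sla": pct}


if __name__ == "__main__":
    # CONSTRUCTED sample: the chapter's F-001 SQL injection finding with an
    # assumed severity, asset and report date.
    f001 = Finding("F-001", "SQL injection in patient search", "sql_injection",
                   "Critical", "patient portal (assumed)", date(2024, 3, 1))
    entry = import_finding(f001, "Application Engineering Manager", "R-0101")
    apply_retest(entry, passed=False, when=date(2024, 3, 12))
    print(entry)
    print("escalation:", escalation_level(entry, date(2024, 3, 20)))
    print(register_metrics([entry], date(2024, 3, 20)))
```

The history list is the part an auditor will ask for: it shows when the finding entered the register, each failed retest, and the verified closure, without anyone editing the original dates. The escalation thresholds are deliberately derived from the same SLA table so that a policy change in one place moves both the deadline and the escalation points.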
Exercise 40.9: GDPR Penetration Testing Considerations
You are a US-based penetration testing firm engaged to test a European company's web application that processes EU personal data. Address the following:
- What GDPR obligations arise from your role as a data processor?
- Draft the key clauses of a Data Processing Agreement (DPA) for this engagement
- How should you handle personal data encountered during testing?
- What additional documentation or controls are needed compared to a non-GDPR engagement?
- What are the data transfer considerations if testing data is stored in the US?
Exercise 40.10: NIS2 Impact Analysis
Research the NIS2 Directive and create an impact analysis for a medium-sized hospital in Germany. Address:
- Does the hospital qualify as an "essential" or "important" entity? Why?
- What specific cybersecurity measures does NIS2 Article 21 require?
- What security testing obligations arise from NIS2?
- What incident reporting obligations apply?
- What penalties could the hospital face for non-compliance?
- How should the hospital's penetration testing program be structured to meet NIS2 requirements?
Exercise 40.11: DORA Compliance Assessment
A European bank needs to establish a DORA-compliant digital operational resilience testing program. Design the program by addressing:
- What basic testing requirements apply to all financial entities under DORA?
- Does this bank need to conduct Threat-Led Penetration Testing (TLPT)? Under what conditions?
- How often must TLPT be conducted?
- What are the requirements for TLPT providers (threat intelligence and red team)?
- What is the TIBER-EU framework and how does it relate to DORA TLPT?
- How should results be shared with the competent authority?
Exercise 40.12: Compliance-Driven Pentest Scoping
You receive three RFPs. For each, determine the compliance-specific scoping requirements:
RFP 1: A US hospital needing to demonstrate HIPAA compliance
RFP 2: A European online retailer subject to PCI DSS and GDPR
RFP 3: A UK-based bank subject to PCI DSS, FCA regulations, and DORA
For each RFP, specify:
1. Which compliance frameworks drive the testing requirements
2. What specific testing must be included
3. What methodology is required or recommended
4. What tester qualifications are needed
5. What special reporting or evidence requirements exist
Exercise 40.13: Risk Acceptance Documentation
MedSecure's CISO has decided to accept the risk of the TLS 1.0 finding (F-008) because the legacy internal application cannot be upgraded within the next 12 months. Draft a formal risk acceptance document that includes:
- Finding description and current risk rating
- Business justification for risk acceptance
- Compensating controls in place
- Residual risk assessment
- Review date and conditions for re-evaluation
- Approval signatures required
- Monitoring requirements during the acceptance period
Exercise 40.14: Board-Level Security Metrics
Design a quarterly security metrics dashboard for MedSecure's board of directors. Include:
- Key metrics to track (at least 8)
- Visualization recommendations for each metric (chart type, thresholds, targets)
- How penetration testing results feed into each metric
- Trend indicators (improving, stable, declining)
- Benchmark sources (industry comparisons)
Mock up the dashboard layout (can be hand-drawn or described in detail).
Exercise 40.15: Multi-Regulation Compliance Test Plan
A fintech company based in New York with European customers must comply with PCI DSS, NY DFS 23 NYCRR 500, SOC 2, and GDPR. Design a single penetration testing engagement that satisfies all four frameworks:
- Define the scope that covers all regulatory requirements
- Identify methodology requirements from each framework
- Create a testing checklist that maps test cases to regulatory requirements
- Specify reporting format and content to satisfy all four audiences (PCI QSA, NY DFS examiner, SOC 2 auditor, GDPR DPA)
- Determine tester qualification requirements
Exercise 40.16: Compliance Failure Analysis
Research the 2013 Target breach in detail. Write a 500-word analysis addressing:
- What PCI DSS requirements were Target compliant with at the time of breach?
- What security failures existed despite PCI compliance?
- How did the attackers exploit gaps between compliance and actual security?
- What lessons does this teach about the relationship between compliance and security?
- How could penetration testing have identified the gaps that led to the breach?
Exercise 40.17: International Regulatory Comparison
Compare the cybersecurity regulatory approaches of three countries/regions:
- United States (sectoral approach: HIPAA, PCI DSS, GLBA, state laws)
- European Union (comprehensive approach: GDPR, NIS2, DORA)
- Singapore (Cybersecurity Act)
For each, assess:
1. Regulatory philosophy (prescriptive vs. risk-based)
2. Security testing requirements
3. Enforcement mechanisms and penalties
4. Impact on penetration testing market and practice
Exercise 40.18: Three Lines of Defense Exercise
For MedSecure's penetration testing program, identify specific roles and responsibilities for each line of defense:
First Line (Operations):
- Who receives pentest findings?
- Who is responsible for remediation?
- What SLAs should apply?
Second Line (Risk/Compliance):
- Who commissions pentests?
- Who reviews reports?
- Who tracks remediation metrics?
Third Line (Internal Audit):
- How does audit validate the pentest program?
- What should audit independently test?
- How does audit report to the board?
Create a RACI (Responsible, Accountable, Consulted, Informed) matrix for the penetration testing lifecycle across all three lines.