Lately, VAPT has become an industry security standard for ensuring that your company’s IT infrastructure is safe and secure from cyber-attacks. Although it might seem like a single process, it is not. VA, short for Vulnerability Assessment, is typically an automated process for discovering the security loopholes and vulnerabilities in a system. PT, short for Penetration Testing, goes a step further than the VA: it helps in understanding the impact of each vulnerability by attempting to exploit it.
Nowadays many standards and regulations require you to perform VAPT in India on your network, web application, etc. to pass their assessment. The scope of VAPT may vary for each assessment depending on the type of industry and the standard/regulation you need to comply with. This article covers such standards/regulations, which require carrying out VAPT as a part of their process. Let’s get started.
1. HIPAA (For Healthcare Companies/Applications)
HIPAA stands for the Health Insurance Portability and Accountability Act. It supports data security and the protection of patient health information by enforcing the security controls required to achieve confidentiality, integrity, and availability.
As per the official website,
“HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.”
Even though HIPAA does not mention VAPT explicitly in the act, it does require a risk analysis, which essentially requires covered entities to test their security controls. Additionally, NIST has released a special recommendation for HIPAA which states that,
“Conduct trusted penetration testing of the effectiveness of security controls in place, if reasonable and appropriate. This validates your exposure to actual vulnerabilities.”
2. PCI DSS (For Financial Organizations/Applications)
The Payment Card Industry Data Security Standard (PCI DSS) is the security standard that must be followed by all merchants who store, process, or transmit cardholder data. It ensures that cardholder data is safe and secure from bad actors. You can follow the detailed guide on security audit testing in India.
Although PCI DSS has existed for years, penetration testing was included in the process only recently. PCI DSS 3.2 differentiates between a vulnerability scan (requirement 11.2) and a penetration test (requirement 11.3), both of which are necessary for PCI DSS compliance. The scope of the tests includes everything that can impact the security of the Cardholder Data Environment (CDE), and all of it should be examined for vulnerabilities. If a system is completely isolated from the CDE and does not affect the integrity of the CDE, then it can be treated as out of scope.
3. RBI Guidelines for Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBS)
With the IT revolution, banks have become dependent on IT for their day-to-day operations. As a result, there have been increasing cyber-attacks on the financial sector, including banks. This calls for a strong cybersecurity strategy to be in place to safeguard their IT infrastructure from such cyber-attacks. This led the Reserve Bank of India (RBI) to create a basic cyber security framework that must be followed by all Urban Cooperative Banks (UCBs).
Even though the framework does not specifically define the need for VAPT as part of the process, it requires identifying weak/vulnerable areas in IT systems and processes, which is generally achieved by VAPT. As per the RBI guidelines:
“Identify weak/vulnerable areas in IT systems and processes. Put in place a suitable Cyber Security System to address them. A proper record should be kept of the entire process to enable supervisory assessment.”
4. SEBI Cyber Security & Cyber Resilience Framework for Stock Brokers / Depository Participants
Like the RBI, the Securities and Exchange Board of India (SEBI) has also released a Cyber Security & Cyber Resilience framework to ensure that entities have robust cybersecurity frameworks in place. Needless to say, all Stock Brokers and Depository Participants registered with SEBI are required to comply with this framework.
The framework specifically mentions the need to carry out Vulnerability Assessment and Penetration Testing (VAPT) in Annexure–1. It requires all Stock Brokers and Depositories to conduct regular vulnerability assessments of the IT infrastructure exposed to the internet.
Regarding penetration testing, the framework states that,
“Stock Brokers / Depository Participants with systems publicly available over the internet should also carry out penetration tests, at least once a year, in order to conduct an in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks that are exposed to the internet.”
Not only that, it also mentions the need to perform VAPT before introducing new systems:
“In addition, Stock Brokers / Depository Participants should perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system that is accessible over the internet.”
5. Tools for Building SOC (VAPT Required)
Security Operation Centres (SOCs) have become an integral part of today’s cyber defense strategies. They help monitor and prevent threats in real time. To build an effective and high-functioning SOC, you need to select the right combination of tools and the right people. When it comes to the tools, it is recommended to invest in vulnerability scanners and penetration testing tools that enable security analysts to hunt for security vulnerabilities and discover unknown flaws inside your organization’s network.
6. VAPT for ISO 27001 Compliance
Vulnerability Assessment and Penetration Testing (VAPT) is an essential component of an ISO/IEC 27001:2013 Information Security Management System (ISMS). ISO 27001 control objective A12.6 (Technical Vulnerability Management) states that,
“Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.”
Winding Up
In conclusion, performing VAPT has become, or will become, an essential part of many standards and regulations. If you are still wondering whether you should do it or not: you should. Regular VAPT will help your organization find the security flaws in its IT infrastructure and hence protect it from cyber breaches.