Pen Testing is a Key Element of a Security Program, but How Do You Test the Test?
SPARK Institute, through the work of its Data Security Oversight Board (DSOB), developed guidelines for how record keepers can properly communicate with plan sponsors about highly sensitive Penetration Testing, or Pen Tests. These guidelines are not intended to provide recommendations on how to perform penetration tests or guarantee against a data breach or loss. Instead, these best practices outline what record keepers can do to share information that is extremely confidential with clients, and what those clients should expect as they evaluate a record keeper’s security programs.
“A Pen Test is performed to look for and highlight vulnerabilities in your defenses.” said Tim Rouse, Executive Director for the SPARK Institute. “So, clearly such information should only be disseminated on a Need to Know Basis,” he added. This is particularly important for recordkeepers who are responsible for protecting millions of participant records and billions of dollars in retirement savings. However, plan sponsors want to know that a record keeper is adequately protecting their employees’ data and accounts.
Some plan sponsors have even asked for copies of Pen Test results, which record keepers routinely decline to provide. SPARK’s DSOB has now provided these guidelines to help bridge the gap between record keepers and their clients. Although SPARK members consider the release of penetration test results to any external parties valid only in rare and exceptional situations, there is information record keepers can provide. At a minimum SPARK recommends sharing the type of testing conducted, date(s) of the testing, who performed the testing and an acknowledgement that any critical or high vulnerability findings were remediated or will be remediated by a certain date.
“We understand that clients rightfully want to know that their data is being effectively protected” said Doug Peterson, Chief Information Security Office for Empower and SPARK’s DSOB Chair. Peterson went on to say, “as an industry we should acknowledge that tests are being performed, how often, by who, that issues are being found and most importantly that these issues are being remediated.”
About The SPARK Institute
The SPARK Institute represents the interests of a broad-based cross section of retirement plan service providers and investment managers, including members that are banks, mutual fund companies, insurance companies, third party administrators, trade clearing firms and benefits consultants. Through the combined expertise of its member companies, the Institute provides research, education, testimony and comments on pending legislative and regulatory issues to members of Congress and relevant Government agency officials. Collectively, its members serve approximately 100 million participants in 401(k) and other defined contribution plans.