I'd say no to using the AOC in place of a pen test. You may have multiple pen tests needing to be reviewed annually, e.g. corporate network pen test (all internet-facing IP addresses), product-specific pen tests (each website / application has different functions and vulnerabilities), and security testing of on-premises software.
You will want to request a summary of each of these showing that an external / third party pen tester performed a test, validate the scope, and see how many Critical / High / Med / Low vulnerabilities were found. The vendor should provide an attestation that all findings were remediated within SLA, or show that any findings which were unable to be remediated within their agreed SLA have been entered in a tracker or risk register. You may also choose to open a risk item in your tracker for any of these hanging chads, coming back 3 or 6 months later to confirm closure.
Happy to answer further questions, if this isn't clear. KW
Kate Wakefield CISSP, CIPT, CRISC
Director of GRC
Original Message:
Sent: 8/22/2024 5:34:00 PM
From: Premika Mishra
Subject: RE: Incident Response team vs Third Party Risk Management team
Participation from the TPRM team is important to understanding the breach's scope, the systems affected, and coordinating response efforts with the Incident Response (IR) team. TPRM needs to identify the cause of the breach and evaluate the third party's measures to prevent future occurrences. While the IR team handles the immediate response and recovery, the TPRM team focuses on assessing and managing the risks associated with third-party vendors.