ANSI X9.111:2018

This standard specifies recommended processes for conducting penetration testing with financial service organizations. This standard describes a framework for specifying, describing and conducting penetration testing, and then relating the results of the penetration testing. This standard allows an entity interested in obtaining penetration testing services to identify the objects to be tested, specify a level of testing to occur, and to set a minimal set of testing expectations. Included in this standard are: A conceptual framework for describing penetration testing, including Roles and Responsibilities of participants, Types of penetration test, A generalized penetration testing cycle, General testing methodologies / techniques, Limitations of Penetration testing, Ranking of methodologies, bases of testing effort (testing levels) Engagement and scope of work considerations Test Report guidelines Testing requirements, Security of the testing environment, General practices and methodologies, Tester expertise