If an accredited intermediary creates new infrastructure, e.g. a new AWS account, for each ADR that they are collecting data for, does each account need a penetration test performed on it to comply with the ‘Vulnerability Management’ requirement in Schedule 2 Part 2 of the CDR Rules? It should be noted that each new ADR infrastructure is created from the same build template that has previously been assessed during penetration testing of other ADR infrastructure.
Whether a penetration test is required for each account will depend on the extent to which the new configuration is consistent with the build template.
If the new account is built to the same design and is consistent with the build template, then it would be acceptable to rely on previous testing, provided that testing is within accepted testing/reporting time frames.
However, if each account interacts with a data recipient in a different way, or data recipients have flexibility or freedom in configuring the build, then, depending on the approach used, this may introduce different vulnerabilities and will therefore require penetration testing.