Conduct an IT Health Check or penetration test
Guidance for pension providers, schemes and integrated service providers (ISPs).
Overview
Purpose
An IT Health Check (ITHC) or penetration test is a series of controlled security tests and actions designed to identify security vulnerabilities that might be present in IT infrastructures, systems and applications. You need to conduct an ITHC or penetration test and report on its results and recommendations before you connect to the Pensions Dashboards Programme (PDP) ecosystem.
The ITHC or penetration test must comply with the PDP code of connection.
Who completes this step?
- security lead
For more information, read the full list of roles and responsibilities.
Who can conduct the ITHC or penetration test
Suppliers can be accredited under either or both of the CREST and CHECK schemes.
CREST-accredited suppliers call the service penetration testing.
CHECK-accredited suppliers (CHECK is the NCSC's scheme for testing public sector systems) call the service an IT Health Check. CHECK testers are security-cleared, because the service is used by the public sector.
Before you begin
- Research and engage an independent organisation that is CHECK or CREST accredited.
- Create an ITHC or penetration test plan with your CHECK or CREST supplier.
PDP recommends planning your ITHC or penetration test as soon as possible, as lead times for accredited suppliers and for remediation can otherwise delay your connection.
This guidance is also applicable to organisations with existing engagement with CHECK or CREST accredited suppliers.
ITHC focus areas
Focus areas should include:
- objective and scope
- planning and testing
- remediation and security posture validation
1. Objective and scope
Any environment where live data will be used is in scope.
The scope must, as a minimum, include the areas listed below, as stated in the code of connection. The scope and objectives agreed with the CREST or CHECK supplier should be comprehensive and precise, so that the test identifies security flaws, mitigates risk and validates compliance and performance.
The code of connection requires a single ITHC or penetration test report submission. If you already have multiple test reports that include assets in scope, they should be combined into a single report with any additional testing required.
You need to review all operational environments relevant to your organisation. This needs to include any assets, infrastructure and technology which are critical to business operations and in scope.
These are examples of what you may need to report, but it’s not an exhaustive list. Your technical team will be able to define what’s in scope.
External infrastructure testing
This covers internet-facing systems and all relevant assets that store, process or transmit live pension data, including every in-scope system that provides a service on the internet, for example web servers, DNS servers and security systems such as firewalls.
External systems
Review data security configurations, TLS implementations (supported protocol versions, cipher suites and certificate validity), and exposure to the Open Worldwide Application Security Project (OWASP) Top 10 and other common vulnerability classes.
Firewalls
Review all in-scope firewall configurations and rules for potential weaknesses.
Review network segmentation and protection in place against common attack vectors.
Vulnerability scanning
Conduct manual and automated vulnerability scans to detect external vulnerabilities and attack vectors.
Internal infrastructure testing
This covers all in-scope internal assets that store, process or transmit live pension data, including but not limited to applications, servers, file servers, databases and firewalls.
Database assessment
Assess the security configuration of all database systems across all relevant environments to confirm that proper security measures, such as access controls and encryption, are in place to protect data and prevent unauthorised access.
Vulnerability scanning
Conduct manual and automated vulnerability scans to detect internal vulnerabilities and attack vectors.
Server and network hardening
Review all relevant servers and network hardening across all environments to uncover and disable unnecessary ports and services. Additionally, ensure least privilege access is enforced.
Security gateway and configuration
Review internal security gateway configurations, including firewalls and other security appliances for proper rule enforcement, segmentation, and security controls implementation across all environments.
Wireless configuration (if in scope)
Evaluate wireless configurations across all relevant environments. Review authentication mechanisms and the segmentation of guest and corporate networks to ensure secure communication and access control. Confirm that the latest and most secure Wi-Fi encryption standard, WPA3, is in use.
Remote access
This includes all services that have access to in-scope assets that store, process or transmit live pension data.
VPN services
Evaluate any remote access systems in place that allow remote connection to in-scope assets. Where these solutions involve a VPN, all authentication methods should be tested.
Third-party access
Confirm that all relevant access controls are in place. This includes, but is not limited to, the authentication mechanisms and security measures applied to third-party integrations.
Applications and APIs
This comprises all in-scope applications and APIs that store, process or transmit live pension data.
Applications security testing
Conduct security assessments of all in-scope applications (web and others), using the OWASP Top 10 as the minimum baseline of vulnerability classes to test for. Conduct static and dynamic application security testing (SAST and DAST) to find vulnerabilities in code and in runtime environments.
API assessment
Analyse all in-scope APIs for vulnerabilities.
Code review
Review all serverless functions and code for misconfigurations, insecure code and vulnerabilities.
2. Planning and testing
Define rules of engagement, including establishing and ensuring proper communication with relevant stakeholders to acquire information needed for a successful ITHC or penetration test. This includes:
- security teams
- IT personnel
- legal and compliance teams
Ensure engaged ITHC or penetration testing suppliers have the proper access to systems and information needed for testing and evaluation. This information should include network diagrams, system configurations, security policies and any other relevant documents. These will help your supplier understand your digital environment and identify potential weaknesses.
You may identify potential attack vectors and weaknesses in system design if you conduct an architectural review before testing begins.
3. Remediation and security posture validation
At the end of the test, the engaged supplier should provide an in-depth report outlining all the findings, including the vulnerabilities found, possible effects, severity levels and guidance on remediation.
Security policies and standards may vary across different organisations, but they must adhere to the code of connection.
The Common Vulnerability Scoring System (CVSS) base scores should be included, using CVSS version 3.0 or above.
As a minimum, the report should:
- provide details of the individuals involved in the ITHC or penetration test
- communicate the background, scope and context of the ITHC or penetration test in full
- classify all identified vulnerabilities by both criticality and CVSS scores
- explain all identified vulnerabilities and their potential impact
- provide guidance on remediation of each vulnerability
Every finding should have a remediation plan, target dates and a named responsible owner.
Next steps
Once you have got the results of the ITHC or penetration test, you need to submit the results.
Additional resources
- Code of connection
- CHECK IT Health Check testing
- CREST penetration testing
- National vulnerability database – vulnerability metrics
- CVSS version 4
Support
If you are experiencing issues with the connection portal or have questions about the provided guidance, our support hub is here to help. You can visit PDP’s support hub to get assistance, raise new queries, or report incidents.
Changelog
Last updated: 20 January 2025
20 January 2025
- Added detail '1. Objective and scope' on what may be considered in scope with non-exhaustive examples.
- Added detail to '2. Planning and testing' on conducting an architectural review.
- Added detail to '3. Remediation and security posture validation' on the report requirements.
1 November 2024
In the "Before you begin" section, added note on planning the ITHC or penetration test as soon as possible to avoid delays.