According to Article 12, Paragraph 1 of KVKK, data controllers are obliged to take all necessary technical and administrative measures to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure that personal data are stored in accordance with the law. These measures are detailed in the Personal Data Security Guide published by the Authority and are specified during the notification phase to VERBIS.
First of all, it should be understood what "Penetration Test" means in the Technical Measures table of the Personal Data Security Guide, and what benefits a penetration test provides to organizations.
A penetration test is a security test carried out by "authorized" persons in a "legal" manner to detect logic errors and weaknesses in the information systems in use, so that these vulnerabilities cannot be abused by malicious persons and the systems can be made more secure.
Penetration tests identify whether unauthorized penetration of the information networks is possible; the results are then evaluated with respect to the security vulnerabilities found, and the related deficiencies are eliminated.
The main purpose of a penetration test is to obtain an instant picture of the overall security posture of the system being scanned. Not every finding of this screening, which warns the organization against all possible security threats, will indicate a serious threat. What matters for organizations is to decide which of these findings pose a real threat to the system. As important as it is to have a penetration test performed, it is just as important to evaluate the results and take action accordingly. The common mistake organizations make is to only perform or commission the penetration test, examine the final report, and close only the most urgent gaps.
A penetration test makes a great contribution to the organization by testing and auditing the effectiveness of its security policies and controls; applying the test in depth from both inside and outside; systematizing the application of patches for known vulnerabilities; revealing the risks and threats present in the organization's networks and systems; evaluating the efficiency of network security devices such as firewalls, routers and web servers; providing a comprehensive plan by determining the actions that can be taken to prevent future attacks, penetration attempts and abuse; and identifying whether the existing software, hardware or network infrastructure needs a change or upgrade.
In order for the work performed to make a high level of contribution, management support should be obtained, a risk assessment should be made for each gap, and the closure of the gaps should be followed up.
Having a third party check and report security vulnerabilities in the organization's information systems is one of the first steps of proactive security. No matter how much attention is paid to security, there is no limit to the techniques attackers will use to abuse the system.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.