CTPAT Breakdown: 4.3

Item 4.3

CTPAT Members using network systems must regularly test
the security of their IT infrastructure. If vulnerabilities are
found, corrective actions must be implemented as soon as

Implementation Guidelines

A secure computer network is of paramount importance to a business,
and ensuring that it is protected requires testing on a regular basis. This
can be done by scheduling vulnerability scans. Just like a security guard
checks for open doors and windows at a business, a vulnerability scan
(VS) identifies openings on your computers (open ports and IP
addresses), their operating systems, and software through which a
hacker could gain access to the company’s IT system. The VS does this by
comparing the results of its scan against a database of known
vulnerabilities and produces a correction report for the business to act
upon. There are many free and commercial versions of vulnerability
scanners available.
The frequency of the testing will depend on various factors including the
company’s business model and level of risk. For example, companies
should run these tests whenever there are changes to a business’s
network infrastructure. However, cyber-attacks are increasing among all
sizes of businesses, and this needs to be considered when designing a
testing plan

So IT has to test all devices for vulnerabilities and fix them.


IT would have to deploy a vulnerability scanner such as OpenVAS. Nodes you have to be in each network segment to bypass any firewall restrictions. Testing would also have to be conducted from a remote location to test public access.

Other Programs

  • PCI-DSS: 11

Bookmark the permalink.

Comments are closed.