Document Code: NeftalyP351
Approved By: Chief Executive Officer (CEO)
Date Approved: 31 October 2025
Review Date: 30 November 2026
Policy Owner: Neftaly Chief Human Capital Officer (CHCO), NeftalyCHCR
NeftalyP351-1 Policy Statement
NeftalyP351-1-1 Neftaly is committed to maintaining the integrity, security, and resilience of its digital, operational, and organizational systems. The Neftaly Human Capital Penetration Management Policy (NeftalyP351) defines the framework for performing penetration testing, managing vulnerabilities, and securing Neftaly’s information assets from unauthorized access or cyber threats.
This policy ensures that all penetration testing and related security assessments are conducted ethically, consistently, and in compliance with Neftaly’s governance standards and international best practices for cybersecurity.
NeftalyP351-2 Purpose
The purpose of this policy is to:
- NeftalyP351-2-1 Establish clear guidelines for conducting penetration testing within Neftaly’s digital infrastructure.
- NeftalyP351-2-2 Identify, assess, and mitigate potential vulnerabilities in Neftaly systems and applications.
- NeftalyP351-2-3 Protect Neftaly’s data, intellectual property, and Human Capital information from cyber threats.
- NeftalyP351-2-4 Ensure compliance with Neftaly’s confidentiality, data protection, and risk management frameworks.
- NeftalyP351-2-5 Define responsibilities for authorization, execution, and reporting of penetration tests.
NeftalyP351-3 Scope
This policy applies to:
- NeftalyP351-3-1 All Neftaly Royals, Deputy Chiefs, Officers, and Human Capital involved in IT, cybersecurity, and data management.
- NeftalyP351-3-2 All Neftaly-owned systems, networks, applications, databases, and digital platforms.
- NeftalyP351-3-3 Any external consultants or partners authorized to conduct penetration testing on Neftaly systems.
NeftalyP351-4 Definitions
- NeftalyP351-4-1 Penetration Testing (Pentest): A controlled, authorized simulation of a cyberattack to evaluate system vulnerabilities and security posture.
- NeftalyP351-4-2 Vulnerability Assessment: The process of identifying weaknesses in systems before they can be exploited.
- NeftalyP351-4-3 Ethical Hacker: A certified cybersecurity professional authorized by Neftaly to perform penetration testing.
- NeftalyP351-4-4 Remediation: The corrective action taken to eliminate or reduce identified vulnerabilities.
- NeftalyP351-4-5 Incident Response Team (IRT): A group responsible for managing and responding to cybersecurity incidents or test outcomes.
NeftalyP351-5 Guiding Principles
NeftalyP351-5-1 Authorization First: All penetration testing must be approved by the CEO and CHCO before initiation.
NeftalyP351-5-2 Confidentiality: All test results and findings are confidential and accessible only to authorized personnel.
NeftalyP351-5-3 Integrity: Testing must not disrupt normal operations or compromise data integrity.
NeftalyP351-5-4 Accountability: All findings must be documented and corrective actions tracked to completion.
NeftalyP351-5-5 Compliance: All testing activities must align with Neftaly’s Data Management Policy (NeftalyP137) and Confidentiality Policy (NeftalyP108).
NeftalyP351-5-6 Continuous Improvement: Security practices and protocols must evolve based on test outcomes and threat intelligence.
NeftalyP351-6 Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| CEO | Authorizes penetration testing initiatives and approves final reports. |
| CHCO | Oversees testing activities, ensures compliance with Human Capital data protection, and coordinates response plans. |
| Royal Directors | Ensure departmental systems are available and compliant during tests. |
| Deputy Chiefs / Officers | Support testing processes, provide access to systems, and implement remediation actions. |
| IT Security Team / Ethical Hackers | Conduct penetration testing, document findings, and recommend corrective measures. |
| Governance Office | Maintain records, reports, and compliance documentation. |
NeftalyP351-7 Procedures
NeftalyP351-7-1 Planning and Authorization
NeftalyP351-7-1-1 A Penetration Test Request Form (NeftalyF351-01) must be submitted to the CHCO for review.
NeftalyP351-7-1-2 The CHCO and CEO must approve the request, specifying the scope, duration, and test boundaries.
NeftalyP351-7-1-3 The IT Security Team or approved vendor will be briefed on authorized parameters.
NeftalyP351-7-2 Execution of Testing
NeftalyP351-7-2-1 The testing team conducts vulnerability scans and controlled exploits based on the approved scope.
NeftalyP351-7-2-2 Activities must not affect live operations, data integrity, or confidential information.
NeftalyP351-7-2-3 Any detected critical vulnerability must be reported immediately to the CHCO and Royal Director.
NeftalyP351-7-3 Reporting and Documentation
NeftalyP351-7-3-1 The testing team prepares a Penetration Testing Report (NeftalyD351-01) summarizing findings, severity levels, and recommended actions.
NeftalyP351-7-3-2 Reports are reviewed by the CHCO and Governance Office.
NeftalyP351-7-3-3 Results are confidential and shared only with relevant Royal Divisions.
NeftalyP351-7-4 Remediation and Follow-Up
NeftalyP351-7-4-1 Each Royal Director must ensure identified vulnerabilities are corrected within specified timeframes.
NeftalyP351-7-4-2 A Remediation Report (NeftalyD351-02) must be submitted to confirm completion of corrective actions.
NeftalyP351-7-4-3 Follow-up testing may be scheduled to verify successful remediation.
NeftalyP351-7-5 Review and Continuous Improvement
NeftalyP351-7-5-1 The CHCO conducts post-assessment reviews to evaluate process effectiveness.
NeftalyP351-7-5-2 Lessons learned are documented to enhance Neftaly’s cybersecurity readiness.
NeftalyP351-7-5-3 Policy updates are recommended based on evolving threats or audit findings.
NeftalyP351-8 Processes
| Stage | Action | Responsible Person | Output Document |
|---|---|---|---|
| Request | Submit testing request | Royal Director / IT Officer | NeftalyF351-01 |
| Authorization | Approve and define scope | CHCO / CEO | Authorization Record |
| Execution | Perform penetration test | IT Security Team | NeftalyD351-01 |
| Remediation | Implement corrective actions | Royal Director / Deputy Chief | NeftalyD351-02 |
| Verification | Review and close findings | CHCO / Governance Office | Audit Report |
NeftalyP351-9 Templates, Documents, and Forms
| Code | Name | Purpose |
|---|---|---|
| NeftalyF351-01 | Penetration Test Request Form | Submitted to initiate approval for testing. |
| NeftalyD351-01 | Penetration Testing Report | Summarizes test results, vulnerabilities, and recommendations. |
| NeftalyD351-02 | Remediation Report | Documents actions taken to address vulnerabilities. |
NeftalyP351-10 Compliance
- NeftalyP351-10-1 All penetration testing must comply with Neftaly Data Management Policy (NeftalyP137), Confidentiality Policy (NeftalyP108), and IT Access Policy (NeftalyP004).
- NeftalyP351-10-2 Unauthorized testing or sharing of results is a serious breach of policy and may result in disciplinary action or legal consequences.
- NeftalyP351-10-3 External testers must sign a Non-Disclosure Agreement (NeftalyP321) prior to engagement.
NeftalyP351-11 Monitoring and Review
NeftalyP351-11-1 The CHCO and Governance Office will review all penetration test outcomes and policy compliance annually. Trends, weaknesses, and improvements will be reported to the CEO and Royal Board Committee (NeftalyP431).
NeftalyP351-12 Approval
Policy Owner:
Neftaly Chief Human Capital Officer (CHCO)
Approved By:
Neftaly Malatjie
Chief Executive Officer