A Penetration Test simulates an attack on IT systems. During the testing, the team attempts to find and exploit vulnerabilities to determine what information and access is able to be gained. This is designed to mimic the actions of an attacker exploiting weaknesses in network security without the usual risks.
Internal Penetration testing allows organisations to test if an attacker had the equivalent of internal access how they may have access to perform unauthorised data disclosure, misuse, alteration or destruction of confidential information, including Non-Public Personal Information (NPPI).
The internal network (file servers, workstations, etc.) of the organisation is exposed to threats such as external intruders, after breaching perimeter defences, or malicious insiders attempting to access or damage sensitive information or IT resources. Therefore organisations are encouraged to use penetration testing to test the internal network at least as frequently as they do the external perimeter.
Best Practice recommends that each organisation perform an Internal Penetration Test as part of their regular Security Program in order to ensure the security of their internal network defenses.