• OM-5.2 Internet Security

    • OM-5.2.1

      Licensees providing internet financial services must regularly test their systems against security breaches and verify the robustness of the security controls in place. These tests must be conducted by security professionals, such as ethical hackers, that provide penetration testing services and a vulnerability assessment of the system.

      January 2014

    • OM-5.2.2

      The penetration testing referred to in Paragraph OM-5.2.1 must be conducted each year in June and December.

      January 2014

    • OM-5.2.3

      The vulnerability assessment report, along with the steps taken to mitigate the risks, must be maintained by the licensee for a 5-year period from the date of testing and must be provided to the CBB within two months following the end of the month in which the testing took place, i.e. for the June test, the report must be submitted at the latest by 31st August and for the December test, by 28th February (see Section BR-1.6).

      January 2014