GR-12.2.3

PSPs, AISPs, and PISPs must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least twice a year and all other licensees offering services through digital means must perform such tests at least once a year. The tests must be conducted simulating real world cyber-attacks on the technology environment and must:

(a) Follow a risk-based approach based on an internationally recognised methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
(b) Include both Grey Box and Black Box testing in its scope;
(c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
(d) Be performed by external, independent third parties which must be changed at least every two years; and
(e) Be performed on either the production environment or on non-production exact replicas of the production environment.

Amended: January 2022
Added: July 2021