GR-12.2.3

Past version: Effective from 01 Jul 2021 to 31 Dec 2021

All licensees must perform penetration testing of their systems, applications and network devices at least twice a year to verify the robustness of the security controls in place. These tests must be conducted each year in June and December, simulating real-world cyber attacks on the technology environment, and must:

(a) Follow a risk-based approach based on an internationally recognised methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
(b) Include both Grey Box and Black Box testing in its scope;
(c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
(d) Be performed by external, independent third parties which must be changed at least every two years; and
(e) Be performed on either the production environment or on non-production exact replicas of the production environment.
Added: July 2021