OM-5.5.28

All licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least twice a year. These tests must be used to simulate real-world cyber-attacks on the technology environment and must:

(a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
(b) Include both Grey Box and Black Box testing in its scope;
(c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
(d) Be performed by internal and external independent third parties which should be changed at least every two years; and
(e) Be performed either on the production environment or on non-production exact replicas of the production environment.
Added: July 2021