Entire section Custom print Link Text Only Rich Text Print
  Versions

 

CRA-5.8.13G

All licensees must perform vulnerability assessment and penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least twice a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:

(a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
(b) Include both Grey Box and Black Box testing in its scope;
(c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
(d) Be performed internally at periodic intervals by employees having adequate expertise and competency in such testing;
(e) Be performed, twice a year, by external independent third parties who are rotated out at least every two years; and
(f) Be performed on either the production environment or on non-production exact replicas of the production environment.
Added: April 2023