The Global Financial Markets Association published a set of principles to guide the development of a commonly accepted framework for cybersecurity penetration testing. Penetration testing serves as one of the foremost tools in enabling a robust security program for financial institutions. Such testing allows firms to evaluate their systems and the controls that protect them in order to identify and remediate vulnerabilities, thereby strengthening their infrastructure against cyber threats.
A number of jurisdictions around the world already incorporate penetration testing into their regulatory regimes. The goal of the GFMA proposal is not to compete with existing frameworks but rather to coordinate their development and use, so that financial institutions are able to comply with their supervisory requirements safely, securely and efficiently. The GFMA penetration testing framework is likewise aligned with the G-7’s broader recommendations on how institutions can conduct effective cybersecurity assessments, promoting safe and effective testing methods.
Suggested first steps:
- Agreeing upon independent governance and assurance standards sponsored by an existing, identified voluntary international industry consensus standards body;
- Identifying qualification standards to rigorously certify individual assessors, teams of assessors and assessor organizations, all of which are equally accessible for in-house resources as well as third-party vendors; and
- Identifying quality standards for the technical delivery, evidence collection and reporting for all associated assessment methodologies to ensure they are performed to appropriate levels.