Security programmes often look great on paper. But, post implementation, have you confirmed that:
- You’ve chosen the right measures?
- You’ve implemented them effectively?
- As your risks change with time, your defences remain effective?
Security testing, including penetration testing, can provide valuable insights into all three questions.
DORA: digital operational resilience testing
‘Digital operational resilience testing’ is a DORA (Digital Operational Resilience Act) pillar – and for good reason.
Regular testing reveals potential entry points for cyber attacks: how might your defences actually be breached? Knowing this lets you remediate vulnerabilities before attackers can exploit them, and stay ahead of evolving threats.
Simulated attacks and red team testing also allow you to evaluate how well you can withstand and recover from a security incident. This can inform your incident response and business continuity plans, and help minimise downtime and damage from a real incident.
In other words, testing improves your operational resilience.
What is penetration testing?
Penetration testing entails a systematic process of probing for vulnerabilities in your systems.
It’s also known as ‘ethical hacking’: the ‘attackers’ act on your behalf to find and test weaknesses threat actors could exploit.
An experienced and qualified penetration tester can mimic the techniques used by criminals without causing damage. These tests can also be conducted outside business hours, or when networks and applications see the least use, minimising the impact on everyday operations.
After testing, you’ll receive a report that:
- Details any identified vulnerabilities;
- Where possible, demonstrates proof of concept; and
- Offers advice on how to mitigate identified vulnerabilities.
DORA requirements for penetration testing
DORA essentially sets out two levels of penetration testing:
- At least annual testing of ICT tools and systems.
- Advanced testing based on TLPT (threat-led penetration testing), carried out at least every three years, but competent authorities may request financial entities to increase or reduce this frequency.
The Regulation specifies that tests must use “a range of assessments, tests, methodologies, practices and tools” (Article 24(2)). Organisations must determine for themselves what to do to properly assess their defences and resilience measures, in line with the proportionality principle.
One thing worth bearing in mind is your ICT supply chain. If you’re a financial institution running a critical or important service in the cloud, for example, you may need to contractually enforce (pass on) the testing requirement to your supplier(s).
Penetration testing scope under DORA
Suppose a financial entity asks you, an ICT service provider or vendor, to conduct a penetration test to comply with DORA. What now?
First, get clarity on the scope.
The scope should include any services or systems that support the financial entity’s critical or important functions. Also be clear on the type of test required: external infrastructure, internal infrastructure, web application, etc.
Finally, are there specific objectives you need to test for – whether certain information can be exfiltrated, for example?
Verify the testing scope with the financial entity before reaching out to a testing company.
Address your vulnerabilities with a DORA Security Penetration Test
Our subscription-based DORA Security Penetration Test will provide you with comprehensive reports and DORA-compliant recommendations, so that you can address any identified vulnerabilities.
The tests can include:
- Vulnerability scanning
- Web application testing
- External penetration testing
- Open-source intelligence gathering
- Scenario-based testing
- Phishing assessment
Work with one of the leading penetration testing organisations in Europe, offering one-to-one expert advice at any stage of the engagement.
The post A Guide to Meeting the DORA Penetration Testing Requirements appeared first on IT Governance Blog.