Resilience testing
You must test all critical ICT systems and applications at least yearly.
Yes, you read this correctly.
Let’s understand what it means in reality.
As part of the ICT risk management framework, you should have a sound and comprehensive digital operational resilience testing programme. The testing aims to assess preparedness for ICT-related incidents, identify weaknesses and gaps, and promptly implement corrective controls.
This process does not work without a risk-based approach that considers the evolving landscape of ICT risks and any specific risks the financial institution faces. The organisation shall ensure that tests are undertaken by independent parties, whether internal or external. Using an external party is simpler, but it comes with a price tag. A test conducted by an internal resource is cheaper, but the organisation must then ensure that conflicts of interest are avoided throughout the design and execution phases of the test.
The testing methodology must include the full range of appropriate tests and be broadly split into security and continuity testing.
Security tests include:
- vulnerability assessments and scans
- open source analyses
- network security assessments
- gap analyses
- physical security reviews
- questionnaires and scanning software solutions
- source code reviews where feasible
- scenario-based tests
- compatibility testing
- performance testing
- end-to-end testing
- penetration testing
When should those tests be performed? As usual, it depends, but an organisation should use a risk-based approach to manage this activity. For example, some financial institutions (central securities depositories and central counterparties) shall perform vulnerability assessments before any deployment or redeployment of new or existing services supporting critical functions, applications and infrastructure components.
Some of the most significant institutions will be required to conduct threat-led penetration testing, also known as red team penetration testing. Threat-led penetration testing shall cover at least a financial entity's critical functions and services and shall be performed on live production systems supporting such functions. The precise scope of threat-led penetration testing, based on an assessment of critical functions and services, must be determined by the financial entity and validated by the competent authorities.
Once the test is completed, the tester will submit the results to the financial institution and competent authorities. Competent authorities shall validate the documentation and issue an attestation.
Business Continuity and Disaster Recovery testing
Financial entities shall identify all relevant underlying ICT processes, systems and technologies supporting critical functions and services, including functions and services outsourced or contracted to ICT third-party service providers.
An organisation should have comprehensive business continuity policies and disaster recovery plans as an integral part of its operational business continuity policy. The objective is prompt recovery after ICT-related incidents, particularly cyber-attacks, by limiting damage and prioritising the safe resumption of activities.
Financial entities shall implement, maintain and periodically test appropriate ICT business continuity plans, notably about critical or important functions outsourced or contracted through arrangements with ICT third-party service providers.
Organisations should test BCP/DR at least yearly and after substantive changes to the ICT systems, as part of their comprehensive ICT risk management.
The testing results should be documented and followed up to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.
For more details, check out our testing services here.
Need help defining and implementing pragmatic Business Continuity plans with Disaster Recovery capabilities? Contact us.