BRSA Compliant Penetration Test
The banking and finance sector is one of the sectors most exposed to cyber attacks, and these attacks often cause financial and reputational losses.
Because With the "Communiqué on the Principles to be Taken as a Basis in the Management of Information Systems in Banks" published by the BRSA, dated 24.07.2012 and numbered B.02.1.BDK.0.77.00.00/010.06.02-1, including the management of the risks and security gaps that the bank information systems may be exposed to, The minimum procedures and principles to be taken as a basis in the management of the information systems used by banks in the performance of their activities have been regulated.
As stated in the third paragraph (ç) of the article 7 titled "Establishment and management of the security control process" of the second part of the communiqué titled "Risk Management Regarding Information Systems";
“Processes are established to ensure that the reliability and consistency of information systems are regularly reviewed. In this framework, infiltration tests are conducted at regular intervals by independent teams that do not have any executive duty to fulfill the requirements of security-related provisions. Current developments and new vulnerabilities in the field of security are followed, necessary software updates are made, and necessary patches are applied.”
Penetration tests have been made mandatory for the banking sector.
Since the types of cyber attacks that can be carried out against information systems show a rapid development and change, the frequency of the penetration test, which is required to be carried out at regular intervals and made compulsory by the provision in the third paragraph of the article 7 of the relevant communiqué published with the Decision of the Banking Regulation and Supervision Agency. It was decided that it should be done at least once a year.
With this decision, all institutions operating in the banking sector that need high security; networks, systems, hardware, software and users must be tested in line with various scenarios subject to certain conditions approved by the BRSA, and the data obtained after the tests must be presented in a report. Thus, the vulnerabilities and possible security risks of the information systems in the institution have been identified and it becomes possible to initiate studies to close the identified vulnerabilities.
How to Perform BRSA Compliant Penetration Test?
According to the circular issued by the BRSA, the studies to be carried out within the scope of penetration tests consist of at least the following headings:
- External Network Penetration Test
- Communication Infrastructure and Active Devices
- Domain and User Computers
- DNS Services
- Email Services
- Database Systems
- Web Applications
- Wireless Network Systems
- Decommissioning Tests
- Social Engineering Tests
- Internal network (intranet) Penetration Test
- Mobile Apps
- Cash Machine (ATM) Systems
- Source Code Analysis