BRSA Compliant Penetration Test

As stated in the third paragraph (ç) of the article 7 titled "Establishment and management of the security control process" of the second part of the communiqué titled "Risk Management Regarding Information Systems"; 

“Processes are established to ensure that the reliability and consistency of information systems are regularly reviewed. In this framework, infiltration tests are conducted at regular intervals by independent teams that do not have any executive duty to fulfill the requirements of security-related provisions. Current developments and new vulnerabilities in the field of security are followed, necessary software updates are made, and necessary patches are applied.” 

Penetration tests have been made mandatory for the banking sector.

Since the types of cyber attacks that can be carried out against information systems show a rapid development and change, the frequency of the penetration test, which is required to be carried out at regular intervals and made compulsory by the provision in the third paragraph of the article 7 of the relevant communiqué published with the Decision of the Banking Regulation and Supervision Agency. It was decided that it should be done at least once a year.

With this decision, all institutions operating in the banking sector that need high security; networks, systems, hardware, software and users must be tested in line with various scenarios subject to certain conditions approved by the BRSA, and the data obtained after the tests must be presented in a report. Thus, the vulnerabilities and possible security risks of the information systems in the institution have been identified and it becomes possible to initiate studies to close the identified vulnerabilities. 

How to Perform BRSA Compliant Penetration Test? 

According to the circular issued by the BRSA, the studies to be carried out within the scope of penetration tests consist of at least the following headings: