FCA Penetration Testing

01 Aug, 2020


Compliance responsibilities of businesses cover various national, regional, and industry-specific laws and regulations. In our previous posts, we have discussed the penetration testing and vulnerability scanning requirements for complying with ISO 27001, PCI DSS, and NIST 800-171. In this article, we discuss penetration testing for FCA authorization and how BreachLock helps its clients fulfil the requirements.

The Financial Conduct Authority (FCA) is the UK regulatory authority responsible for regulating financial service firms. Overall, it covers over 58,000 businesses employing 2.2 million individuals across the United Kingdom. For a financial service firm to operate in the UK, it must first seek authorization from the FCA. This authorization process involves filling in an IT Self-Assessment Questionnaire.

Role of IT Self-Assessment Questionnaire

The questionnaire consists of 6 sections and 26 questions. The possible answers are yes, no, and not applicable. The answers determine whether the applicant needs to complete an IT Controls Form and, if so, which one.

A firm has to complete the Detailed IT Controls Form if:

  • the applicant firm is a bank or a multilateral trading facility
  • the applicant firm has answered “Yes” to any question in Section 2

An applicant firm has to complete the IT Controls Form if it has answered “Yes” to more than four questions in Sections 4, 5, and 6. If an applicant firm answers “No” to all the questions in Section 1, or answers “Yes” to four or fewer questions in Sections 4, 5, and 6, it does not need to complete either of the IT Controls Forms. For this article, we are considering the requirements from the Detailed IT Controls Form.

Penetration Testing Requirements for FCA Authorization

The Detailed IT Controls Form has seven sections, and each section has a specified objective and requirements to achieve. Since we are focussing on penetration testing in this article, the following requirements are relevant:

Section 2: IT Risk Management
  • 2.04: Does the firm regularly audit its IT systems and controls?

Section 3: Project and Change Management
  • 3.1.01: A firm must have a tested system in place at least two weeks before it seeks authorization from the FCA.
  • 3.5.05: A firm must complete and sign off testing at least two weeks before it seeks authorization from the FCA.
  • 3.6.01: Have the firm's systems been reviewed in the last 12 months (or in the 12 months before launch) by internal/external audit or a qualified independent party?
    (Requirement 3.6.02 expects an applicant firm to state the frequency of these reviews and audits.)

Section 5: Information Security Controls
  • 5.2: Implementation of basic information security practices:
      - Encryption of sensitive data
      - Secure transmission of data
      - Implementation of firewalls, DMZs, and IPS
      - Data storage on removable media devices
      - Password protection and physical security
      - Installation of software and applications on firm computers
      - Implementation of a firm-wide access level system
      - Separation between development, testing, and deployment environments
  • 5.4: Effective monitoring, reviewing, and testing of security:
      - IDS, log analysis, and reporting
      - Administrator access
      - Reviewing the access level system twice a year and removing unnecessary user access rights
      - Independent network penetration test and correction of weaknesses: before launch and annually
    (A firm must conduct independent internal and external penetration testing and confirm that vulnerabilities have been fixed at least two weeks before launch.)

Section 8: Supporting Documents
  • 8.12: A firm must attach its penetration testing report, containing the testing scope, results, planned frequency, and steps taken to mitigate vulnerabilities.

How does BreachLock help?

It is clear from the above discussion that the FCA expects financial service companies to perform penetration testing at regular intervals. To meet FCA requirements, BreachLock offers end-to-end security testing that covers web applications, mobile applications, servers, networks, cloud environments, and APIs. While annual penetration testing is mandatory, the FCA also expects firms to conduct penetration tests when there is a modification or change in the supporting network infrastructure. Through our cloud platform, our clients can order tests and re-tests with a few clicks. Our approach combines the knowledge of human experts with AI-based automated tools to offer comprehensive penetration testing services to our clients. Get in touch with BreachLock experts today!