Penetration Testing Requirements
Answer by Mary Beth Guard and Clayton Hoskinson, BOL Gurus
Question: Are there any requirements or criteria for penetration testing? Can we perform the penetration testing ourselves? If we hire a third-party vendor, should we require documentation saying they are authorized by the regulators to perform the tests or that the testing will meet certain standards? Does the penetration testing requirement apply only to the wired network, or do we have to have penetration testing on the wireless network as well?
Answer by Mary Beth Guard:
The Interagency Guidelines for Safeguarding Customer Information ("the InfoSec Guidelines") require each financial institution to put into place a program of appropriate administrative, technical and physical safeguards to protect customer information. Those safeguards may, depending upon the size of the institution, the nature of its information storage and usage, and other factors, include such things as intrusion detection systems, logical access controls and more. It is not enough to put those safeguards into place, however. The InfoSec Guidelines also require you to test the efficacy of the safeguards. Specifically, the Guidelines state that you should:
    Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by your risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
This would include penetration testing of your network, attempting to get around firewalls (software and hardware), and identifying weaknesses in passwords or other access codes.
Answer by Clayton Hoskinson:
To my knowledge, there is no "authorization" from any federal or state regulatory agency for pen-testing firms. Self-testing is possible, as long as the institution can convince its regulators that the testing that was done was independent of the operations unit that administers that part of the operation. As to your question on testing of wired or wireless networks, there is certainly no exemption from the testing requirement for either wired or wireless networks.
First published on BankersOnline.com 1/6/03