On 3 April 2018, the Global Financial Markets Association (GFMA) published A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry. The framework provides a guide for the development of a cyber security penetration testing framework comprising a four-phase testing lifecycle:
- Threat intelligence phase – a firm’s internal intelligence should be augmented by government agencies and sector level financial industry resources. Final threat intelligence scenarios should be approved by regulators, where applicable;
- Planning phase – test activities should be prioritised and scheduled according to threat intelligence and regulator input in planning the scope of the exercise;
- Testing phase – testing should begin after operational planning and attack methodologies are agreed upon; and
- Analysis and response phase – this phase includes the development of executive / technical reports and associated firm responses.