Define the test requirements for each testing program.


CONTROL ID
13177
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a testing program., CC ID: 00654

This Control has the following implementation support Control(s):
  • Include test requirements for the use of human subjects in the testing program., CC ID: 16222


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • When creating and using a test card, it is necessary to clarify the purpose and establish a system to manage the test card at the time of card creation and from the start to the end of card usage. (P107.12. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The FI should trace the requirements during the testing phase, and ensure each requirement is covered by appropriate test cases. (§ 5.7.2, Technology Risk Management Guidelines, January 2021)
  • It is essential for the FI to establish a comprehensive strategy to perform application security validation and testing. The FI may use a mixture of static, dynamic and interactive application security testing methods (refer to Annex A on Application Security Testing) to validate the security of the… (§ 6.1.6, Technology Risk Management Guidelines, January 2021)
  • security testing (including reviews) to identify vulnerabilities and confirm information security requirements have been met. The nature of testing would be commensurate with the scope of the change and the sensitivity and criticality of the impacted information asset (refer to Attachment H for exam… (47(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Under CPS 234, an APRA-regulated entity must annually review and test its information security response plans to ensure they remain effective and fit-for-purpose. It is important that the success criteria for such tests are clearly defined, including the circumstances under which re-testing would be… (74., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • It is important that success criteria for tests are clearly defined, including the circumstances under which re-testing would be required. Test results would be reported to the appropriate governing body or individual, with associated follow-up actions formally tracked and reported. (81., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Under CPS 234, an APRA-regulated entity must ensure that testing is conducted by appropriately skilled and functionally independent specialists. For an APRA-regulated entity to have confidence in the quality of testing, it is important that testers are sufficiently independent in order to provide a … (82., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • The nature of testing would be a function of the type of control, and would typically consider a variety of testing approaches informed by contemporary industry practices (refer to Attachment G for further guidance). (80., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Where an APRA-regulated entity's information assets are managed by a related party or a third party, and the APRA-regulated entity is reliant on that party's information security control testing, the APRA-regulated entity must assess whether the nature and frequency of testing of controls in respect… (28., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • the criticality and sensitivity of the information asset; (27.(b), Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • the risks associated with exposure to environments where the APRA-regulated entity is unable to enforce its information security policies; and (27.(d), Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • Financial institutions should ensure that tests of security measures are conducted in the event of changes to infrastructure, processes or procedures and if changes are made because of major operational or security incidents or due to the release of new or significantly changed internet-facing criti… (3.4.6 45, Final Report EBA Guidelines on ICT and security risk management)
  • Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise contro… (CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program, CIS Controls, V8)
  • In contrast, a deficiency in the operation of a control exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A service organization may be able to corr… (¶ 3.102, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service auditor has identified design deficiencies, the service auditor generally would not test the operating effectiveness of those controls. However, in certain circumstances, report users may expect management to identify the control in the description and may expect the service auditor t… (¶ 3.109, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • may include testing relied on in an evaluation under section 3555; and (§ 3554(b)(5)(B), Federal Information Security Modernization Act of 2014)
  • Determine whether the institution relies on proxy testing. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12:8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. (TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Proxy testing. (App A Objective 10.2.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Confidentiality, integrity, and availability of the institution's information. (App A Objective 10.2.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Validate specifications and requirements for testability. (T0393, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Determine whether executable code testing should be performed to find vulnerabilities not identified by previous reviews, analysis, or testing and, if so, which types of testing should be used. (PW.8.1, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Validate specifications and requirements for testability. (T0393, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)