12 new national NIS2 framework versions published! Read more ->
Cyberday back to normal - related blog
1. The digital operational resilience testing programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.
2. Central securities depositories and central counterparties shall perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions of the financial entity.
3. Microenterprises shall perform the tests referred to in paragraph 1 by combining a risk-based approach with a strategic planning of ICT testing, by duly considering the need to maintain a balanced approach between the scale of resources and the time to be allocated to the ICT testing provided for in this Article, on the one hand, and the urgency, type of risk, criticality of information assets and of services provided, as well as any other relevant factor, including the financial entity’s ability to take calculated risks, on the other hand.
Organization's resilience testing programme is prepared for providing all the necessary supporting expert work for the chosen resilience testing operations. This may include e.g. performance testing, end-to-end testing, penetration testing or source code reviews.
Related resilience testing operations can e.g. include vulnerability scans, other scanning software use, network security assements, physical security reviews or other kinds of gap analyses.
The organization regularly conducts a vulnerability scan, which searches for vulnerabilities found on computers, workstations, mobile devices, networks or applications. It is important to scan even after significant changes.
It should be noted that vulnerable source code can be from operating system software, server applications, user applications, as well as from the firmware application as well as from drivers, BIOS and separate management interfaces (e.g. iLo , iDrac). In addition to software errors, vulnerabilities occur from configuration errors and old practices, such as the use of outdated encryption algorithms.
Static scans on code are the first step in detecting risky vulnerabilities. However, once a service has been deployed, it is vulnerable to new types of attacks (e.g., cross-site scripting or authentication issues). These can be identified by penetration testing.
.png)
