Abstracts

The presentation shows how security testing can be carried out in such a way that the requirements of relevant regulations are met. This will be illustrated using the example of the EU regulation ‘Digital Operations Resiliency Act (DORA)’, which aims to strengthen the resilience, reliability and continuity of financial services in the EU and must be implemented in the financial sector by 17 January 2025.

This regulation imposes new requirements on service providers (and third-party providers of their critical services) to prevent, mitigate and reduce the impact of disruptions to digital operational services provided by financial organisations.<

Specifically, it requires:

• Establish an annual security testing programme (e.g. network security testing, penetration testing, web app testing, social engineering, etc.) conducted by certified and experienced internal or external auditors.
• Conduct an Advanced Threat Led Penetration Test (TLPT) for critical infrastructures and services at least once every three years. This must be carried out by certified and experienced internal or external auditors.
• Include third-party ICT providers of critical services in the scope of the TLPT.
• Ensure that all issues identified through re-testing or revalidation are resolved.
• Utilise an external threat intelligence function.
• Provide certification reports, summaries of findings and remediation plans to the relevant authorities upon completion of the TLPT.

Practical, tool-based application examples will be used to show how these challenges can be overcome as part of a comprehensive security testing methodology.

In particular, we consider the following questions:

• How does DORA influence the requirements and approach to IT security testing?
• How can organisations meet DORA requirements while maintaining effective IT security testing?
• What measures and controls are required to verify the resilience of digital operations according to DORA requirements through IT security testing ?