HM Treasury has published a third guidance document drafted by the G7 Cyber Expert Group, entitled "G7 Fundamental Elements for Threat-Led Penetration Testing". The guidance is part of a collection of documents, the so-called "G7 Fundamental Elements series", provided by the Group to assist firms, supervisory authorities, and third parties alike in their handling and monitoring of cyber security risks.
This particular guidance appears to have been developed already in 2018, although it was not published in the UK until now. It is intended to assist financial market participants in assessing their cyber resilience through simulated cyber attacks and provides guidance to competent authorities "considering the use of Threat-Led Penetration Testing (TLPT) within their jurisdictions".
Besides some general questions discussed in the document, such as
– what is Threat-Led Penetration Testing?
– what is the purpose or intention of a TLPT?
– who are TLPTs suitable for?
the guidance describes in detail the steps involved in Threat-Led Penetration Testing and the assignment of roles and responsibilities along the way. The key steps are briefly outlined below:
(1) The determination of the scope of the TLPTs, the definition and implementation of specific risk management measures to mitigate any possible risks resulting from the testing, and the development of a framework to assess and categorize any vulnerabilities appearing in the course of a test;
(2) The selection of an adequate threat intelligence and penetration testing provider to perform the tests, and the issues that should be considered in this context, e.g. specific regulatory requirements as to the selection or location of such a testing provider;
(3) The setting up of threat intelligence tailored to the company, that is, the communication to the testing provider of information on the key functions and systems in scope of the tests in order to develop a company and testing profile, and the agreement on the deliverables to be expected from the testing provider. In this context, the Expert Group also describes the competencies that threat intelligence and penetration testing providers should be able to demonstrate;
(4) The actual performance of penetration tests, including the drafting of a corresponding test plan, the determination and documentation of the testing methodologies to be used, the performance of the tests, and the documentation of the test results; and
(5) The conclusion of the tests, which should in any case include the communication of the test results to relevant stakeholders and the assessment of the results for the purpose of performing any necessary system, function, or security enhancements within the entities.