Ambersail has provided high quality penetration testing services to Exact Mortgages for some time. Testing is comprehensive and reporting is excellent. The Ambersail team are all extremely helpful and available whenever we need them – even for the simplest of advice. We continue to find Ambersail’s services very useful.
Head Of IT, Exact Mortgages.
What Is FCA Penetration Testing?
The FCA, or Financial Conduct Authority, expects companies in the UK financial sector to perform penetration testing on a periodic basis. This includes banks, financial services firms and FinTech companies.
Penetration testing should be performed by an experienced and independent party, and it should cover the networks and applications that support financial services.
Penetration testing is required by the documentation that must be submitted to the FCA: for example, the Detailed IT Controls Form, where it features heavily in Section 8.
FCA Penetration Testing should be performed at least annually or after a modification to the network that supports financial services.
FCA Penetration Testing Specialists
Understanding what needs to be tested is very important. We therefore help you identify all areas of the network that need to be included in the test. Getting the scope right is key to an accurate test that meets what the FCA wants.
Testing is thorough and based on industry recognised standards such as ISO27001/2 and OWASP. We know that many systems under test are ‘live’ environments supporting key business functions. As a result, testing is carefully coordinated to minimise any disruption.
Test reports are easy to understand. Any issues are clearly documented with advice on how to fix them. This is backed up by walkthroughs and further retests if required. These are designed to put you in a position to demonstrate to the FCA how secure your financial services are.
You can expect:
- Guidance on meeting FCA penetration testing requirements. For example, what to include in the scope.
- Great value services. Very competitive prices.
- Flexible testing. We are ready to go as required.
- An experienced, independent, CREST certified testing team.
- Testing follows recognised standards such as CREST, OWASP and ISO 27001/2.
- UK based. Direct access to our testing team.
- Easy to understand reports with clear advice for fixing any issues.
- Walkthroughs of results and retests to confirm fixes have been made.
Contact us to get started.
How Does Testing Satisfy The FCA?
The FCA expects testing to be performed on networks and web applications, consisting of penetration testing and vulnerability assessment. Additionally, the FCA will need to know what gets tested, who performs the penetration testing, and when testing takes place.
You will find that the FCA’s Detailed IT Controls Form contains requirements that can be addressed by Ambersail’s penetration testing service. This includes the following requirements:
- 2.04: Are IT systems and controls subject to regular audit by an independent and qualified audit function?
- 3.6.01: Independence of auditor.
- 3.1.01: Systems are required to be in place and tested at least two weeks before the date you hope to be authorised.
- 3.5.04: All bugs that could cause data errors or unacceptable performance resolved before the system went live.
- 5.2: Security Practices.
- 5.4: Security Monitoring.
- 8.12: Penetration test results.