Recital 12 Comprehensive criteria for TLPT providers

Conventional penetration tests provide a detailed and useful assessment of technical and configuration vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; often of a single system or environment in isolation, but unlike intelligence led red teammeans the testers, internal or external, contracted for, or assigned to, a TLPT; test, do not assess the full scenario of a targeted attack against an entire entity, including the complete scope of its people, processes and technologies. During the selection process of the TLPT providersmeans testers and threat intelligence providers;, financial entities should therefore ensure that those providers have the requisite skills to perform intelligence-led red teammeans the testers, internal or external, contracted for, or assigned to, a TLPT; tests, and not only penetration tests. It is therefore necessary to lay down comprehensive criteria for testers, both internal and external, and threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; providers, always external. Where the TLPT providersmeans testers and threat intelligence providers; belong to the same company, the staff assigned to a TLPT should be adequately separated.