Recital 16 ICT security testing


It is necessary to ensure that software packages that financial entities referred to in Title II of this Regulation acquire and develop are effectively and securely integrated into the existing ICT environment, in accordance with established business and information security objectives. Financial entities should therefore thoroughly evaluate such software packages. For that purpose, and to identify vulnerabilities and potential security gaps within both software packages and the broader ICT systems, financial entities should carry out ICT security testing. 
To assess the integrity of the software and to ensure that the use of that software does not pose ICT security risks, financial entities should also review source codes of software acquired, including, where feasible, of proprietary software provided by ICT third-party service providers, using both static and dynamic testing methods.
