Security Testing and Red-Teaming Policy

The Security Testing and Red-Teaming Policy (P40) establishes a comprehensive framework for ongoing assessment and validation of the organization’s cybersecurity measures. Its principal aim is to ensure compliance with regulations like NIS2 Article 21(2)(f), which mandates formal and structured processes to evaluate the effectiveness of cybersecurity risk-management activities. By introducing regular vulnerability scans, annual penetration testing for critical systems, and periodic red-team simulations, the policy ensures proactive identification of weaknesses that standard operational controls might not detect. The scope of the policy is broad, encompassing all critical information systems, applications, and supporting infrastructure within the organization. Importantly, it also covers physical security aspects, such as social engineering and physical penetration tests where relevant, to provide a holistic approach to organizational protection. All internal security teams, external testing firms, and pertinent system or application owners are bound by its requirements. Testing activities are carefully regulated, requiring authorization and adherence to defined rules to prevent disruption and ensure safety. Roles and responsibilities are explicitly detailed to maintain accountability and streamline processes. The Security Testing Coordinator, appointed by the CISO, oversees the planning, execution, and reporting of all security testing activities. Internal teams collaborate in both defensive and testing roles, while red teams or penetration testers (internal or third-party) execute controlled attack scenarios within agreed parameters. System owners ensure timely remediation of identified issues, and management integrates findings into the broader risk management and compliance reporting processes. The policy places strong emphasis on detailed governance: every test is preceded by a scope and rules of engagement definition, strict authorization procedures, and rigorous reporting. It underscores the importance of safe data handling, requiring that any real data accessed be kept confidential and only anonymized details included in reports. Remediation is mandatory and tracked, with retesting to verify fixes. The policy also extends to supplier and third-party systems when relevant, ensuring alignment across the supply chain. Continuous improvement is a notable theme: lessons from recurring findings must influence policy, configuration standards, and incident response plans. Training programs for IT, development, and management staff are mandated to foster awareness, reinforce operational discipline, and maintain vigilance against emerging threats. All testing activities are logged and periodically audited to confirm effectiveness, fulfillment of regulatory duties, and timely closure of remediation actions. Reviews are scheduled annually or after major incidents, ensuring the policy remains current with the dynamic threat landscape.