Regulatory Compliance Testing
We ensure your organisation meets the stringent demands of national and international regulations
LRQA is an approved Threat Intelligence provider across regulatory frameworks including CBEST and GBEST
Ensuring compliance with cyber security standards is increasingly complex. As the cyber technologies integrated into everyday business practices evolve, so does the legislation that governs them. On top of this, today’s globalised world means that business operations often span multiple jurisdictions.
Staying proactive and abreast of legislation requires dedicated expertise that can exceed workforce capabilities. However, a lack of focus on security or compliance can open your organisation to security breaches, non-compliance and potential fines. To mitigate risks, you must navigate complexities, adapt to evolving legislation and invest in cyber security measures. LRQA can help. Our Regulatory Compliance Testing services are designed to ensure your organisation meets the stringent demands of national and international regulations.
Our approach to Regulatory Compliance Testing
Our services will help protect your businesses by quantifying your risk, identifying vulnerabilities and assessing technology to deliver practical solutions that enable compliance with cyber security legislation and frameworks.
Risk identification
We undertake a thorough assessment of your organisation’s systems and infrastructure.
Expert insight
Our experts possess the certifications and knowledge you need to understand the standards you must comply with.
Remedial advice
We provide robust and actionable remedial advice for all levels of vulnerability.
Debrief
We provide detailed reports in a digestible format. All our tests come with a business debrief as standard.
Our Regulatory Compliance Testing services
CBEST Assessments
Created by the Bank of England and supported by CREST, CBEST testing assessments make significant use of Cyber Threat Intelligence, deliver sophisticated Red Team style assessments and provide incident response maturity assessments.
CBEST engagements are unique when compared to many other types of assessments because they can only be instigated by the Bank of England. The Bank of England is involved in the scoping of the assessments and determines which types of assets and systems comprise the test scope. The threat intelligence used to determine the testing approaches is augmented by GCHQ.
CBEST requires organisations to commission a threat intelligence gathering exercise by a CBEST-approved threat intelligence provider. This exercise:
- Reviews geopolitical threats
- Reviews tactics, techniques and procedures (TTPs) of threat actors known to be targeting similar types of organisations.
- Reviews open-source intelligence relating to your organisation.
- Gathers and reviews closed-source intelligence relevant to your organisation.
- Creates a series of scenarios that reflect real-world threats.
- Includes TTPs to be simulated, goals to be executed and targets to be pursued.
LRQA is one of only a handful of CBEST-approved service providers to be accredited by both CREST and the Bank of England as CBEST Penetration Testing providers and CBEST Threat Intelligence providers. We have extensive experience with CBEST testing and a full team of CBEST-certified individuals who hold CREST CCSAS, CCSAM and CCTIM certifications.
We have also developed our state-of-the-art custom tooling to mimic sophisticated threat actors that are known to be prevalent within the financial services sector. This toolset is unique within the industry and is one of the reasons why LRQA’s team has been highly successful in supporting organisations’ intelligence-led assurance strategies.
STAR-FS
STAR-FS assessments are similar to CBEST engagements as they both leverage the concepts of Red Teaming and utilise threat intelligence to simulate the tactics, techniques and procedures of threat actors against financial institutions. However, STAR-FS assessments are designed to allow for a lighter or optional involvement of the Regulator.
STAR-FS requires organisations to commission Threat Intelligence Services from a STAR-FS-approved Threat Intelligence provider. Several threat scenarios are defined and then utilised by an Intelligence-led Penetration Testing team to simulate real-world attacks.
STAR-FS engagements must be structured in four main components:
Initiation: to define the scope and select the providers for the subsequent components. LRQA will ensure a dedicated project manager oversees every part of the engagement and a full RACI model will be put in place for all stakeholders. Communications, escalations, risk management and debriefs/reporting needs will be fully discussed and agreed upon.
Threat intelligence exercise: to develop threat scenarios and agree on a plan to be handed over to the penetration testing service provider. The experience gathered on CBEST engagements allows us to identify real-world scenarios to help organisations identify and understand where gaps are.
Penetration testing: Our threat intelligence-led Penetration Testing services are delivered with the support of state-of-the-art custom tooling to simulate sophisticated threat actors that are known to be prevalent within the Financial Services Sector.
Reporting: Our reports have been designed to inform both senior stakeholders and technical teams within engineering, operations and the detect and response functions. Remediation guidance, regulator debriefs and executive debriefs are delivered with pragmatic advice in a collaborative and supportive manner.
LRQA is accredited by CREST to deliver Threat Intelligence Led Penetration Testing for Financial Services under the STAR-FS scheme. We have a full team of CBEST-certified individuals who hold CREST CCSAS, CCSAM and CCTIM certifications. When we engage in threat intelligence-led services, we can deliver a true reflection of the types of TTPs that threat groups are known to be leveraging.
iCAST – Intelligence-Led Cyber Security Testing
iCAST is an intelligence-led framework, introduced by the Hong Kong Monetary Authority (HKMA). It is an innovative regulatory requirement that does not just rely on a strategy that is focused on Penetration Testing alone. The focus of the iCast framework is to deliver a threat intelligence-based scenario test, with the testing element focusing on Red Teaming.
Threat Intelligence phase
This includes reviewing open-source intelligence relating to an organisation, defining scenarios that reflect real work attack vectors, reviewing TTPs of likely threat actors and providing a list of actionable intelligence to confirm the right approach for the Red Team phase.
Reviewing and defining phase
We help you define the likely scenarios for the Red Teaming phase. The iCAST framework encourages organisations to define a list of key assets that are trying to protect and use the output of the threat intelligence to define what tactics and approaches should be used to carry out the attack phase of the assessment. During this phase, we will launch various attacks such as phishing or insider threats to mimic real work threat actors.
Attack replay phase
We work closely with your Blue Team and re-create some of the scenarios to see how the defensive layer of your organisation was able to react to the testing phase.
General Data Protection Regulation (GDPR) Compliance
The right approach to information security is critical to achieving GDPR compliance. For many organisations, this requires a significant revision of their security strategy and tactics as GDPR requires you to implement a risk-based framework. This framework includes the correct governance structure, policies and operational practices in addition to monitoring, detection and incident response.
LRQA can help you with GDPR compliance by providing:
- Gap assessments against the GDPR standards for information security and incident response practices, to produce a roadmap to compliance.
- Monitoring services to support the information security and incident response aspects of GDPR.
TIBER EU
Threat Intelligence-based Ethical Red Teaming (TIBER-EU) is a framework launched by the European Central Bank (ECB) to deliver a controlled, bespoke, intelligence-led Red Team test of your critical live production systems.
LRQA provide all elements of the Threat Intelligence and Red Team testing requirements. Our cyber security threat intelligence capabilities allow us to execute broad, intelligence-based targeting exercises, of the kind typically undertaken by real-world threat actors as they prepare for their attack.
Our objective is to draw a picture of the target organisation, through the lens of an attacker. This approach allows us to design and deliver testing scenarios for a TIBER test. Our experts not only shape the tests through the production of the key TIBER intelligence documents but also provide added value to your organisation by reducing uncertainty while aiding in identifying threats and opportunities that will reduce the risk of a real attack.
I-CIRT
Canada’s Office of the Superintendent of Financial Institutions (OSFI) created the Intelligence-led Cyber Resilience Testing (I-CRT) framework to simulate relevant real-world threats. The framework assesses cyber resilience, using independent suppliers, to help systemically important and internationally active insurance groups identify areas where they could be vulnerable to cyber-attacks.
Our I-CRT service has been developed to provide insight and assurance through the simulation of real-world threat actors using known TTPs to assess and enhance your organisation’s security posture.
I-CRT requires organisations to commission a Threat Intelligence Service Provider to conduct a threat intelligence gathering exercise. We are an approved Threat Intelligence provider across regulatory frameworks and can deliver the following:
- Intelligence on geo-political threats known to be operating in the sector and sub-sector
- TTPs of threat actors known to be targeting similar types of organisations
- Open Source Intelligence (OSINT) relating to your organisation
- Closed source intelligence relevant to your organisation
MAS TRM
MAS TRM (Monetary Authority of Singapore Technology Risk Management) is a comprehensive set of guidelines from the Monetary Authority of Singapore aimed at helping Financial Institutions improve their cyber resilience and establish sound and robust technology management practices.
We help you analyse your security posture against the MAS TRM guidelines and identify gaps and areas of improvement. Our MAS TRM compliance experts conduct workshops with stakeholders through different stages of the engagement. The workshops are designed for top-level management, decision-makers and risk owners. Our experts identify the systems, applications, infrastructure and technologies that are used by your organisation to deliver services to your customers and therefore in the scope of the MAS TRM Guidelines.
We review your policies, procedures and process documents to see how well they align with the MAS TRM Guidelines to determine compliance and identify gaps and potential areas of improvement.
IMDA
The Infocomm Media Development Authority (IMDA) in Singapore put a process in place to help companies develop more secure platforms by offering their customer a reduction in subscription costs by complying with their regulation.
For any technology solution providers who want to be listed as an IMDA pre-approved solution of the ‘SMEs Go Digital’ Programme, their solution needs to be approved by IMDA and one of the assessment criteria is to conduct a vulnerability assessment by a qualified third party. One of the criteria for that engagement is to engage a CREST-certified company like LRQA.
Benefits of being listed as an IMDA pre-approved solution of the ‘SMEs Go Digital’ programme:
- A Singaporean SME that uses your application can apply to receive a Productivity and Solution Grant to subsidise up to 80% of the cost of using the platform
- Your solution or platform will have some technical assurance against it to minimise service impact or data theft, ensuring your solution is more resilient against a cyberattack.
- A detailed vulnerability assessment report detailing the risks you need to manage and LRQA’s recommendations on how to rectify discovered technical vulnerabilities
PDPA
The Personal Data Protection Act (PDPA) in Singapore requires organisations to implement reasonable security measures to protect personal data in their possession.
The right approach to information security is critical to achieving PDPA compliance. For many organisations, this requires a significant revision of their security strategy and tactics as PDPA requires organisations to implement a risk-based framework. This framework includes the correct governance structure, policies and operational practices in addition to monitoring, detection and incident response.
LRQA can help you with PDPA compliance by providing:
- Gap assessments against the PDPA standards for information security and incident response practices, to produce a roadmap to compliance.
- Monitoring services to support the information security and incident response aspects of PDPA.
NYDFS
As a recognised covered entity by the New York State Department of Financial Services (NYDFS), some organisations fall under a mandatory compliance requirement to protect Non-public Information (NPI). To do this, you must be following the NYDFS Cyber Security regulation, known as 23 NYCRR 500.
The regulation covers many elements of cyber security which means that it’s essential to review whether your current security posture complies with the relatively new regulatory standard.
LRQA helps you with measures necessary for NYDFS cyber security compliance via:
- A gap assessment against the 23 NYCRR 500 regulation to identify compliance gaps and recommend remediations producing a roadmap to compliance.
- CISO services to create or support your organisation’s information security program and NYDFS cyber security requirements.
- Writing or updating your policies and working with you on the NYDFS-associated documentation library.
- Penetration testing and vulnerability scanning to allow you the view a criminal threat actor would have of your technologies and platforms.
AASE
The Association of Banks in Singapore (ABS) issued the AASE Adversarial Attack Simulation Exercise (AASE) framework, which leverages threat intelligence and red teaming activity. Although AASE is a framework as opposed to regulation, LRQA can provide full spectrum services to align with these requirements.
GLBA
The Gramm Leach Bliley Act (GLBA) was enacted by the Federal Trade Commission of the USA and requires financial services organisations to adhere to a series of security requirements, designed to protect non-public personal information.
LRQA can deliver assurance activities and Managed Detection and Response services that are specifically aligned with the requirements of this act.
Award-winning expertise
Our cyber security team continues to achieve multiple vendor certifications, highly respected industry accreditations and international accolades, demonstrating the breadth, depth and impact of their services.
Why work with us?
Specialist expertise
Our cyber security experts hold multiple vendor certifications and accreditations as well as highly respected industry accreditations from CREST, the PCI SSC, ISC2, BCI, Chartered Institute of IT, and NCSC CHECK.
Industry leadership
We lead and shape industry on advisory boards and councils including the PCI SSC Global Executive Assessor Roundtable and CREST councils in the Americas, Asia, EMEA and the UK. We are certified by a range of governing bodies including the payment card industry and are approved as a Qualified Security Assessor.
Everywhere you are
Operating in over 55 countries, with more than 250 dedicated cyber security specialists and over 300 highly qualified information security auditors across the world, we can provide a local service with a globally consistent dedication to excellence.
Award winners
We have been recognised for the breadth and depth of our services – including the TEISS Award for Best Penetration Testing Service in 2024, Enterprise Threat Detection and Cloud Security awards at the Security Excellence Awards 2024 and the Stratus Award for Best Managed Cloud Security Service.
The world leader in CREST accreditations
We are proud to be the only organisation in the world with a full suite of accreditations from The Council of Registered Ethical Security Testers (CREST).
Our team of consultants have achieved the highest accreditations for Penetration Testing, Red Teaming, Incident Response services and Threat Intelligence. In addition, we were also the first organisation to be CREST accredited for our Security Operation Centre services.
