Article 4
Organisational arrangements for financial entities
1. Financial entities shall appoint a control team lead which shall be responsible for the day-to-day management of the TLPT and the decisions and actions of the control team.
2. Financial entities shall establish organisational and procedural measures to ensure that:
(a) access to information pertaining to any planned or ongoing TLPT is limited on a need-to-know basis to the control team, the management body, the testers, the threat intelligence provider and the TLPT authority;
(b) the control team consults the test managers prior to involving any member of the blue team in a TLPT;
(c) the control team is informed of any detection of the TLPT by staff members of the financial entity or of its third-party service providers; in case of escalation of the resulting incident response, where needed, the control team contains such escalation;
(d) arrangements relating to the secrecy of the TLPT, applicable to staff of the financial entity, to the staff of the ICT third-party service providers concerned, to testers and to the threat intelligence provider are in place;
(e) the control team provides any information pertaining to the TLPT to the test managers upon request;
(f) where possible, parties involved in the TLPT refer to it by code name only.