Customer Security Testing Policy
Last updated: November 2024
FINBOURNE’s information security team will, at the Customer’s request, participate and cooperate in Customer performed threat-led penetration testing (“Customer TLPT”) subject to the conditions set forth in this policy.
Mandatory Requirements
1. The Customer must:
1.1. no less than 30 days prior to the intended start date of Customer TLPT, provide to FINBOURNE full details of the scope of Customer TLPT, and FINBOURNE may, in its sole discretion, refuse or delay the areas in scope;
1.2. provide to FINBOURNE the contact telephone number of an employee of the Customer who can be contacted at any time for the duration of the Customer TLPT;
1.3. use testers for the carrying out of Customer TLPT in accordance with Article 28 of the Digital Operational Resilience Act (DORA), including, but not limited to, testers holding an industry standard accreditation relating to penetration testing or vulnerability assessment. The Customer must provide to FINBOURNE details of the testers engaged prior to the commencement of Customer TLPT;
1.4. exclude FINBOURNE’s third party vendors from Customer TLPT;
1.5. identify all requests (where possible) sent to the Software platform as part of Customer TLPT using a request header (or another annotation appropriate to the technology in use) of the form “x-fbn-pentest-[Customer]” (where ‘Customer’ is replaced with the testing Customer’s name or identifier), so that test traffic can be distinguished from genuine attacks;
1.6. perform any port and vulnerability scanning in non-aggressive mode only; and
1.7. immediately notify FINBOURNE in the event that the Customer identifies a vulnerability, successful compromise or attack during Customer TLPT, providing full details regarding the nature of the vulnerability and/or how the compromise was achieved.
2. The Customer must not:
2.1. include any activities in Customer TLPT that could reasonably be expected to have an adverse impact on the Services or other customers of FINBOURNE;
2.2. expose FINBOURNE to illegality during Customer TLPT;
2.3. upload, install or deploy malware or malicious software to the Services or servers during Customer TLPT;
2.4. attempt Denial of Service (DoS) attacks or utilise any tools or services in a manner that performs Denial of Service (DoS) attacks or simulations, or any “load testing” against the Services;
2.5. manipulate, influence, deceive, impersonate, or engage in other forms of social engineering targeting FINBOURNE staff or subcontractors at any time;
2.6. use screen scraping technology (outside the purpose of capturing a single screen to report a bug or documenting the unexpected behaviour of a cloud application);
2.7. use Customer TLPT for benchmarking or competitive intelligence;
2.8. initiate, cause or otherwise actively exfiltrate information from the platform that could contain internal FINBOURNE information (e.g. logs, configuration, secrets, credentials) or data from or about other FINBOURNE customers. The Customer must immediately notify FINBOURNE if a method for accessing such information is identified;
2.9. attempt to exploit discovered vulnerabilities, beyond what is necessary to determine whether the vulnerability allows unauthorized access or other malicious acts; and
2.10. seek to intentionally break the tenancy separation between the Customer and other FINBOURNE customers where the Customer’s data is hosted in a multitenant environment.
3. At FINBOURNE’s request, the Customer shall immediately cease, and cause Customer staff to cease, all Customer TLPT activities which FINBOURNE believes, in its sole discretion, pose a material harm to the functionality, security, integrity, or availability of FINBOURNE’s or any other FINBOURNE customer’s services, systems or operations, or of any content, data, or applications in such services.
Frequency
4. The Customer may only conduct Customer TLPT once every three (3) years unless required by the Competent Authority, and the period in which Customer TLPT may be conducted is not to extend beyond ten (10) consecutive calendar days, unless otherwise agreed in advance by FINBOURNE.
Confidentiality
5. All information related to Customer TLPT (including, without limitation, the findings of any Customer TLPT, and all plans, documents, and information related to the Customer TLPT) is deemed Confidential Information (“Customer TLPT Confidential Information”). The Customer may only use Customer TLPT Confidential Information for the purposes of determining whether the Services meet the Customer’s security requirements, and the Customer may not disclose Customer TLPT Confidential Information to any third party. Customer TLPT Confidential Information may be used by FINBOURNE for research and development purposes to update, improve, and remediate findings related to the Services.
Fees
6. The Customer shall be responsible for all fees relating to Customer TLPT.
Completion of Customer TLPT
7. On completion of Customer TLPT:
7.1. the Customer must provide to FINBOURNE a copy of all findings; and
7.2. all materials and reports relating to Customer TLPT must be deleted, save that the Customer may retain a copy of the Customer TLPT report subject to the confidentiality obligations set out in the Customer’s agreement with FINBOURNE.
8. FINBOURNE shall use reasonable endeavours to review any report provided by the Customer and provide feedback and remediation timescales for any relevant issues as identified by FINBOURNE.
Liability
9. The Customer shall be responsible for all damages to FINBOURNE or other FINBOURNE customers which are caused by the Customer TLPT activities of the Customer or the Customer’s personnel. FINBOURNE disclaims all liability of any kind in relation to Customer TLPT and shall have no claim in respect thereof.