CBEST Threat Intelligence-Led Penetration Testing
Bank of England framework for intelligence-led penetration testing of UK financial infrastructure. Prescribes threat intelligence gathering, red team execution, blue team assessment, and remediation for systemically important financial institutions. Requires accredited threat intelligence providers (TIPs) and penetration testing providers (PTPs). Complementary to the PRA's operational resilience requirements.
Control families mapped (number of mapped controls in parentheses): AC (1), AT (1), AU (2), CA (6), CM (2), IR (3), MP (4), PL (2), PM (12), PS (2), PT (2), RA (7), SA (3), SC (7), SI (4), SR (1)
AC Access Control
| Control | Name | CBEST References |
|---|---|---|
| AC-03 | Access Enforcement | CBEST.9 |
AT Awareness and Training
| Control | Name | CBEST References |
|---|---|---|
| AT-06 | Training Feedback | CBEST.10 |
AU Audit and Accountability
CA Security Assessment and Authorization
| Control | Name | CBEST References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | CBEST.1 |
| CA-02 | Security Assessments | CBEST.10, CBEST.7 |
| CA-05 | Plan Of Action And Milestones | CBEST.10, CBEST.6, CBEST.7 |
| CA-06 | Security Accreditation | CBEST.1 |
| CA-07 | Continuous Monitoring | CBEST.10, CBEST.5, CBEST.7 |
| CA-08 | Penetration Testing | CBEST.3, CBEST.4 |
CM Configuration Management
IR Incident Response
MP Media Protection
PL Planning
PM Program Management
| Control | Name | CBEST References |
|---|---|---|
| PM-01 | Information Security Program Plan | CBEST.1 |
| PM-02 | Information Security Program Leadership Role | CBEST.1 |
| PM-04 | Plan of Action and Milestones Process | CBEST.6 |
| PM-06 | Measures of Performance | CBEST.10, CBEST.7 |
| PM-08 | Critical Infrastructure Plan | CBEST.3 |
| PM-09 | Risk Management Strategy | CBEST.1 |
| PM-11 | Mission and Business Process Definition | CBEST.3 |
| PM-14 | Testing, Training, and Monitoring | CBEST.1, CBEST.10, CBEST.5, CBEST.7 |
| PM-15 | Security and Privacy Groups and Associations | CBEST.2 |
| PM-16 | Threat Awareness Program | CBEST.2 |
| PM-29 | Risk Management Program Leadership Roles | CBEST.1 |
| PM-31 | Continuous Monitoring Strategy | CBEST.10, CBEST.6 |
PS Personnel Security
PT Personally Identifiable Information Processing and Transparency
RA Risk Assessment
| Control | Name | CBEST References |
|---|---|---|
| RA-02 | Security Categorization | CBEST.3 |
| RA-03 | Risk Assessment | CBEST.2 |
| RA-05 | Vulnerability Scanning | CBEST.2, CBEST.6 |
| RA-06 | Technical Surveillance Countermeasures Survey | CBEST.4 |
| RA-07 | Risk Response | CBEST.6 |
| RA-09 | Criticality Analysis | CBEST.3 |
| RA-10 | Threat Hunting | CBEST.2, CBEST.4 |
SA System and Services Acquisition
SC System and Communications Protection
| Control | Name | CBEST References |
|---|---|---|
| SC-07 | Boundary Protection | CBEST.5 |
| SC-08 | Transmission Integrity | CBEST.9 |
| SC-12 | Cryptographic Key Establishment And Management | CBEST.9 |
| SC-13 | Use Of Cryptography | CBEST.9 |
| SC-26 | Decoys | CBEST.4 |
| SC-28 | Protection of Information at Rest | CBEST.9 |
| SC-35 | External Malicious Code Identification | CBEST.4 |
SI System and Information Integrity
SR Supply Chain Risk Management
| Control | Name | CBEST References |
|---|---|---|
| SR-06 | Supplier Assessments and Reviews | CBEST.8 |