What is STAR-FS?

STAR-FS is a framework for intelligence-led penetration testing of the financial sector.

STAR-FS has been developed to meet the needs of the Regulators by ensuring the same level of rigour is applied to them whilst reducing resourcing implications on regulators. STAR-FS will reduce the role of the regulator in its delivery.

Any worldwide institution is able to adopt this framework and, where scoped appropriately, the results can be used to inform the Regulators. Regulators will be able to understand the current cyber security posture of regulated entities, proving itself an invaluable tool. This will also help entities themselves to understand where improvements in the current security arrangements need to be applied.

STAR-FS promotes an intelligence-led penetration testing approach that mimics the actions of cyber threat actors’ intent on compromising an organisation’s important business services and the technology assets and people supporting those services. Collaboration, evidence and improvement lie at the heart of STAR-FS as well as a close liaison with key stake holders.

The STAR-FS process utilises commercially available threat intelligence services in order to define realistic and current threat scenarios that will be utilised by the penetration testing teams to replicate real world attacks to operational systems. Risks to these systems are mitigated through the establishment of an internal control group, risk assessment, the accredited policies and processes utilised by the service provider and the skill and competence of the threat intelligence and penetration testing providers.

STAR-FS is more than a penetration test. The process is designed to utilise the expertise available through accredited service providers. It allows for consistent formal reports that are to be used by the participant to provide appropriate evidence to the Regulator of the level of technical cyber resilience.

Should you wish to look at implementation of this scheme into other CNI functions, please visit our STAR Penetration Testing and STAR Threat Intelligence pages for their requirements.

Should you wish to discuss this further, please do contact the team by emailing [email protected]

CREST YouTube content
Intelligence-Led Penetration Testing – https://www.youtube.com/playlist?list=PLZ2XFVIKjM5uFAZZh6jGAUKqP3HYQiikD
Threat Intelligence – https://www.youtube.com/playlist?list=PLZ2XFVIKjM5uklDnXXNe8_DRm2KvczYvO

Research
https://www.crest-approved.org/wp-content/uploads/CREST-Cyber-Threat-Intelligence.pdf