
STATEMENT OF REQUIREMENT
Background
Co-operative Bank requires the services of a qualified and licensed penetration testing vendor to perform a comprehensive assessment of its internal and external infrastructure. The primary objective is to identify vulnerabilities, evaluate the effectiveness of existing security controls, and ensure compliance with relevant industry and regulatory standards (including PCI DSS).
The selected vendor must:
- Be licensed by the Tanzania Communications Regulatory Authority (TCRA).
- Have demonstrable experience delivering penetration testing services in regulated industries, particularly the financial sector.
- Employ certified security professionals and follow recognized testing methodologies.
- Guarantee strict confidentiality and operate under a signed Non-Disclosure Agreement (NDA).
Specifications and Requirements
Scope of Work
The penetration test must cover:
1. Internal Security Assessment
- Web & API Security Assessment (deep dive)
- Business Logic Abuse testing
- Cyber Defence Evasion techniques
- Active Directory configuration review and exploitation testing
- Man-in-the-Middle (MiTM) vulnerability testing
- PCI Systems internal assessment in line with PCI DSS
- Negative testing on security architecture
- Re-testing of previously closed issues
2. External Security Assessment
- Web application testing (including OWASP Top 10)
- IoT device security assessment
- File transfer service security testing
- Mobile application security testing
- Social engineering assessments (phishing, pretexting)
- PCI Systems external testing
- Cloud security review for hosted websites
Testing Methodologies
The vendor shall employ a mix of:
- Black Box Testing – simulating an external attacker with no prior system knowledge.
- White Box Testing – simulating an internal, fully informed threat actor.
- Gray Box Testing – simulating an attacker with partial knowledge and limited access.
Deliverables
The vendor must provide:
- Executive Summary – non-technical overview for senior management.
- Technical Report – detailed vulnerabilities, evidence, and impact analysis.
- Risk Ratings – classification by severity (High, Medium, Low).
- Remediation Plan – actionable recommendations with priority levels.
- Re-test Report – verification of remediation effectiveness.
Compliance & Standards
Testing must align with:
- OWASP Testing Guide
- NIST SP 800-115
- PCI DSS requirements
- Penetration Testing Execution Standard (PTES)
Operational Requirements
The vendor must ensure that:
- All test data and findings are handled and stored securely.
- Written authorization is obtained before testing begins.
- Testing is carried out in a controlled manner to avoid service disruptions.