Information Systems Penetration Tests under the SPK Framework
For capital market institutions and portfolio management companies, we perform Information Systems Penetration Tests in full compliance with the procedures and principles defined in the relevant Communiqué.
Purpose (compliant with the Communiqué)
The purpose of penetration tests is the detection of potential security weaknesses in the information systems of Institutions, Organisations and Partnerships before penetration attempts, the analysis of combined risks and the determination of remedial activities.
Scope (Minimum)
- Communication Infrastructure and Active Devices: Firewall/Router/Switch configurations, DMZ
- DNS Services: Domain name services security
- Domain & User Computers: AD, endpoint policies
- E-mail Services: Content security, phishing scenarios
- Database Systems: Authorisation, query security
- Web Applications: Application/API reviews
- Mobile Applications: iOS/Android security controls
- Wireless Network Systems: WLAN encryption and isolation
- Distributed Denial of Service: DDoS tests (coordinated)
- Social Engineering: Phishing, fake verification
Methodology – Access Points & User Profiles
Access Points
- Internet: Testing the organisation's internet-facing servers/services from an external location
- Internal Network: Testing the servers on the organisation's internal network by accessing from within
User Profiles
- Anonymous user: Non-member external user
- Customer profile: User authorised to log in to web applications
- Employee profile: A typical employee account, plus local administrator rights
- System Identification: Determination of the system/configuration information of servers and network devices.
- Service Identification: Port scanning and inventory of externally exposed services.
- Vulnerability Scanning: Scanning of components against current vulnerabilities.
Finding Severity Levels (Communiqué)
| Level | Definition |
|---|---|
| Emergency | Weaknesses allowing an unqualified attacker to completely take over the system from the external network |
| Critical | Weaknesses allowing a qualified attacker to completely take over the system from the external network |
| High | Limited privilege escalation/denial of service from the external network, or privilege escalation locally |
| Medium | Weaknesses leading to denial of service from the local network/server |
| Low | Situations whose impact cannot be fully determined; stemming from hardening deficiencies |
Reporting & Follow-up (compliant with the Communiqué)
Report Content
- Findings under each heading and a combined risk assessment
- Finding Format: Reference No, Name, Severity Level, Impact, Component(s), Remediation Recommendation
- Test team information and relevant competency certificates
Process & Notification
- Within 1 month of completion, the report is ready for submission to the Board
- Board-approved action plan
- Prompt closure of "Emergency" and "Critical" findings
Why Nesil Teknoloji?
- SPK Independent Auditor Licence: Official competence; a process and reporting fully compliant with the Communiqué
- Finance Sector Focus: Experience in portfolio management, brokerage and fintech
- Audit-Usable Report: Finding format and severity levels compliant with the Communiqué
- Confidentiality & Security: A method that does not jeopardise business continuity; coordinated tests
Expert Team & Accreditations
Certificates Held by Our Team
Our References
- Tera Portföy Yönetimi A.S. and Tera Yatırım Menkul Değerler A.S.: SPK-scope tests completed; reports accepted.
- IKON Menkul Değerler A.S.: Internet & internal network, web/API and e-mail tests; combined risk analysis.
- Perform Portföy Yönetimi A.S.: Web/mobile, database and wireless network tests.
SPK-Compliant Penetration Testing – Get a Quote
Let's plan the test scope, methodology and reporting process together.
- Preliminary reconnaissance & scope verification (specific to your organisation)
- Communiqué-compliant notification and reporting plan
- Rapid quoting and a start date