Version date: 8 December 2023 - onwards
    Version 1 of 1    

Article 11 Use of internal testers

Closed
4 March 2024

1. Financial entities shall establish all of the following arrangements for the use of internal testers:

(a) the definition and implementation of a policy for the management of internal testers in a TLPT. Such policy shall:

i. include criteria to assess suitability, competence, potential conflicts of interest of the testers and define management responsibilities in the testing process. The policy shall be documented and periodically reviewed;

ii. provide that the internal testing team includes a test lead, and at least two additional members. The policy shall require that all members of the test team have been employed by the financial entity or by an ICT intra-group service provider for the preceding two years;

iii. include provisions on training on how to perform red teaming of the internal testers.

(b) measures to ensure that the use of internal testers to perform TLPT will not negatively impact the financial entity's general defensive or resilience capabilities regarding ICT-relate
