The Chief Information Security Officer (CISO) of a small local bank has a compliance requirement that a third-party penetration test of the core bank:
a) Should be conducted annually
b) Is unnecessary for a small bank
c) Should only focus on external threats
d) Is not a standard practice
