DORA Ch. II Sec. I Art. 5 2.
1. Overview
2. The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1).
For the purposes of the first subparagraph, the management body shall:
- (a) bear the ultimate responsibility for managing the financial entity’s ICT risk;
- (b) put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data;
- (c) set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions;
- (d) bear the overall responsibility for setting and approving the digital operational resilience strategy as referred to in Article 6(8), including the determination of the appropriate risk tolerance level of ICT risk of the financial entity, as referred to in Article 6(8), point (b);
- (e) approve, oversee and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans, referred to, respectively, in Article 11(1) and (3), which may be adopted as a dedicated specific policy forming an integral part of the financial entity’s overall business continuity policy and response and recovery plan;
- (f) approve and periodically review the financial entity’s ICT internal audit plans, ICT audits and material modifications to them;
- (g) allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training referred to in Article 13(6), and ICT skills for all staff;
- (h) approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;
- (i) put in place, at corporate level, reporting channels enabling it to be duly informed of the following:
  - (i) arrangements concluded with ICT third-party service providers on the use of ICT services,
  - (ii) any relevant planned material changes regarding the ICT third-party service providers,
  - (iii) the potential impact of such changes on the critical or important functions subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures.
2. Identified Requirements
Requirements
| Source | Requirement |
|--------|-------------|
3. Related Standards
Standards (columns: Source | Requirement)

Source: NOREA
Resilience Training Programs
Implement security awareness and digital operational resilience training as integral components of staff training schemes and ensure training extends to all staff members, including senior management. Customize training intensity based on employee roles and functions. For the training content, cover topics such as network security, insights from prior incidents, threat intelligence, defenses against intrusions, and data protection measures (e.g., encryption, cryptography). Conduct the resilience training program on an annual basis. Staff shall be informed of the ICT security policies, procedures and protocols and be made aware of the reporting channels put in place for detecting anomalous activities. Upon termination of employment, all staff are required to return all ICT assets and information assets.

Source: NOREA
Inclusion of Third-Party Providers
Incorporate ICT third-party service providers as participants in relevant training programs, where appropriate. Third parties shall be informed of the ICT security policies, procedures and protocols and be made aware of the reporting channels put in place for detecting anomalous activities. Upon termination of employment or contract termination, the third parties are required to return all ICT assets and information assets that belong to the financial entity.

Source: NOREA
Governance of ICT Risk
The management body shall take ultimate responsibility for effectively managing all ICT risks of the financial entity. As such, the management body periodically (e.g. annually) ensures that it:
- Establishes policies related to the availability, authenticity, integrity, and confidentiality of data, including the policy on arrangements with ICT third-party service providers (see control 2.1).
- Defines the roles, responsibilities and governance arrangements for ICT-related functions and ICT risk management (including those related to ICT third-party arrangements), including the continuous monitoring thereof.
- Reviews the policy on arrangements with ICT third-party service providers and stays informed about third-party arrangements, services provided, and planned material changes regarding third-party service providers, and understands the impact of these changes on critical and important functions of the entity (including risk assessment results).

Source: NOREA
Knowledge of the Management Body
The management body shall ensure that it is kept up to date with sufficient knowledge and skills to understand and assess ICT risks and operations (e.g. through periodic training).

Source: NOREA
Digital Operational Resilience Strategy
The management body shall set and approve the digital operational resilience strategy and periodically update it when needed.
The digital operational resilience strategy must:
- Set out how the risk management framework will be implemented.
- Elaborate on the alignment between the risk management framework and the business strategy and objectives.
- Establish the ICT risk tolerance level (based on risk appetite) and the impact tolerance level for ICT disruptions.
- Include clear security objectives, including Key Performance Indicators (KPIs) and risk metrics.
- Elaborate on the ICT reference architecture and any changes needed to reach specific business objectives.
- Outline the mechanisms in place to detect ICT-related incidents.
- Contain evidence to prove the current digital operational resilience situation (e.g. based on the number of major ICT-related incidents and the effectiveness of preventive measures).
- Contain how the digital operational resilience testing is implemented (see controls under 19 and 20).
- Outline the communication strategy in case of incidents (see 11.3).
The management body shall allocate and review the budget required for resources to fulfill the digital operational resilience needs of the entity.
Ensure that monitoring is arranged on the effectiveness of the implementation of the digital operational resilience strategy.

Source: NOREA
Business Continuity Oversight
The management body reviews and approves periodically (e.g. annually) the ICT business continuity policy and the ICT response and recovery plans.

Source: NOREA
Audit Plan Approval and Review
The management body reviews and approves periodically (e.g. annually) internal ICT audit plans, ICT audits, and material modifications to the audits.