DORA Ch. II Sec. I Art. 5 4.

1. Overview

DORA Ch. II Sec. I Art. 5 4.

4.   Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.

1.1 References

1.2 Identified Requirements

1.3 Related Standards

2. Identified Requirements

Requirements
Source Requirement

3. Related Standards

Standards
Source Requirement
NOREA Governance of ICT risk

The Management body shall take ultimate responsibility for effectively managing all ICT risks of the financial entity. As such, the management body periodically (e.g. annually):

  • Establishes policies related to the availability, authenticity, integrity, and confidentiality of data, including the policy on arrangements with ICT third-party service providers (see control 2.1).
  • Defines the roles, responsibilities and governance arrangements for ICT-related functions and ICT risk management (including those related to ICT third-party arrangements), including the continuous monitoring thereof.
  • Reviews the policy on arrangements with ICT third-party service providers and stays informed about third-party arrangements, services provided, and planned material changes regarding third-party service providers, and understands the impact of these changes on critical and important functions of the entity (including risk assessment results).
NOREA Knowledge of the Management Body
The Management body shall ensure that it is kept up to date with sufficient knowledge and skills to understand and assess ICT risks and operations (e.g. through periodic training).
NOREA Digital Operational Resilience Strategy

The Management body shall set and approve the digital operational resilience strategy and periodically update when needed.

The digital operational resilience strategy must:

  • Set out how the risk management framework will be implemented.
  • Elaborate on the alignment between the risk management framework and the business strategy and objectives.
  • Establish the ICT risk tolerance level (based on risk appetite) and the impact tolerance level for ICT disruptions.
  • Include clear security objectives, including Key Performance Indicators (KPIs) and risk metrics.
  • Elaborate on the ICT reference architecture and any changes needed to reach specific business objectives.
  • Outline the mechanisms in place to detect ICT-related incidents.
  • Contain evidence to prove the current digital operational resilience situation (e.g. based on the number of major ICT-related incidents and the effectiveness of preventive measures).
  • Contain how the digital operational resilience testing is implemented (see controls under 19 and 20).
  • Outline the communication strategy in case of incidents (see 11.3).

The Management body shall allocate and review the budget required for resources to fulfill the digital operational resilience needs of the entity.

The Management body shall ensure that monitoring of the effectiveness of the digital operational resilience implementation is arranged.

NOREA Business Continuity Oversight
The Management body reviews and approves periodically (e.g. annually) the ICT business continuity policy and the ICT response and recovery plans.
NOREA Audit Plan Approval and Review
The Management body reviews and approves periodically (e.g. annually) internal ICT audit plans, ICT audits, and material modifications to the audits.