DORA Ch. II Sec. II Art. 9(4)

1. Overview
Article 9(4):
4. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall:
- (a) develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers, where applicable;
- (b) following a risk-based approach, establish a sound network and infrastructure management structure using appropriate techniques, methods and protocols that may include implementing automated mechanisms to isolate affected information assets in the event of cyber-attacks;
  For the purposes of the first subparagraph, point (b), financial entities shall design the network connection infrastructure in a way that allows it to be instantaneously severed or segmented in order to minimise and prevent contagion, especially for interconnected financial processes.
- (c) implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof;
- (d) implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes;
- (e) implement documented policies, procedures and controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters, that are based on a risk assessment approach and are an integral part of the financial entity’s overall change management process, in order to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner;
  For the purposes of the first subparagraph, point (e), the ICT change management process shall be approved by appropriate lines of management and shall have specific protocols in place.
- (f) have appropriate and comprehensive documented policies for patches and updates.
1.1 References
1.2 Identified Requirements
1.3 Related Standards
2. Identified Requirements
3. Related Standards

3.1 Critical and Important Functions (NOREA)
Identify, classify and adequately document all critical and important functions. This process involves determining which functions are essential for the entity's operational stability and continuity. Review the adequacy of this classification as needed, and at least yearly.

3.2 Network Design and Segmentation (NOREA)
Design the network infrastructure in a way that allows it to be instantaneously severed or segmented to minimize and prevent contagion. Have provisions for temporarily isolating subnetworks and network components/devices. Ensure redundant capabilities are equipped with sufficient resources, capabilities and functions (e.g., a redundant network setup). Systems and networks must be segregated based on function criticality, classification and overall risk profile. Maintain a separate network for asset administration. Provide a Layer 3 or Layer 7 (L3/L7) visual representation of all networks and data flows. Conduct yearly performance reviews of the network architecture/design.

3.3 Network Security (NOREA)
Implement controls to prevent and detect unauthorized network connections. Establish and maintain a secure configuration baseline for all network components, following vendor instructions, industry standards and best practices. Ensure the confidentiality, integrity and availability (CIA) of data during network transmission. Prevent and detect data leakage, and secure data transfer with external parties. Implement measures to secure network traffic between internal networks and the internet/external connections. Apply encryption for all communication protocols over corporate, public, domestic, third-party and wireless networks, based on data classification and risk assessments.
Regularly review roles and responsibilities for defining, implementing, approving, changing and reviewing firewall rules and connection filters.
Financial entities shall perform the review of firewall rules and connection filters on a regular basis according to the classification and overall risk profile of the ICT systems involved. For ICT systems supporting critical or important functions, financial entities shall verify the adequacy of the existing firewall rules and connection filters at least every six months.

3.4 Session Management (NOREA)
Enforce procedures to limit, lock and terminate system and remote sessions after a predefined period of inactivity.

3.5 Clear Segregation of Duties (SoD) (NOREA)
Establish Segregation of Duties (SoD) with regard to risk management functions, following the three lines of defence model or an internal risk management and control model.

3.6 ICT Risk Management Framework (NOREA)
A sound, comprehensive and well-documented ICT risk management framework is in place. Its goal is to address all ICT risks properly and ensure a high level of digital resilience. Responsibility for risk management is properly assigned to a control function.
The ICT risk management framework shall be documented and reviewed at least annually, or periodically for microenterprises, with immediate reviews triggered by major ICT-related incidents or supervisory feedback. Continuous improvement will be ensured by incorporating lessons learned from implementation, monitoring and audits. The report of the review will be prepared according to the requirements stated in chapter 5 (Article 27) of the RTS RM and will be made available for submission to the competent authority upon request.
Assess new standards and relevant technology developments in the field of information security, cybersecurity and resilience on a continuous basis, and make proposals on how they can strengthen the information security and cybersecurity control measures of the institution.

3.7 Annual Framework Review and Audit Process (NOREA)
The effectiveness of the risk management framework is monitored based on the risk exposure over time to critical or important business functions. Implement a reviewing and auditing process, with a minimum yearly review of the framework, triggered by major ICT incidents, regulator instructions or major audit findings.
The tasks of verifying compliance with ICT risk management requirements may be outsourced to intra-group or external undertakings. In case of such outsourcing, the financial entity remains fully responsible for the verification of compliance with the ICT risk management requirements.

3.8 Third-Party (Multi-vendor) Risk Management Program (NOREA)
Maintain a comprehensive third-party risk management program which includes:
- A register of information related to the use of third-party service providers, especially those supporting critical or important functions (see also control 17.3).
- A policy on the management of ICT third parties, including the criteria for determining the criticality of service providers and the internal responsibilities for managing third parties.
- Assurance that senior management reviews the policy and designates a member to monitor relations with the third parties and the contractual arrangements.
- A (holistic) multi-vendor strategy, if deemed relevant, showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of ICT third-party service providers.

3.9 Protection Measures (NOREA)
Implement policies and procedures to protect all information, ICT assets, and relevant physical ICT components and infrastructures. At least the following policies shall be established and maintained:
- Security policy
- Human resources policy
- Encryption and cryptographic control policy
- Identity and access management (IAM) policy
- Change management policy
- Network security policy
- ICT operating policies and procedures
- (Crisis) communication policy
- Vulnerability and patch management policy
- Backup policy
- Project management policy
- Physical and environmental security policy
- Business continuity policy with response and recovery plans (including testing plans), see control 1.4 *
- ICT third-party service providers management policy, see control 1.1 *
- Operations of ICT assets (ensuring network security, protecting against intrusions and data misuse, and defining how the entity operates, monitors, controls and restores ICT assets, including the documentation of ICT operations)
* Must be approved by the management body.