+DORA Ch. IV Art. 24 3.
|
1. Overview
DORA Ch. IV Art. 24 3.
3. When conducting the digital operational resilience testing programme referred to in paragraph 1 of this Article, financial entities, other than microenterprises, shall follow a risk-based approach taking into account the criteria set out in Article 4(2) duly considering the evolving landscape of ICT risk, any specific risks to which the financial entity concerned is or might be exposed, the criticality of information assets and of services provided, as well as any other factor the financial entity deems appropriate.
1.1 References
1.2 Identified Requirements
1.3 Related Standards
2. Identified Requirements
Requirements
| Source |
Requirement |
3. Related Standards
Standards
| Source |
Requirement |
|
NOREA
|
Resilience Testing Program
Establish a risk-based digital operational resilience testing program encompassing identification, classification, and full remediation of test deficiencies based on risk landscape and criticality of assets and services. Utilize independent internal or external parties for conducting tests, ensuring clear Segregation of Duties (SoD). Conduct yearly tests on all systems and applications supporting critical or important functions (see controls 19-20 for the digital operational resilience tests).
|
|
NOREA
|
Diverse Testing Modalities
Employ a range of tests including vulnerability assessments, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires, scanning software solutions, source code reviews (where applicable), scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing as appropriate.
|
|