RTS ICT Risk Management T. II Ch. I Sec. 3 Art. 4, 2

1. Overview

The policy on management of ICT assets referred to in paragraph 1 shall:

  • (a) prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554;
  • (b) prescribe that the financial entity keeps records of all of the following:
    • (i) the unique identifier of each ICT asset;
    • (ii) information on the location, either physical or logical, of all ICT assets;
    • (iii) the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2554;
    • (iv) the identity of ICT asset owners;
    • (v) the business functions or services supported by the ICT asset;
    • (vi) the ICT business continuity requirements, including recovery time objectives and recovery point objectives;
    • (vii) whether the ICT asset can be or is exposed to external networks, including the internet;
    • (viii) the links and interdependencies among ICT assets and the business functions using each ICT asset;
    • (ix) where applicable, for all ICT assets, the end dates of the ICT third-party service provider’s regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider;
  • (c) for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554.

2. Identified Requirements

3. Related Standards

NOREA Resilient Systems

Use and maintain ICT systems, protocols, and tools that are up to date and:

  • Tailored to the magnitude of ICT operations
  • Reliable
  • Equipped with sufficient capacity to accurately process data and to deal with peak orders, message or transaction volumes as needed
  • Technologically resilient to deal with additional processing needs under stressed market conditions or other adverse market conditions

NOREA Inventory Management

Keep an inventory of (ICT) assets, monitor their life-cycle and update it periodically and upon every major change in the network, the IT infrastructure, and processes and procedures supporting business functions. Keep records of the following for each ICT asset: unique identifier, location (physical or logical), asset classification, identity of asset owner, information for specific risk assessment on legacy systems, business functions or services supported, business continuity requirements (e.g., RTO, RPO), exposure to external networks, including the internet, links and interdependencies among assets and business functions using each asset, and the end dates of the ICT third-party service provider’s regular, extended and custom support services after which it is no longer supported by its supplier or by an ICT third-party service provider.

Ideally, inventory management is performed in an automated and continuous fashion.

NOREA Asset Classification and Documentation

Identify, classify and document all ICT-supported business functions, including the assets supporting them, and detail the roles and dependencies of these assets in relation to ICT risk. Additionally, identify and document all ICT-supported business functions dependent on ICT third-party service providers, and identify the services provided by third-party providers that support critical or important business functions. Make a mapping of critical (ICT) assets based on a criticality assessment, which must include network resources, hardware equipment, and resources on remote sites. This mapping should also incorporate the configuration of assets and their links and interdependencies with other assets. The criticality assessment should follow clear criteria to evaluate the ICT risk related to business functions, taking into account the potential impact of confidentiality, integrity, and availability losses. Review the adequacy of this classification and documentation at least on a yearly basis, ensuring it meets the requirements for maintaining accurate and up-to-date asset records.
