RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 6, 2
1. Overview
2. Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following:
- (a) the encryption of data at rest and in transit;
- (b) the encryption of data in use, where necessary;
- For the purposes of point (b), where encryption of data in use is not possible, financial entities shall process data in use in a separated and protected environment, or take equivalent measures to ensure the confidentiality, integrity, authenticity, and availability of data.
- (c) the encryption of internal network connections and traffic with external parties;
- (d) the cryptographic key management referred to in Article 7, laying down rules on the correct use, protection, and lifecycle of cryptographic keys.
2. Identified Requirements

Requirements

| Source | Requirement |
|---|---|
3. Related Standards

Standards

| Source | Requirement |
|---|---|
| NOREA | Data Encryption: Define rules for encrypting data at rest, in transit, and, where applicable, in use, considering data classification and risk assessments. Specify procedures when encryption of data in use is not feasible, ensuring processing in a separate and protected environment or taking equivalent measures. Implement rules for encrypting internal network connections and traffic with external parties, aligned with data classification and risk assessments. |
| NOREA | Cryptographic Key Management and Lifecycle: Establish protocols for the proper use, protection, and lifecycle management of cryptographic keys. Define criteria for selecting cryptographic techniques and practices, incorporating best practices and industry standards. Employ mitigation and monitoring measures if adherence to these practices and standards is not possible. Outline requirements for managing and controlling cryptographic keys throughout their lifecycle, including generation, storage, backup, archiving, retrieval, transmission, retirement, revocation, and destruction. Establish methods to recover cryptographic keys in case of loss, compromise, or damage. Monitor crypto-analysis developments and, when necessary, update or change cryptographic technology. Implement mitigation and monitoring measures if changing or updating the cryptographic technology is not feasible. Maintain a register for all certificates and certificate storing devices. |