RTS ICT Risk Management T. II Ch. I Sec. 5 Art. 8, 2

1. Overview

2. The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following:

  • (a) an ICT assets description, including all of the following:
    • (i) requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system;
    • (ii) requirements regarding the management of information assets used by ICT assets, including their processing and handling, both automated and manual;
    • (iii) requirements regarding the identification and control of legacy ICT systems;
  • (b) controls and monitoring of ICT systems, including all of the following:
    • (i) backup and restore requirements of ICT systems;
    • (ii) scheduling requirements, taking into consideration interdependencies among the ICT systems;
    • (iii) protocols for audit-trail and system log information;
    • (iv) requirements to ensure that the performance of internal audit and other testing minimises disruptions to business operations;
    • (v) requirements on the separation of ICT production environments from the development, testing, and other non-production environments;
      • For the purposes of point (b)(v), the separation shall consider all of the components of the environment, including accounts, data or connections, as required by Article 13, first subparagraph, point (a).
    • (vi) requirements to conduct the development and testing in environments which are separated from the production environment;
    • (vii) requirements to conduct the development and testing in production environments;
      • For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment.
  • (c) error handling concerning ICT systems, including all of the following:
    • (i) procedures and protocols for handling errors;
    • (ii) support and escalation contacts, including external support contacts in case of unexpected operational or technical issues;
    • (iii) ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption.
3. Related Standards

Standards: Source | Requirement
NOREA Critical and Important Functions
Identify, classify and adequately document all critical and important functions. This process involves determining which functions are essential for the entity's operational stability and continuity. Review as needed, and at least yearly, the adequacy of this classification.
NOREA Clear Segregation of Duties (SoD)
Establish Segregation of Duties (SoD) with regard to risk management functions, following the three lines of defence model or internal risk management and control model.
NOREA ICT Risk management framework

A sound, comprehensive and well-documented ICT risk management framework is in place. Its goal is to address all ICT risks properly and ensure a high level of digital resilience. The responsibility for risk management is properly assigned to a control function.

The ICT risk management framework shall be documented and reviewed at least annually, or periodically for microenterprises, with immediate reviews triggered by major ICT-related incidents or supervisory feedback. Continuous improvement will be ensured by incorporating lessons learned from implementation, monitoring, and audits. The report of the review will be prepared according to the requirements as stated in chapter 5 (Article 27) of the RTS RM and will be made available for submission to the competent authority upon request. 

Assess new standards and relevant technology developments in the field of information security, cybersecurity and resilience on a continuous basis and make proposals on how they can strengthen the information security and cybersecurity control measures of the institution.

NOREA Annual Framework Review and Audit Process

The effectiveness of the risk management framework is monitored based on the risk exposure over time to critical or important business functions. Implement a reviewing and auditing process, with a minimum yearly review of the framework, triggered by major ICT incidents, regulator instructions, or major audit findings. 

The tasks of verifying compliance with ICT risk management requirements may be outsourced to intra-group or external undertakings. In case of such outsourcing, the financial entity remains fully responsible for the verification of compliance with the ICT risk management requirements.

NOREA Third-Party (Multi-vendor) Risk Management Program

Maintain a comprehensive third-party risk management program which includes:

  • A register of information related to the use of third-party service providers, especially those supporting critical or important functions (see also control 17.3).
  • A policy on the management of ICT third parties, including the criteria for determining the criticality of service providers and the internal responsibilities for managing third parties.
  • Ensuring that senior management reviews the policy and designates a member to monitor relations with the third parties and the contractual arrangements.
  • A (holistic) multi-vendor strategy, if deemed relevant, showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of ICT third-party service providers.
NOREA Change Procedures
Ensure that all changes to software, hardware, firmware components, and systems, along with security parameters, are appropriately placed and scoped. Document and communicate change details, including the purpose and scope of the change, the implementation timeline, and expected outcomes. Define clear roles and responsibilities to ensure that changes are defined, planned, transitioned, tested, and finalized in a controlled manner. Additionally, establish effective quality assurance procedures. Implement mechanisms to maintain independence between the functions that approve changes and those responsible for requesting and implementing them.
NOREA Security Requirements
Identify the potential impact of a change on existing security measures and assess whether additional security measures are required for its implementation. Verify that security requirements have been met for all implemented changes. Establish fallback procedures and assign responsibilities for aborting changes or recovering from changes not successfully implemented.
NOREA Emergency Change Management
Define procedures for documenting, reevaluating, assessing, and approving the implementation of emergency changes, including workarounds and patches.
NOREA OTAP Implementation
Ensure segregation of production environments from development, testing, and other non-production environments, encompassing all components of an environment. This also includes requirements for conducting development and testing in production environments. Ensure that the instances in which testing is performed in a production environment are clearly identified, justified, for limited periods of time, and approved by the relevant function.
NOREA Error Handling and Recovery
Establish guidelines for handling errors, including support and escalation contacts, as well as external support contacts in case of unexpected operational or technical issues. Define the procedures for ICT system restart, rollback, and recovery to be used in the event of an ICT system disruption. Ensure the contact details remain available even when systems are unavailable.
NOREA Protection Measures

Implement policies and procedures to protect all information, ICT assets, and relevant physical ICT components and infrastructures. At least the following policies shall be established and maintained.

  • Security policy
  • Human resources policy
  • Encryption and cryptographic control policy
  • Identity and access management (IAM) policy
  • Change management policy
  • Network security policy
  • ICT operating policies and procedures
  • (Crisis) Communication policy
  • Vulnerability and patch management policy
  • Backup policy
  • Project management policy
  • Physical and environmental security policy
  • Business continuity policy with response and recovery plans (including testing plans), see control 1.4 *
  • ICT third-party service providers management policy, see control 1.1. *
  • Operations of ICT assets (ensuring network security, protect against intrusions and data misuse and defining how the entity operates, monitors, controls, and restores ICT assets, including the documentation of ICT operations).

* must be approved by the Management body

NOREA ICT Monitoring

Develop, document and implement capacity and performance management procedures to identify capacity requirements of their ICT systems and apply resource optimisation and monitoring procedures to maintain and improve the availability of data and ICT systems and efficiency of ICT systems and prevent ICT capacity shortages.

NOREA Clock Synchronization Standardization

Ensure clock synchronization of all ICT systems to a single reliable reference time source.

NOREA System Management and Security

Provide system descriptions that encompass secure installation, maintenance, configuration, and deinstallation/disposal of ICT assets. This includes the management of assets, both automated and manual, and the identification and control of legacy ICT systems.