RTS ICT Risk Management T. II Ch. I Sec. 5 Art. 10, 2

1. Overview

2. The vulnerability management procedures referred to in paragraph 1 shall:

  • (a) identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilities;
  • (b) ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset;
    • For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis.
  • (c) verify whether:
    • (i) ICT third-party service providers handle vulnerabilities related to the ICT services provided to the financial entity;
    • (ii) whether those service providers report to the financial entity at least the critical vulnerabilities and statistics and trends in a timely manner;
    • For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action.
  • (d) track the usage of:
    • (i) third-party libraries, including open-source libraries, used by ICT services supporting critical or important functions;
    • (ii) ICT services developed by the financial entity itself or specifically customised or developed for the financial entity by an ICT third-party service provider;
    • For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage to the extent possible of third-party libraries, including open-source libraries.
  • (e) establish procedures for the responsible disclosure of vulnerabilities to clients, counterparties, and to the public;
  • (f) prioritise the deployment of patches and other mitigation measures to address the vulnerabilities identified;
    • For the purposes of point (f), financial entities shall consider the criticality of the vulnerability, the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the ICT assets affected by the identified vulnerabilities.
  • (g) monitor and verify the remediation of vulnerabilities;
  • (h) require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution.

2. Identified Requirements

3. Related Standards

Standards (source and requirement)

NOREA Resource Management
Identify and maintain relevant and trustworthy information resources to build and sustain awareness about vulnerabilities. Track the usage of third-party libraries, including open source, by monitoring versions and potential updates (see also 28.2-3).

NOREA Vulnerability Management
Conduct automated vulnerability scanning and assessments on ICT assets. For assets supporting critical or important functions, perform scans and assessments on a weekly basis. Record detected vulnerabilities, monitor their resolution status, and verify the remediation of vulnerabilities. Disclose vulnerabilities responsibly to clients/customers, financial counterparts, and the public when appropriate. Ensure third-party service providers report vulnerabilities related to the services they offer. This includes investigating vulnerabilities, determining root causes, and implementing appropriate solutions by the service providers.

*Specific to central securities depositories and central counterparties: perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions.

NOREA Patch Management
Identify and evaluate available ICT assets (e.g., software and hardware) patches and updates using automated tools, to the extent possible. Deploy patches to address identified vulnerabilities. Prioritize the deployment of patches and other mitigation measures based on the criticality of the vulnerability and the classification and risk profile of the affected assets. Establish emergency procedures for patching and updating ICT assets. Test and deploy ICT asset patches and updates. Set due dates for the installation of ICT asset patches and updates, and establish escalation procedures in case the due dates cannot be met. In cases where no patches can be applied or are available, identify and implement alternative mitigation measures within the set due dates.