+RTS ICT Risk Management T. II Ch. I Sec. 5 Art. 10 , 3
|
1. Overview
RTS ICT Risk Management T. II Ch. I Sec. 5 Art. 10 , 3
3. As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document and implement patch management procedures.
1.1 References
1.2 Identified Requirements
1.3 Related Standards
2. Identified Requirements
Requirements
| Source |
Requirement |
3. Related Standards
Standards
| Source |
Requirement |
|
NOREA
|
Resource Management
Identify and maintain relevant and trustworthy information resources to build and sustain awareness about vulnerabilities. Track the usage of thirdparty libraries, including open source, by monitoring versions and potential updates (see also 28.2-3).
|
|
NOREA
|
Vulnerability Management
Conduct automated vulnerability scanning and assessments on ICT assets. For assets supporting critical or important functions, perform scans and assessments on a weekly basis. Record detected vulnerabilities, monitor their resolution status, and verify the remediation of vulnerabilities. Disclose vulnerabilities responsibly to clients/customers, financial counterparts, and the public when appropriate. Ensure thirdparty service providers report vulnerabilities related to the services they offer. This includes investigating vulnerabilities, determining root causes, and implementing appropriate solutions by the service providers.
*Specific to central securities depositories and central counterparties: perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions.
|
|
NOREA
|
Patch Management
Identify and evaluate available ICT assets (e.g., software and hardware) patches and updates using automated tools, to the extent possible. Deploy patches to address identified vulnerabilities. Prioritize the deployment of patches and other mitigation measures based on the criticality of the vulnerability and the classification and risk profile of the affected assets. Establish emergency procedures for patching and updating ICT assets. Test and deploy ICT asset patches and updates. Set due dates for the installation of ICT asset patches and updates, and establish escalation procedures in case the due dates cannot be met. In cases where no patches can be applied or are available, identify and implement alternative mitigation measures within the set due dates.
|
|