RTS ICT Risk Management T. II Ch. I Sec. 5 Art. 12, 2
1. Overview
2. The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following:
- (a) the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created;
- For the purposes of point (a), financial entities shall establish the retention period, taking into account the business and information security objectives, the reason for recording the event in the logs, and the results of the ICT risk assessment.
- (b) the alignment of the level of detail of the logs with their purpose and usage to enable the effective detection of anomalous activities as referred to in Article 24;
- (c) the requirement to log events related to all of the following:
- (i) logical and physical access control, as referred to in Article 21, and identity management;
- (ii) capacity management;
- (iii) change management;
- (iv) ICT operations, including ICT system activities;
- (v) network traffic activities, including ICT network performance;
- (d) measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use;
- (e) measures to detect a failure of logging systems;
- (f) without prejudice to any applicable regulatory requirements under Union or national law, the synchronisation of the clocks of each of the financial entity’s ICT systems upon a documented reliable reference time source.
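Points (d), (e) and (f) state what the logging controls must achieve, not how. As an added illustration (not part of the RTS text or of any NOREA standard), the Python below shows one way to meet them together: every record carries an HMAC over its own content and over the previous record's MAC, so modification, deletion or reordering inside the chain is detectable by a verifier; the newest MAC is anchored off-host (forwarded to the log collector) so that deleting the tail of the chain is also detectable; and a source that falls silent beyond its expected cadence is flagged as a logging failure rather than read as "no events occurred". The key, the sample access-control events and the timestamps are constructed for the example, and the timestamp-regression check is only meaningful once clocks are synchronised as point (f) requires.

```python
# Added illustration for Article 12(2)(d), (e) and (f): an HMAC-linked log
# chain, a verifier that reports tampering, deletion and reordering, and a
# silence check for a log source that has stopped emitting. Hypothetical code;
# the key, events and timestamps below are constructed for the example.
import copy
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Hypothetical key. In a real deployment the verifying key lives with the log
# collector (or an HSM), not on the host producing the log; otherwise an
# attacker with host access can simply re-sign whatever they changed.
KEY = b"example-only-not-a-production-key"
GENESIS = "0" * 64  # prev-link of the first record


def _mac(body):
    """HMAC-SHA256 over a canonical JSON encoding of the record body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, canonical, hashlib.sha256).hexdigest()


def make_record(seq, ts, event, prev_mac):
    """One record: sequence number, UTC timestamp, event text and the MAC of
    the previous record, all covered by this record's own MAC."""
    body = {"seq": seq, "ts": ts.isoformat(), "event": event, "prev": prev_mac}
    body["mac"] = _mac(body)
    return body


def build_chain(events, start, interval):
    chain, prev = [], GENESIS
    for i, event in enumerate(events):
        record = make_record(i, start + i * interval, event, prev)
        chain.append(record)
        prev = record["mac"]
    return chain


def verify_chain(chain):
    """Return a list of problems (empty means intact). Catches modified
    content, deleted or reordered records and timestamps that go backwards."""
    problems, prev, expected_seq, last_ts = [], GENESIS, 0, None
    for record in chain:
        body = {k: v for k, v in record.items() if k != "mac"}
        if not hmac.compare_digest(_mac(body), record["mac"]):
            problems.append(f"seq {record['seq']}: MAC mismatch (content modified)")
        if record["prev"] != prev:
            problems.append(f"seq {record['seq']}: chain break (record deleted or reordered)")
        if record["seq"] != expected_seq:
            problems.append(f"seq {record['seq']}: expected seq {expected_seq}")
        ts = datetime.fromisoformat(record["ts"])
        if last_ts is not None and ts < last_ts:
            problems.append(f"seq {record['seq']}: timestamp went backwards (clock not synchronised?)")
        prev, expected_seq, last_ts = record["mac"], record["seq"] + 1, ts
    return problems


def truncated(chain, anchored_mac):
    """The chain cannot reveal deletion of its own tail; compare its last MAC
    with the one anchored off-host at the collector to detect that."""
    return chain[-1]["mac"] != anchored_mac


def detect_logging_failure(chain, now, max_silence):
    """Point (e): a source silent for longer than its expected cadence is a
    failed logger, not evidence that nothing happened."""
    last = datetime.fromisoformat(chain[-1]["ts"])
    return now - last > max_silence


# Constructed sample: four access-control events one minute apart.
BASE = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    "login user=alice src=10.0.0.5 result=success",
    "sudo user=alice cmd=/bin/bash",
    "logout user=alice",
    "login user=bob src=10.0.0.9 result=failure",
]


def sample_chain():
    return build_chain(SAMPLE_EVENTS, BASE, timedelta(minutes=1))


def demo():
    """Run the verifier over the clean chain and three manipulated copies."""
    chain = sample_chain()
    tampered = copy.deepcopy(chain)
    tampered[1]["event"] = "sudo user=alice cmd=/usr/bin/id"  # rewrite history
    deleted = copy.deepcopy(chain)
    del deleted[2]                                             # drop a middle record
    tail_cut = chain[:-1]                                      # drop the newest record
    return {
        "clean": verify_chain(chain),
        "tampered": verify_chain(tampered),
        "deleted": verify_chain(deleted),
        "tail_cut_chain_only": verify_chain(tail_cut),
        "tail_cut_vs_anchor": truncated(tail_cut, chain[-1]["mac"]),
        "silent_source": detect_logging_failure(chain, BASE + timedelta(hours=1), timedelta(minutes=10)),
        "healthy_source": detect_logging_failure(chain, BASE + timedelta(minutes=5), timedelta(minutes=10)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly to print the verifier's findings for each scenario. The design choice that matters for point (d) is where the verifying key and the anchored head MAC live: if both sit on the host that writes the log, an attacker with host access re-signs the modified chain and the verifier sees nothing, so the collector rather than the producer should hold them.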
2. Identified Requirements
Requirements

| Source | Requirement |
|---|---|
3. Related Standards
Standards

| Source | Requirement |
|---|---|
| NOREA | Security Monitoring (SIEM): Put in place mechanisms to detect anomalous activities, including network performance issues, incidents reported by third parties in the services they provide, and potential material single points of failure. The mechanisms shall enable multiple layers of control, define alerting thresholds and criteria, and monitor specific events so that incident response is triggered automatically. Identify and implement tools that generate alerts on anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions. Devote sufficient resources to detection and monitoring activities, especially for cyber attacks. |
| NOREA | Event Identification for Logging: Identify the events to be logged, covering logical access, physical access, identity management, capacity management, change management, ICT operations (including system activity) and network traffic activities (including network performance). Determine the level of detail of the logs, aligned with the purpose for which they are created and sufficient to enable effective detection of anomalous activities. Define retention periods for logs, considering business and security objectives, the purpose of recording the logs, and the results of the risk assessment. *Data reporting service providers shall, in addition, have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports. |
| NOREA | Secure Handling of Log Data: Implement measures to secure and handle log data, taking into account the purpose for which the logs are created. Establish measures to detect failures of logging systems. Protect the records of anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. |
| NOREA | Error Handling and Recovery: Establish guidelines for handling errors, including support and escalation contacts as well as external support contacts, for unexpected operational or technical issues. Define the procedures for ICT system restart, rollback and recovery to be used in the event of an ICT system disruption. Ensure the contact details remain available even when the ICT systems themselves are unavailable. |
| NOREA | ICT Monitoring: Develop, document and implement capacity and performance management procedures to identify the capacity requirements of the ICT systems, and apply resource optimisation and monitoring procedures to maintain and improve the availability of data and ICT systems and the efficiency of ICT systems, and to prevent ICT capacity shortages. |
| NOREA | Clock Synchronization Standardization: Ensure clock synchronisation of all ICT systems to a single, documented and reliable reference time source. |
| NOREA | System Management and Security: Provide system descriptions that cover secure installation, maintenance, configuration and deinstallation/disposal of ICT assets, including the management of assets (both automated and manual) and the identification and control of legacy ICT systems. |