RTS ICT Risk Management T. II Ch. I Sec. 7 Art. 16, 2

1. Overview
2. Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally.

Central counterparties shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph:
- (a) clearing members and clients;
- (b) interoperable central counterparties;
- (c) other interested parties.
Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph:
- (a) users;
- (b) critical utilities and critical service providers;
- (c) other central securities depositories;
- (d) other market infrastructures;
- (e) any other institutions with which central securities depositories have identified interdependencies in their business continuity policy.
2. Identified Requirements

| Source | Requirement |
|---|---|
3. Related Standards

| Source | Requirement |
|---|---|
| NOREA | Policy Framework: Establish and maintain a policy governing the acquisition, development, and maintenance of ICT systems. Implement security practices and methodologies throughout the acquisition, development, and maintenance lifecycle. Define functional and non-functional requirements for ICT systems, including security aspects. Obtain approval from relevant business functions and asset owners in accordance with internal governance. |
| NOREA | Environment Risk Mitigation Measures: Put in place measures to mitigate the risk of unintentional alteration or intentional manipulation during development, maintenance, and deployment in production. Protect the integrity and confidentiality of data in non-production environments. Store only anonymized, pseudonymized, or randomized production data. Production data that are not anonymized, not pseudonymized or not randomized may be stored only for specific testing occasions, for limited periods of time and following the approval by the relevant function and, for financial entities other than microenterprises, the reporting of such occasions to the ICT risk management function. |
| NOREA | Systems Testing Procedures: Develop and follow procedures for testing and approval of all ICT systems before use and after maintenance. Determine the testing level based on the criticality of the business functions and ICT assets. Design and implement testing procedures to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Perform security testing of software packages no later than the integration phase. |
| NOREA | Source Code Reviews: Conduct source code reviews encompassing static and dynamic testing, for the purpose of acquisition, development and maintenance of ICT systems. Include security testing for internet-exposed systems. Identify and address vulnerabilities and anomalies in the source code and put in place plans to mitigate them. Monitor mitigation efforts. Implement controls to safeguard the integrity of source code, whether developed in-house or by a third-party service provider. Analyze and test source code and proprietary software provided by third-party service providers or from open-source projects for vulnerabilities. |