RTS ICT Risk Management T. II Ch. I Sec. 8 Art. 18, 1

1. Overview


1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall specify, document, and implement a physical and environmental security policy. Financial entities shall design that policy in light of the cyber threat landscape, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and in light of the overall risk profile of ICT assets and accessible information assets.
Summary Regulation

1.1 References

1.2 Identified Requirements

1.3 Related Standards

2. Identified Requirements

Requirements
Source Requirement

3. Related Standards

Standards
Source Requirement
NOREA Physical and Environmental Security
Implement measures to safeguard the environment (premises, data centers, and sensitive designated areas) where important assets are located from attacks, accidents and from environmental threats and hazards. The level of protection from environmental threats should be commensurate with the importance of the asset storage location and the criticality of operations. Safeguard assets both within and outside the entity's premises, ensuring the Confidentiality, Integrity, and Availability (CIA) of these assets. These measures should be determined based on the outcomes of a risk assessment. This also includes practices like maintaining a clean desk and ensuring screens are clear at processing facilities and access to critical ICT assets. Identify and record authorized personnel entering critical locations of the financial entity. Grant physical access rights to critical ICT assets based on need-to-know, least privilege principles, and ad-hoc requirements according to the access management policy. Monitor physical access to premises, data centers, and designated sensitive areas, aligned with asset classification and area criticality. Regularly review and promptly revoke unnecessary physical access rights.