+RTS ICT Risk Management T. II Ch. I Sec. 8 Art. 18 , 2
|
1. Overview
RTS ICT Risk Management T. II Ch. I Sec. 8 Art. 18 , 2
2. The physical and environmental security policy referred to in paragraph 1 shall contain all of the following:
- (a) a reference to the section of the policy on control of access management rights referred to in Article 21, first paragraph, point (g);
- (b) measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside;
- For the purposes of point (b), the measures to protect from environmental threats and hazards shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein.
- (c) measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets;
- For the purposes of point (c), the physical and environmental security policy referred to in paragraph 1 shall contain measures to provide appropriate protection to unattended ICT assets.
- (d) measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance;
- (e) measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including:
- (i) a clear desk policy for papers;
- (ii) a clear screen policy for information processing facilities.
1.1 References
1.2 Identified Requirements
1.3 Related Standards
2. Identified Requirements
Requirements
| Source |
Requirement |
3. Related Standards
Standards
| Source |
Requirement |
|
NOREA
|
Physical and Environmental Security
Implement measures to safeguard the environment (premises, data centers, and sensitive designated areas) where important assets are located from attacks, accidents and from environmental threats and hazards. The level of protection from environmental threats should be commensurate with the importance of the asset storage location and the criticality of operations. Safeguard assets both within and outside the entity's premises, ensuring the Confidentiality, Integrity, and Availability (CIA) of these assets. These measures should be determined based on the outcomes of a risk assessment. This also includes practices like maintaining a clean desk and ensuring screens are clear at processing facilities and access to critical ICT assets. Identify and record authorized personnel entering critical locations of the financial entity. Grant physical access rights to critical ICT assets based on needtoknow, least privilege principles, and ad-hoc requirements according to the access management policy. Monitor physical access to premises, data centers, and designated sensitive areas, aligned with asset classification and area criticality. Regularly review and promptly revoke unnecessary physical access rights.
|
|