RTS ICT Risk Management T. II Ch. III Art. 23, 2

1. Overview
2. The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to:
- (a) collect, monitor, and analyse all of the following:
  - (i) internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity;
  - (ii) potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity;
  - (iii) ICT-related incident notification from an ICT third-party service provider of the financial entity detected in the ICT systems and networks of the ICT third-party service provider and that may affect the financial entity;
- (b) identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions;

  For the purposes of point (b), the tools referred to in that point shall contain the tools that provide automated alerts based on pre-defined rules to identify anomalies affecting the completeness and integrity of the data sources or log collection.

- (c) prioritise the alerts referred to in point (b) to allow for the management of the detected ICT-related incidents within the expected resolution time, as specified by financial entities, both during and outside working hours;
- (d) record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually.
2. Identified Requirements

| Source | Requirement |
|---|---|
3. Related Standards

| Source | Requirement |
|---|---|
| NOREA | Security Monitoring (SIEM): Put in place mechanisms to detect anomalous activities, including network performance issues, incidents (reported by third parties in the services that they provide), and potential material single points of failure. The mechanisms shall enable multiple layers of control, define alerting thresholds, and monitor specific events and criteria so that incident response is triggered automatically. Identify and implement tools generating alerts on anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions. Devote sufficient resources to detection and monitoring activities, especially for cybersecurity attacks. |
| NOREA | Event Identification for Logging: Identify events to be logged, covering logical access, physical access, identity management, capacity management, change management, ICT operation (including system activity), and network traffic activities (including network performance). Determine the level of detail for the logs, aligning with the purpose for which the logs were created and to enable effective detection of anomalous activities. Define retention periods for logs, considering business and security objectives, the purpose of recording logs, and risk assessments. *Data reporting service providers shall, in addition, have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports. |
| NOREA | Secure Handling of Log Data: Implement measures to secure and handle log data, taking into account the purpose for which the logs were created. Establish measures to detect failures in logging systems. Protect the recording of anomalous activities against tampering and unauthorised access at rest, in use (where relevant), and in transit. |
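The sub-paragraph under Art. 23(2)(b) (automated, rule-based alerts on the completeness and integrity of log collection) and the NOREA items above (detect failures in logging systems; protect recorded anomalies against tampering) describe controls without showing what one looks like in practice. The following is an added illustration, not part of the RTS text or of any NOREA material: a small log-collection health monitor that applies pre-defined silence thresholds per source, flags sequence-number gaps, and keeps a SHA-256 hash chain over stored records so that later alteration or truncation is detectable. Source names, thresholds and the sample records are constructed for the example; a real deployment would take them from the entity's SIEM configuration.

```python
"""Added example: rule-based monitoring of log-collection completeness and integrity.

Not code from the RTS or NOREA. Rules, source names and records below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SourceRule:
    """Pre-defined rule: a source must report at least once within max_silence_s."""
    name: str
    max_silence_s: int


@dataclass
class SourceState:
    last_ts: Optional[int] = None
    last_seq: Optional[int] = None
    chain_head: str = "0" * 64                  # running hash over all records received
    records: list = field(default_factory=list)  # (record, chain value after it)


def chain_hash(prev: str, record: dict) -> str:
    """One hash-chain step: binds each stored record to every earlier one."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev.encode() + payload).hexdigest()


class CollectionMonitor:
    def __init__(self, rules: List[SourceRule], started_at: int):
        self.rules: Dict[str, SourceRule] = {r.name: r for r in rules}
        self.state: Dict[str, SourceState] = {r.name: SourceState() for r in rules}
        self.started_at = started_at

    def ingest(self, record: dict) -> List[str]:
        """Store one record; return completeness alerts for sequence-number gaps."""
        src = record["source"]
        if src not in self.state:
            return [f"UNKNOWN-SOURCE {src}: no rule defined, record not trusted"]
        st = self.state[src]
        alerts = []
        if st.last_seq is not None and record["seq"] != st.last_seq + 1:
            alerts.append(f"GAP {src}: expected seq {st.last_seq + 1}, got {record['seq']}")
        st.last_seq = record["seq"]
        st.last_ts = record["ts"]
        st.chain_head = chain_hash(st.chain_head, record)
        st.records.append((dict(record), st.chain_head))
        return alerts

    def check_silence(self, now: int) -> List[str]:
        """Completeness rule: a silent source usually means a failed collector or forwarder."""
        alerts = []
        for name, rule in self.rules.items():
            last = self.state[name].last_ts
            since = now - (last if last is not None else self.started_at)
            if since > rule.max_silence_s:
                alerts.append(f"SILENT {name}: no records for {since}s (limit {rule.max_silence_s}s)")
        return alerts

    def verify_chain(self, name: str) -> bool:
        """Integrity check: recompute the chain; False if any stored record was altered or removed."""
        prev = "0" * 64
        for record, digest in self.state[name].records:
            prev = chain_hash(prev, record)
            if prev != digest:
                return False
        return prev == self.state[name].chain_head


# Constructed rules and sample records (not real log data); firewall seq 3 never arrives.
RULES = [SourceRule("firewall", max_silence_s=60), SourceRule("idp", max_silence_s=300)]
SAMPLE_RECORDS = [
    {"source": "firewall", "ts": 1000, "seq": 1, "msg": "deny tcp 10.0.0.5 -> 10.0.0.9:445"},
    {"source": "firewall", "ts": 1010, "seq": 2, "msg": "deny tcp 10.0.0.5 -> 10.0.0.9:3389"},
    {"source": "idp", "ts": 1020, "seq": 1, "msg": "login ok user=alice mfa=yes"},
    {"source": "firewall", "ts": 1030, "seq": 4, "msg": "permit tcp 10.0.0.7 -> 10.0.0.9:443"},
]


def run_demo(now: int = 1100) -> dict:
    """Ingest the sample, apply both rule types, then show the chain catching a tampered record."""
    mon = CollectionMonitor(RULES, started_at=990)
    gap_alerts = [a for r in SAMPLE_RECORDS for a in mon.ingest(r)]
    silence_alerts = mon.check_silence(now)
    intact_before = mon.verify_chain("firewall")
    # Simulated after-the-fact modification of a stored record (the thing the chain must catch).
    mon.state["firewall"].records[0][0]["msg"] = "permit tcp 10.0.0.5 -> 10.0.0.9:445"
    intact_after = mon.verify_chain("firewall")
    return {"gaps": gap_alerts, "silent": silence_alerts,
            "intact_before": intact_before, "intact_after": intact_after}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The silence and gap rules cover the "completeness" half of the sub-paragraph (a source that stops forwarding, or a collector that drops records, is visible before an analyst notices the missing evidence); the hash chain covers the "integrity" half for records already at rest. In production the chain head would be anchored somewhere the log server cannot rewrite (a separate signing service or write-once storage), since a chain verified only against its own stored head detects accidental corruption but not an adversary who rewrites both.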