+Data Encryption
|
1. Overview
Data Encryption
Define rules for encrypting data at rest, in transit, and, where applicable, in use, considering data classification and risk assessments. Specify procedures when encryption of data in use is not feasible, ensuring processing in a separate and protected environment or taking equivalent measures. Implement rules for encrypting internal network connections and traffic with external parties, aligned with data classification and risk assessments.
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
- RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 6 , 1 (DORA)
- RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 6 , 2 (DORA)
- RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 6 ,3 , (DORA)
- RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 6 , 4 (DORA)
- RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 6 , 5 (DORA)
- RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 7 , 1 (DORA)
- RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 7 , 2 (DORA)
- RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 7 , 3 (DORA)
- RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 7 , 4 (DORA)
- RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 7 , 5 (DORA)
2. Identified Requirements
Requirements
| Source |
Requirement |
3. Related Regulations
Regulations
| Source |
Regulation |
|
DORA
|
RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 6 , 1
1. As part of their ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on encryption and cryptographic controls.
|
|
DORA
|
RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 6 , 2
2. Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following:
- (a) the encryption of data at rest and in transit;
- (b) the encryption of data in use, where necessary;
- For the purposes of point (b), where encryption of data in use is not possible, financial entities shall process data in use in a separated and protected environment, or take equivalent measures to ensure the confidentiality, integrity, authenticity, and availability of data
- (c) the encryption of internal network connections and traffic with external parties;
- (d) the cryptographic key management referred to in Article 7, laying down rules on the correct use, protection, and lifecycle of cryptographic keys.
|
|
DORA
|
RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 6 ,3 ,
3. Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 criteria for the selection of cryptographic techniques and use practices, taking into account leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and the classification of relevant ICT assets established in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities that are not able to adhere to the leading practices or standards, or to use the most reliable techniques, shall adopt mitigation and monitoring measures that ensure resilience against cyber threats.
|
|
DORA
|
RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 6 , 4
4. Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments incryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyberthreats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographictechnology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats.
|
|
DORA
|
RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 6 , 5
5. Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 a requirement to record the adoption of mitigation and monitoring measures adopted in accordance with paragraphs 3 and 4 and to provide a reasoned explanation for doing so.
|
|
DORA
|
RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 7 , 1
1. Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys.
|
|
DORA
|
RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 7 , 2
2. Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment.
|
|
DORA
|
RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 7 , 3
3. Financial entities shall develop and implement methods to replace the cryptographic keys in the case of loss, or where those keys are compromised or damaged.
|
|
DORA
|
RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 7 , 4
4. Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date.
|
|
DORA
|
RTS ICT Risk Management T. II Ch. I Sec. 4 Art. 7 , 5
5. Financial entities shall ensure the prompt renewal of certificates in advance of their expiration.
|
|