Inventory Management
1. Overview
Inventory Management
Keep an inventory of (ICT) assets, monitor their life-cycle, and update the inventory periodically and upon every major change in the network, the IT infrastructure, or the processes and procedures supporting business functions. Keep records of the following for each ICT asset:
- unique identifier;
- location (physical or logical);
- asset classification;
- identity of the asset owner;
- information needed for a specific risk assessment of legacy systems;
- business functions or services supported;
- business continuity requirements (e.g., RTO, RPO);
- exposure to external networks, including the internet;
- links and interdependencies among assets and the business functions using each asset;
- the end dates of the ICT third-party service provider's regular, extended and custom support services, after which the asset is no longer supported by its supplier or by an ICT third-party service provider.
Ideally, inventory management is performed in an automated and continuous fashion.
2. Identified Requirements
Requirements
| Source | Requirement |
|--------|-------------|
3. Related Regulations
Regulations
Source: DORA
Regulation: DORA Ch. II Sec. II Art. 7 ICT systems, protocols and tools
In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are:
- (a) appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle as referred to in Article 4;
- (b) reliable;
- (c) equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced;
- (d) technologically resilient in order to adequately deal with additional information processing needs as required under stressed market conditions or other adverse situations.
Source: DORA
Regulation: DORA Ch. II Sec. II Art. 8(1)
1. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. Financial entities shall review as needed, and at least yearly, the adequacy of this classification and of any relevant documentation.
Source: DORA
Regulation: DORA Ch. II Sec. II Art. 8(5)
5. Financial entities shall identify and document all processes that are dependent on ICT third-party service providers, and shall identify interconnections with ICT third-party service providers that provide services that support critical or important functions.
Source: DORA
Regulation: DORA Ch. II Sec. II Art. 8(6)
6. For the purposes of paragraphs 1, 4 and 5, financial entities shall maintain relevant inventories and update them periodically and every time any major change as referred to in paragraph 3 occurs.
Source: DORA
Regulation: RTS ICT Risk Management T. II Ch. I Sec. 3 Art. 4(1)
As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on management of ICT assets.
Source: DORA
Regulation: RTS ICT Risk Management T. II Ch. I Sec. 3 Art. 4(2)
The policy on management of ICT assets referred to in paragraph 1 shall:
- (a) prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554;
- (b) prescribe that the financial entity keeps records of all of the following:
- (i) the unique identifier of each ICT asset;
- (ii) information on the location, either physical or logical, of all ICT assets;
- (iii) the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2554;
- (iv) the identity of ICT asset owners;
- (v) the business functions or services supported by the ICT asset;
- (vi) the ICT business continuity requirements, including recovery time objectives and recovery point objectives;
- (vii) whether the ICT asset can be or is exposed to external networks, including the internet;
- (viii) the links and interdependencies among ICT assets and the business functions using each ICT asset;
- (ix) where applicable, for all ICT assets, the end dates of the ICT third-party service provider’s regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider;
- (c) for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554.
Source: DORA
Regulation: RTS ICT Risk Management T. II Ch. I Sec. 3 Art. 5(1)
1. Financial entities shall develop, document, and implement a procedure for the management of ICT assets.
Source: DORA
Regulation: RTS ICT Risk Management T. II Ch. I Sec. 3 Art. 5(2)
2. The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account:
- (a) the ICT risk related to those business functions and their dependencies on the information assets or ICT assets;
- (b) how the loss of confidentiality, integrity, and availability of such information assets and ICT assets would impact the business processes and activities of the financial entities.