NOREA, the professional association of IT auditors - DORA in Control Framework


DORA in Control Framework

+ DORA in Control Framework
---+ Governance and Risk Management
------+ Risk Assessments
---------+ Risk Assessment
---------+ Major change risk assessment
---------+ Legacy Systems risk assessment
------+ (Internal) ICT Audit
---------+ Audit approach and frequency
---------+ Auditor requirements
---------+ Audit findings
---------+ Reliance Third-Party Assurance and Certifications
------+ Management Responsibilities
---------+ Governance of ICT risk
---------+ Knowledge of the Management Body
---------+ Digital Operational Resilience Strategy
---------+ Business Continuity Oversight
---------+ Audit Plan Approval and Review
------+ Risk Management Framework
---------+ Critical and Important Functions
---------+ Clear Segregation of Duties (SoD)
---------+ ICT Risk Management Framework
---------+ Annual Framework Review and Audit Process
---------+ Third-Party (Multi-vendor) Risk Management Program
---------+ Protection Measures
---+ Operational Management
------+ Asset Management
---------+ Resilient Systems
---------+ Inventory Management
---------+ Asset Classification and Documentation
------+ Change Management
---------+ Change Procedures
---------+ Security Requirements
---------+ Emergency Change Management
---------+ OTAP Implementation
------+ ICT Operations
---------+ Error Handling and Recovery
---------+ ICT Monitoring
---------+ Clock Synchronization Standardization
---------+ System Management and Security
---+ Continuity Management
------+ Backup Management
---------+ Backup Policy
---------+ Restore Procedures
------+ Response and Recovery
---------+ Business Continuity Policy
---------+ Crisis Management
---------+ Record Keeping
---------+ Business Impact Analysis
---------+ Response and Recovery
---------+ Testing and Assessment
---+ Incident Management
------+ Incident Classification
---------+ Incident Classification Criteria
---------+ Cyber Threat Classification Criteria and Information Exchange
------+ Incident Management
---------+ Incident Management Process
---------+ Incident Tracking
---------+ Incident Communication and Reporting
---+ Software and Systems Development
------+ Acquisition, Development, and Maintenance
---------+ Policy Framework
---------+ Environment Risk Mitigation Measures
---------+ Systems Testing Procedures
---------+ Source Code Reviews
------+ Project Management
---------+ ICT Project Management Practices
---------+ Project Risk Management
---+ Third-party Risk Management
------+ Third-party Due Diligence and Selection
---------+ Suitability Criteria
---------+ Selection Criteria
------+ Third-party (Standard) Contract Management
---------+ Termination Rights and Conditions
---------+ Service Level Management
---------+ Service Locations and Data Processing
---------+ Cooperation in Incident Response
---------+ Participation in Security Awareness Programs
------+ Third-party (Critical) Contract Management
---------+ (Critical) Service Level Management
---------+ Contractual Clauses
---------+ Third-party Critical Subcontracting Management
------+ Third-party Risk Management
---------+ Third-party Risk Management
---------+ Pre-Contract Risk Assessment
---------+ Register of Information
---------+ Contractual Requisites
---------+ Exit Strategies
---------+ Annual Reporting of New Arrangements
------+ Subcontracting Management
---------+ Third-Party Subcontractor Due Diligence
---------+ Subcontracting Risk Management
---------+ Subcontracting Monitoring
---+ Resilience Testing
------+ Digital Operational Resilience Testing
---------+ Resilience Testing Program
---------+ Diverse Testing Modalities
------+ Threat-led Penetration Testing (TLPT)
---------+ Outsourced System Testing
---------+ Selection of TLPT Testers
---------+ Periodic TLPT Testing
---+ Security Management
------+ Architectural and Network Security
---------+ Network Design and Segmentation
---------+ Network Security
---------+ Session Management
------+ Security Monitoring & Log Management
---------+ Security Monitoring (SIEM)
---------+ Event Identification for Logging
---------+ Secure Handling of Log Data
------+ Data and (Legacy) System Security
---------+ ICT (Security) Systems, tools, and solutions
---------+ Data Protection Practices
---------+ Vendor Recommended Security Settings
---------+ Endpoint Devices
---------+ Secure Data Deletion and Disposal
------+ Encryption and Cryptography
---------+ Data Encryption
---------+ Cryptographic Key Management and Lifecycle
------+ Identity and Access Management
---------+ Authentication Methods
---------+ Identity Management
---------+ Privileged Access Management
---------+ Account Management
------+ Physical and Environmental Security
---------+ Physical and Environmental Security
------+ Security Awareness
---------+ Resilience Training Programs
---------+ Inclusion of Third-Party Providers
------+ Vulnerability and Patch Management
---------+ Resource Management
---------+ Vulnerability Management
---------+ Patch Management