Data and system security procedure
Obligation to Establish a Data and System Security Procedure (Article 11(1) RTS RMF)
As part of the ICT security policies, procedures, protocols and tools required under Article 9(2) DORA, financial entities must:
- develop,
- document, and
- implement
a data and system security procedure.
This procedure must uphold high standards of availability, authenticity, integrity, and confidentiality of data, especially for ICT systems supporting critical or important functions.
Mandatory Elements of the Data and System Security Procedure (Article 11(2) RTS RMF)
The procedure must contain all of the following elements, aligned with the data classification established under Article 8(1) DORA.
Access Restrictions (Article 21 RTS RMF)
The procedure must incorporate:
- access restrictions supporting the protection requirements for each classification level,
- alignment with access management principles set out in Article 21 RTS RMF.
Secure Configuration Baseline for ICT Assets
The procedure must include:
- identification of secure configuration baselines minimising exposure to cyber threats,
- measures to regularly verify that secure baselines are effectively deployed.
Baselines must take into account leading practices and standards under Article 2(1) Regulation (EU) No 1025/2012.
Measures Ensuring Only Authorised Software Is Installed
The procedure must identify security controls that ensure:
- installation of authorised software only,
- enforcement across ICT systems and endpoint devices.
Measures Against Malicious Code
The procedure must specify:
- security measures designed to detect, prevent and mitigate malicious code in ICT systems.
Measures Ensuring Only Authorised Storage Media and Devices Are Used
The procedure must define:
- security measures ensuring that only authorised data storage media, systems and endpoint devices are used to transfer and store financial-entity data.
Security Requirements for Portable and Private Endpoint Devices
The procedure must include:
(i) Remote management and remote wipe capability
- obligation to use a management solution allowing remote device management and remote wiping of financial-entity data.
(ii) Security mechanisms not modifiable by staff or ICT third-party providers
- requirement to use mechanisms that cannot be modified, removed or bypassed in an unauthorised manner.
(iii) Restricted use of removable data storage devices
- removable devices permitted only where residual ICT risk remains within the risk tolerance level referred to in Article 3(a) RTS RMF.
Secure Data Deletion
The procedure must define:
- a process for securely deleting data, whether stored on-premises or externally, when no longer required.
Secure Disposal or Decommissioning of Data Storage Devices
The procedure must outline:
- secure disposal or decommissioning processes for storage devices containing confidential information, whether stored on-premises or externally.
Measures to Prevent Data Loss and Leakage
The procedure must describe:
- measures to prevent data loss and leakage for systems and endpoint devices, across all stages of the data lifecycle.
Teleworking and Private Device Security Measures
The procedure must implement:
- controls to ensure that teleworking and the use of private endpoint devices do not adversely impact ICT security.
Requirements for ICT Assets Operated by Third-Party Service Providers
For ICT assets or services operated by ICT third-party service providers, the procedure must:
- identify and implement requirements necessary to maintain digital operational resilience,
- be aligned with the results of the data classification and the ICT risk assessment.
Financial entities must consider:
(a) Vendor-recommended settings
- implementation of vendor-recommended configurations for elements operated by the financial entity.
(b) Clear allocation of information security roles and responsibilities
- reflecting full responsibility of the financial entity under Article 28(1)(a) DORA and the financial entity’s ICT third-party usage policy.
(c) Need to maintain adequate internal competences
- ensuring the financial entity retains sufficient expertise in managing and securing the services used.
(d) Technical and organisational measures addressing ICT third-party infrastructure risks
- in line with leading practices and standards under Article 2(1) Regulation (EU) No 1025/2012.