Human resources policy
Integration into HR or Other Relevant Policies (Article 19 RTS RMF)
- Financial entities must include the ICT security-related elements set out in Article 19 RTS RMF within their human resources policy or within other relevant policies.
- These elements form part of the safeguards necessary to ensure appropriate ICT security governance across the organisation.
Mandatory Content Elements (Article 19(a)–(b) RTS RMF)
Assignment of ICT Security Responsibilities
The policy must include provisions for:
- the identification of specific ICT security responsibilities; and
- the assignment of those responsibilities to the appropriate personnel.
Requirements Applicable to Staff and ICT Third-Party Service Provider Personnel
The policy must include requirements for:
(i) Adherence to ICT Security Policies
- Staff of the financial entity and staff of ICT third-party service providers who use or access ICT assets must:
– be informed about the financial entity’s ICT security policies, procedures and protocols; and
– adhere to those ICT security policies, procedures and protocols.
(ii) Awareness of Reporting Channels for Anomalous Behaviour
- Staff must be made aware of the reporting channels established by the financial entity for the detection of anomalous behaviour, including:
– reporting channels established under Directive (EU) 2019/1937 where applicable (whistleblowing).
(iii) Return of Assets upon Termination of Employment
- Staff must be required, upon termination of employment, to return all ICT assets and tangible information assets belonging to the financial entity that are in their possession.