ICT asset management policy

Integration into ICT Security Policies (Article 4(1) RTS RMF; Article 9(2) DORA)

  • The ICT asset management policy forms part of the ICT security policies, procedures, protocols and tools referred to in Article 9(2) DORA.
  • Financial entities must develop, document and implement this policy as part of ensuring the resilience, continuity and availability of ICT systems and the protection of data in accordance with the protection requirements of Article 9(2).

Purpose of the Policy (Article 4(2) RTS RMF)

  • The policy must prescribe how ICT assets are monitored and managed across their lifecycle, based on the identification and classification performed in accordance with Article 8(1) DORA.
  • The policy must ensure that ICT assets are managed in a manner that supports resilience, availability and appropriate access control as required under Article 9(2) and Article 9(4)(c).

Mandatory Content Elements (Article 4(2)(a)–(c) RTS RMF)

Lifecycle Monitoring and Management

The policy must prescribe the monitoring and management of the lifecycle of ICT assets identified and classified under Article 8(1) DORA.

Record-Keeping Requirements for All ICT Assets

The policy must prescribe that the financial entity keeps records of all of the following information for each ICT asset:

Unique Identifier

  • A unique identifier for every ICT asset.

Location

  • Information on the physical or logical location of each ICT asset.

Classification

  • The classification of all ICT assets, in accordance with Article 8(1) DORA.

ICT Asset Owner

  • The identity of the owner of each ICT asset.

Supported Business Functions

  • The business functions or services supported by the ICT asset.

ICT Business Continuity Requirements

  • Business continuity parameters, including:
    – Recovery Time Objective (RTO);
    – Recovery Point Objective (RPO).

Exposure to External Networks

  • Whether the ICT asset can be or is exposed to external networks, including the internet.

Links and Interdependencies

  • The links and interdependencies among ICT assets and the business functions that use each ICT asset.

Support End Dates (Supplier or Third Party)

  • Where applicable, the end dates of:
    – regular support,
    – extended support, and
    – custom support
    provided by the ICT third-party service provider or the supplier, after which the ICT asset is no longer supported.
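As an added illustration (not part of the RTS text), the following constructed Python check models the record elements listed above and flags incomplete records, dangling interdependencies and assets past their latest support end date; the class name, field names and sample inventory are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date

# Record layout follows Article 4(2)(b) RTS RMF; field names and sample values are constructed.
@dataclass
class IctAsset:
    asset_id: str                      # unique identifier
    location: str                      # physical or logical location
    classification: str                # per Article 8(1) DORA
    owner: str                         # ICT asset owner
    business_functions: list[str]      # functions/services the asset supports
    rto_hours: float                   # Recovery Time Objective
    rpo_hours: float                   # Recovery Point Objective
    external_exposure: bool            # can be or is exposed to external networks
    dependencies: list[str] = field(default_factory=list)       # asset_ids this asset relies on
    support_end: dict[str, date] = field(default_factory=dict)  # regular/extended/custom end dates

def check_inventory(assets: list[IctAsset], today: date) -> dict[str, list[str]]:
    """Return findings keyed by asset_id: incomplete records, dangling
    interdependencies and assets past their last support end date (candidates
    for the legacy-system risk assessment). An empty dict means no findings."""
    findings: dict[str, list[str]] = {}
    ids = [a.asset_id for a in assets]
    if len(set(ids)) != len(ids):
        findings["_inventory"] = ["asset identifiers are not unique"]
    for a in assets:
        issues = [f"missing {n}" for n in ("location", "classification", "owner")
                  if not getattr(a, n)]
        if not a.business_functions:
            issues.append("no supported business function recorded")
        if a.rto_hours <= 0 or a.rpo_hours <= 0:
            issues.append("RTO/RPO not set")
        issues += [f"dependency {d} not in inventory" for d in a.dependencies if d not in ids]
        last = max(a.support_end.values(), default=None)   # support ends at the latest recorded date
        if last is not None and last < today:
            issues.append(f"out of support since {last.isoformat()}")
        if issues:
            findings[a.asset_id] = issues
    return findings

AS_OF = date(2025, 1, 15)   # constructed reference date
SAMPLE_INVENTORY = [        # constructed sample inventory
    IctAsset("pay-gw-01", "DC-A rack 12", "critical", "Payments", ["card payments"], 2, 0.5, True,
             support_end={"regular": date(2026, 12, 31)}),
    IctAsset("core-db-02", "DC-B rack 4", "critical", "Treasury", ["treasury", "card payments"], 4, 1, False,
             dependencies=["san-07"], support_end={"regular": date(2022, 6, 30), "extended": date(2024, 6, 30)}),
    IctAsset("hr-app-03", "cloud eu-west-1", "medium", "", ["HR"], 24, 0, True),
]

if __name__ == "__main__": print(check_inventory(SAMPLE_INVENTORY, AS_OF))
```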

Record-Keeping for Legacy ICT Systems (Non-Microenterprises Only)

For financial entities other than microenterprises, the policy must prescribe that they keep records necessary to perform a specific ICT risk assessment on legacy ICT systems referred to in Article 8(7) DORA.

Relationship to Access Management (Article 9(4)(c) DORA)

  • The policy forms part of the measures ensuring that physical and logical access to ICT assets is limited to legitimate and approved functions.
  • To this end, the policy must align with policies, procedures and controls established under Article 9(4)(c) for access rights and their administration.

Article 4 RTS RMF

Article 9(2) and 9(4)(c) DORA