Contents
- ICT business continuity policy
- Integration into the ICT Risk Management Framework (Article 9(4)(c) DORA)
- Development, Documentation and Implementation (Article 21 RTS RMF)
- Mandatory Content Elements (Article 21(a)–(g) RTS RMF)
- Article 11 DORA
- Article 5 (2)(e) DORA
- Article 8 DORA
- Article 24 RTS RMF
ICT business continuity policy
Integration into the ICT Risk Management Framework (Article 9(4)(c) DORA)
- Financial entities must implement policies that limit physical and logical access to information assets and ICT assets strictly to what is required for legitimate and approved functions and activities.
- To meet this obligation, financial entities must establish policies, procedures and controls addressing access rights and ensuring their sound administration.
- The policy under Article 21 RTS RMF forms a core component of these access-management arrangements.
Development, Documentation and Implementation (Article 21 RTS RMF)
- Financial entities must develop, document, and implement a policy covering all mandatory access-control elements listed in Article 21 RTS RMF.
- This policy forms part of the entity’s overall control of access management rights.
Mandatory Content Elements (Article 21(a)–(g) RTS RMF)
(a) Assignment of Access Rights (Need-to-Know, Need-to-Use, Least Privilege)
The policy must define that access rights to ICT assets are assigned on the basis of:
- need-to-know,
- need-to-use, and
- least privilege principles,
including requirements for remote and emergency access.
(b) Segregation of Duties
The policy must require the segregation of duties to:
- prevent unjustified access to critical data; and
- prevent combinations of access rights that could be used to circumvent controls.
(c) User Accountability
The policy must include provisions to ensure:
- user accountability,
- limitations on the use of generic and shared accounts as far as possible, and
- that users are identifiable at all times for actions performed in ICT systems.
(d) Restrictions to Access ICT Assets
The policy must define controls and tools to prevent unauthorised access to ICT assets.
(e) Account Management Procedures
The policy must include account-management procedures for granting, changing, or revoking access rights for:
- user accounts,
- generic accounts, and
- generic administrator accounts.
These procedures must include:
(i) Roles and Responsibilities
- Assignment of roles and responsibilities for granting, reviewing, and revoking access rights.
- Financial entities must establish the retention period for logs based on business and information-security objectives, reasons for recording events, and ICT risk-assessment results.
(ii) Privileged, Emergency and Administrator Access
- Assignment of privileged, emergency and administrator access on a need-to-use or ad-hoc basis for all ICT systems.
- Where possible, entities must use dedicated accounts for administrative tasks and, where feasible and appropriate, deploy automated solutions for privileged-access management (PAM).
(iii) Withdrawal of Access Rights
- Access rights must be withdrawn without undue delay upon termination of employment or when access is no longer necessary.
(iv) Update and Review of Access Rights
- Access rights must be updated where necessary and reviewed:
– at least once a year for all ICT systems;
– at least every 6 months for ICT systems supporting critical or important functions.
(f) Authentication Methods
The policy must define authentication methods that include:
(i) Commensurability Requirements
- Authentication methods commensurate with:
– the classification of ICT assets under Article 8(1) DORA;
– the overall risk profile of ICT assets; and
– leading practices.
(ii) Strong Authentication Requirements
- Use of strong authentication for:
– remote access;
– privileged access;
– access to ICT assets supporting critical or important functions;
– access to ICT assets that are publicly accessible.
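The following is an added illustration, written for this page and not taken from DORA, the RTS or any supervisory tool, of how the requirements in (e)(iii), (e)(iv) and (f)(ii) above can be checked mechanically against an access-rights inventory. The inventory records, the audit date and the reading of "at least every 6 months" as a 180-day limit are constructed assumptions; an entity's real inventory export and its own interpretation of the interval would replace them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Review cadence from Article 21(e)(iv) RTS RMF as summarised above.
REVIEW_DAYS_STANDARD = 365   # "at least once a year"
REVIEW_DAYS_CRITICAL = 180   # assumed day count for "at least every 6 months"

# Fixed audit date so the sample run is deterministic (constructed value).
AUDIT_DATE = date(2025, 1, 15)


@dataclass
class AccessRight:
    """One row of a hypothetical access-rights inventory export."""
    user: str
    system: str
    privileged: bool                  # administrator / privileged role
    remote: bool                      # reachable from outside the entity's network
    public_facing: bool               # ICT asset is publicly accessible
    supports_critical_function: bool  # asset supports a critical or important function
    strong_auth: bool                 # strong authentication enforced for this right
    last_review: date                 # date the right was last reviewed
    user_terminated_on: Optional[date] = None  # set when the employment has ended


Finding = Tuple[str, str, str, str]  # (user, system, requirement, message)


def audit_access_rights(rights: List[AccessRight], today: date) -> List[Finding]:
    """Return one finding per requirement a right fails to meet."""
    findings: List[Finding] = []
    for r in rights:
        # (e)(iii): access must be withdrawn without undue delay after termination.
        if r.user_terminated_on is not None and r.user_terminated_on <= today:
            findings.append((r.user, r.system, "e(iii)",
                             "access still active after termination"))

        # (e)(iv): review interval depends on whether the system supports a
        # critical or important function.
        max_age = REVIEW_DAYS_CRITICAL if r.supports_critical_function else REVIEW_DAYS_STANDARD
        age = (today - r.last_review).days
        if age > max_age:
            findings.append((r.user, r.system, "e(iv)",
                             f"last review {age} days ago, limit {max_age}"))

        # (f)(ii): strong authentication is required for remote, privileged,
        # critical-function and publicly accessible access.
        needs_strong = r.remote or r.privileged or r.supports_critical_function or r.public_facing
        if needs_strong and not r.strong_auth:
            findings.append((r.user, r.system, "f(ii)",
                             "strong authentication not enforced"))
    return findings


# Constructed sample inventory: one compliant row and three distinct failures.
SAMPLE_RIGHTS = [
    AccessRight("alice", "payments-core", privileged=True, remote=False, public_facing=False,
                supports_critical_function=True, strong_auth=True,
                last_review=AUDIT_DATE - timedelta(days=100)),
    AccessRight("bob", "hr-portal", privileged=False, remote=True, public_facing=False,
                supports_critical_function=False, strong_auth=False,
                last_review=AUDIT_DATE - timedelta(days=200)),
    AccessRight("carol", "payments-core", privileged=False, remote=False, public_facing=False,
                supports_critical_function=True, strong_auth=True,
                last_review=AUDIT_DATE - timedelta(days=200)),
    AccessRight("dave", "file-share", privileged=False, remote=False, public_facing=False,
                supports_critical_function=False, strong_auth=True,
                last_review=AUDIT_DATE - timedelta(days=30),
                user_terminated_on=AUDIT_DATE - timedelta(days=3)),
]


def run_sample_audit() -> List[Finding]:
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit_access_rights(SAMPLE_RIGHTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, system, req, msg in run_sample_audit():
        print(f"{req:7} {user:6} {system:14} {msg}")
```

Note that bob's 200-day-old review is acceptable because hr-portal does not support a critical or important function, while the same age on payments-core is a finding for carol; the cadence is a property of the system, not of the user. The remote flag alone is enough to require strong authentication, which is why bob's row still produces a finding.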
(g) Physical Access Controls
The policy must include physical access-control measures covering:
(i) Identification and Logging
- Identification and logging of natural persons authorised to access premises, data centres, and sensitive designated areas.
- Logging requirements must be commensurate with the importance of the area and the criticality of ICT systems located therein.
(ii) Granting of Physical Access
- Physical access to critical ICT assets may only be granted:
– to authorised persons,
– following the need-to-know and least privilege principles, and
– on an ad-hoc basis.
(iii) Monitoring of Physical Access
- Physical access to premises, data centres and sensitive areas must be monitored to a degree commensurate with ICT asset classification and criticality.
(iv) Review of Physical Access Rights
- Physical access rights must be reviewed to ensure that unnecessary access is promptly revoked.