Information security policy
Integration into the ICT Risk Management Framework (Article 9(4)(a) DORA)
- The information security policy forms a mandatory component of the financial entity’s ICT risk management framework as referred to in Article 6(1).
- The policy must be developed and documented by the financial entity.
Purpose of the Policy (Article 9(4)(a) DORA)
- The policy must define rules for the protection of the financial entity’s data, information assets and ICT assets.
- The policy must also address protection of the data, information assets and ICT assets of customers, where applicable.
Mandatory Protection Objectives (Article 9(4)(a) DORA)
The information security policy shall define rules to protect the:
- Availability: ensuring that data, information assets and ICT assets remain accessible and usable when required.
- Authenticity: ensuring that data and information assets are genuine and originate from verified sources.
- Integrity: ensuring that data, information assets and ICT assets are accurate, complete and unaltered.
- Confidentiality: ensuring that data, information assets and ICT assets are protected against unauthorised access or disclosure.
Scope of Protection (Article 9(4)(a) DORA)
- The policy must cover data, information assets and ICT assets of the financial entity.
- Where applicable, the policy must also extend to customer data, customer information assets and customer ICT assets.