Physical and environmental security policy

Specification, Documentation and Implementation (Article 18(1) RTS RMF)

  • Financial entities must specify, document, and implement a physical and environmental security policy.
  • This policy forms part of the safeguards necessary to preserve the availability, authenticity, integrity, and confidentiality of data.

Design Basis of the Policy (Article 18(1) RTS RMF)

The policy must be designed:

  • in light of the cyber threat landscape,
  • in accordance with the classification established under Article 8(1) DORA, and
  • in light of the overall risk profile of ICT assets and accessible information assets.

Mandatory Content Elements (Article 18(2)(a)–(e) RTS RMF)

(a) Reference to Access Management Rights (Article 21(g) RTS RMF)

  • The policy must include a reference to the section of the policy on control of access management rights referred to in Article 21(g) RTS RMF.

(b) Protection Against Attacks, Accidents, and Environmental Threats

The policy must specify measures to protect:

  • premises,
  • data centres, and
  • sensitive designated areas,

where ICT assets and information assets reside, against:

  • attacks,
  • accidents, and
  • environmental threats and hazards.

Environmental protection measures must be commensurate with:

  • the importance of premises, data centres, and sensitive areas, and
  • the criticality of operations or ICT systems located therein.

(c) Secure ICT Assets Inside and Outside Premises

The policy must contain measures to secure ICT assets, both:

  • within the premises, and
  • outside the premises,

taking into account the ICT risk assessment of the relevant ICT assets.

  • The policy must also include measures to provide appropriate protection to unattended ICT assets.

(d) Maintenance Measures to Ensure Security Attributes

The policy must include measures ensuring, through appropriate maintenance, the:

  • availability,
  • authenticity,
  • integrity, and
  • confidentiality

of ICT assets, information assets, and physical access control devices.

(e) Measures to Preserve Data Security

The policy must include measures to preserve the availability, authenticity, integrity, and confidentiality of data, including:

(i) Clear Desk Policy

  • Requirements establishing a clear desk policy for papers.

(ii) Clear Screen Policy

  • Requirements establishing a clear screen policy for information processing facilities.

Article 18 RTS RMF