Policies for ICT operations

Integration into ICT Security Policies (Article 8(1) RTS RMF; Article 9(2) DORA)

  • The policies and procedures for ICT operations form part of the ICT security policies, procedures, protocols, and tools required under Article 9(2) DORA.
  • Financial entities must develop, document, and implement these policies and procedures to ensure the operation, monitoring, control, restoration, and documentation of ICT assets in a manner that guarantees resilience and maintains high standards of availability, authenticity, integrity, and confidentiality of data.

Purpose of the Policies (Article 8(1) RTS RMF)

  • The policies must specify how the financial entity operates, monitors, controls, and restores its ICT assets.
  • The policies must include provisions for the documentation of ICT operations.

Mandatory Content Elements (Article 8(2)(a)–(c) RTS RMF)

ICT Asset Description

The policies must include a description of ICT assets and prescribe:

Secure Installation, Maintenance, Configuration, and Deinstallation

  • Requirements for secure installation, maintenance, configuration, and deinstallation of ICT systems.

Management of Information Assets

  • Requirements on managing information assets used by ICT assets, including their processing and handling, whether automated or manual.

Identification and Control of Legacy ICT Systems

  • Requirements regarding the identification and control of legacy ICT systems.

Controls and Monitoring of ICT Systems

The policies must define controls and monitoring requirements for ICT systems, including:

Backup and Restore Requirements

  • Requirements for the backup and restoration of ICT systems.

Scheduling Requirements

  • Requirements for ICT operational scheduling, considering interdependencies among ICT systems.

Audit Trail and System Log Protocols

  • Protocols for audit-trail and system log information.

Minimising Disruptions from Internal Audit and Testing

  • Requirements ensuring that internal audit activities and other testing minimise disruptions to business operations.

Separation of Production and Non-Production Environments

  • Requirements ensuring the separation of ICT production environments from development, testing, and other non-production environments.
  • The separation must consider all components of the environment, including accounts, data, and connections, as required by Article 13(a) RTS RMF.

Development and Testing in Separated Environments

  • Requirements that development and testing be conducted in environments separated from the production environment.

Development and Testing in Production Environments

Where testing in production environments occurs, the policies must provide that such instances are:

  • clearly identified,
  • reasoned,
  • conducted for limited periods of time, and
  • approved by the relevant function pursuant to Article 16(6) RTS RMF.

Financial entities must ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during any development or testing activities conducted in production environments.
Error Handling for ICT Systems

The policies must include provisions on error handling, including:

Error Handling Procedures and Protocols

  • Procedures and protocols for handling errors in ICT systems.

Support and Escalation Contacts

  • Support and escalation contacts, including external support contacts, to be used in case of unexpected operational or technical issues.

Restart, Rollback, and Recovery Procedures

  • Procedures for restart, rollback, and recovery of ICT systems for use in the event of ICT system disruption.

References: Article 8 RTS RMF; Article 9(2) DORA