Policies on network security management

Development, Documentation and Implementation (Article 13 RTS RMF)

  • Financial entities must develop, document, and implement policies, procedures, protocols, and tools on network security management.
  • These measures form part of the safeguards ensuring the security of networks against intrusions and data misuse.

Mandatory Content Elements (Article 13(a)–(m) RTS RMF)

Segregation and Segmentation of ICT Systems and Networks

The policies must prescribe segregation and segmentation measures taking into account:

(i) Criticality or Importance

  • the criticality or importance of the function supported by the ICT systems and networks;

(ii) Classification of ICT Assets

  • the classification established in accordance with Article 8(1) DORA;

(iii) ICT Asset Risk Profile

  • the overall risk profile of ICT assets using the networks and systems.

Documentation of Network Connections and Data Flows

  • The policies must require the documentation of all network connections and data flows of the financial entity.

Dedicated Network for ICT Administration

  • The policies must require the use of a separate and dedicated network for the administration of ICT assets.

Network Access Controls

  • The policies must prescribe the identification and implementation of network access controls to prevent and detect:
    – connections by unauthorised devices or systems, and
    – connections by any endpoint not meeting the entity’s security requirements.

Encryption of Network Connections

  • The policies must require the encryption of network connections passing over:
    – corporate networks,
    – public networks,
    – domestic networks,
    – third-party networks,
    – wireless networks.
  • Encryption requirements must take into account:
    – the approved data classification,
    – the ICT risk assessment,
    – the encryption rules under Article 6(2) RTS RMF.

Network Design Requirements

  • Networks must be designed in line with the ICT security requirements established by the financial entity, taking into account leading practices to ensure confidentiality, integrity, and availability.

Securing Traffic Between Internal and External Networks

  • The policies must require securing network traffic between internal networks and the internet or other external connections.

Governance of Firewall Rules and Connection Filters

The policies must define:

  • roles and responsibilities, and
  • steps for the specification, implementation, approval, change, and review of firewall rules and connection filters.

Review Frequency Requirements

  • Reviews must be performed regularly based on the ICT asset classification under Article 8(1) DORA and the relevant risk profile.
  • For ICT systems supporting critical or important functions, adequacy must be verified at least every 6 months.
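The review-frequency requirement above is a concrete check an entity can run against its own rule register. The following is an added example, not text or code from the RTS or from any regulator: it assumes a simple in-house record per firewall rule (a rule id, a flag for whether the protected system supports a critical or important function, the date of the last review, and the approver recorded under the entity's change process) and flags rules whose review is overdue or whose approval was never recorded. The 6-month interval for critical or important functions comes from Article 13; the 365-day interval for all other rules is an assumed policy value that an entity would set from its own asset classification and risk profile.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Rules protecting ICT systems that support critical or important functions
# must have their adequacy verified at least every 6 months (Article 13 RTS RMF).
CRITICAL_REVIEW_INTERVAL = timedelta(days=182)

# The interval for all other rules is set by the entity's own policy based on
# the Article 8(1) DORA classification and risk profile. 365 days is an
# assumed value used only for this example.
DEFAULT_REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class FirewallRule:
    """One entry of a hypothetical firewall-rule register (field names are assumptions)."""
    rule_id: str
    description: str
    supports_critical_function: bool
    last_reviewed: date
    approved_by: Optional[str]  # None models a rule with no recorded approval


def review_interval(rule: FirewallRule) -> timedelta:
    """Pick the review interval that applies to a rule."""
    if rule.supports_critical_function:
        return CRITICAL_REVIEW_INTERVAL
    return DEFAULT_REVIEW_INTERVAL


def next_review_due(rule: FirewallRule) -> date:
    """Date by which the rule must have been reviewed again."""
    return rule.last_reviewed + review_interval(rule)


def find_findings(rules: List[FirewallRule], today: date) -> List[Tuple[str, str, int]]:
    """Return (rule_id, finding, days_overdue) for every rule that breaches the policy.

    days_overdue is 0 for findings that are not about timing.
    """
    findings = []
    for rule in rules:
        due = next_review_due(rule)
        if today > due:
            findings.append((rule.rule_id, "review overdue", (today - due).days))
        if rule.approved_by is None:
            findings.append((rule.rule_id, "no recorded approval", 0))
    return findings


# Constructed sample register; none of these rules or systems are real.
SAMPLE_RULES = [
    FirewallRule("FW-001", "payments DMZ to core banking", True, date(2024, 5, 1), "change board"),
    FirewallRule("FW-002", "office printers to print server", False, date(2024, 9, 10), "network team"),
    FirewallRule("FW-003", "trading gateway inbound", True, date(2024, 12, 1), None),
    FirewallRule("FW-004", "legacy reporting extract", False, date(2023, 11, 1), "network team"),
]

if __name__ == "__main__":
    for rule_id, finding, days in find_findings(SAMPLE_RULES, date(2025, 1, 15)):
        suffix = f" ({days} days)" if days else ""
        print(f"{rule_id}: {finding}{suffix}")
```

Running the block as a script prints one line per finding; integrating it into a real register would mean replacing `SAMPLE_RULES` with the entity's own export and keeping the two intervals in the documented policy rather than in code.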

Annual Review of Network Architecture and Security Design

  • Financial entities must review their network architecture and network security design once a year (periodically, for microenterprises) to identify potential vulnerabilities.

Temporary Isolation Measures

  • The policies must prescribe measures to temporarily isolate subnetworks and network components or devices, where necessary.

Secure Configuration Baseline and Hardening

  • The policies must require a secure configuration baseline for all network components.
  • Networks and network devices must be hardened in line with:
    – vendor instructions,
    – applicable standards under Regulation (EU) No 1025/2012,
    – leading practices.

Inactivity Controls for System and Remote Sessions

  • The policies must include procedures to limit, lock, and terminate system and remote sessions after a specified period of inactivity.

Network Services Agreements

The policies must cover:

(i) Specification of ICT and Information Security Measures

  • the identification and specification of ICT and information security measures,
  • service levels, and
  • management requirements of all network services.

(ii) Provider Identification

  • whether network services are provided by an ICT intra-group service provider or by ICT third-party service providers.

Article 13 RTS RMF