Policy governing the acquisition, development and maintenance of ICT systems

Development, Documentation and Implementation (Article 16(1) RTS RMF)

  • Financial entities must develop, document, and implement a policy governing the acquisition, development, and maintenance of ICT systems.
  • This policy forms part of the safeguards necessary to preserve the availability, authenticity, integrity, and confidentiality of data.

Mandatory Content Elements (Article 16(1)(a)–(c) RTS RMF)

Identification of Security Practices and Methodologies

The policy must identify the security practices and methodologies that apply to the acquisition, development, and maintenance of ICT systems.
Identification and Approval of ICT Requirements

The policy must require the identification of:

(i) Technical Specifications

  • Technical specifications and ICT technical specifications, as defined in Article 2, points (4) and (5), of Regulation (EU) No 1025/2012 (the European standardisation regulation).

(ii) Requirements for Acquisition, Development and Maintenance

  • Requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements.
  • These requirements must be approved by:
    – the relevant business function, and
    – the ICT asset owner,
    in accordance with the financial entity’s internal governance arrangements.

Measures to Prevent Alteration or Manipulation

The policy must specify measures to mitigate the risk of:

  • unintentional alteration, or
  • intentional manipulation,

of ICT systems during their development, their maintenance, and their deployment into the production environment (for example, controls over who may change code and configuration, and verification that what is deployed is what was approved).

Article 16 (1) RTS RMF