Contents
- Procedures for ICT operations
- Integration into ICT Security Policies (Article 8(1) RTS RMF; Article 9(2) DORA)
- Mandatory Content of ICT Operations Procedures (Article 8(2) RTS RMF)
- ICT Assets Description (Article 8(2)(a))
- Controls and Monitoring of ICT Systems (Article 8(2)(b))
- (i) Backup and Restore Requirements
- (ii) Scheduling Requirements
- (iii) Audit-Trail and System Log Protocols
- (iv) Minimising Disruption During Internal Audit and Testing
- (v) Separation of Production and Non-Production Environments
- (vi) Conducting Development and Testing in Separated Environments
- (vii) Testing in Production Environments
- Error Handling for ICT Systems (Article 8(2)(c))
- Article 8 RTS RMF
- Article 9(2) DORA
Procedures for ICT operations
Integration into ICT Security Policies (Article 8(1) RTS RMF; Article 9(2) DORA)
Financial entities must develop, document and implement policies and procedures for ICT operations as part of the ICT security policies, procedures, protocols and tools required under Article 9(2) DORA.
These ICT operations procedures must:
- specify how ICT assets are operated, monitored, controlled and restored, and
- ensure the documentation of ICT operations.
They support resilience, continuity and availability of ICT systems, in particular for ICT assets supporting critical or important functions.
Mandatory Content of ICT Operations Procedures (Article 8(2) RTS RMF)
The procedures must contain all of the following components:
ICT Assets Description (Article 8(2)(a))
The procedures must include descriptions and requirements covering:
(i) Secure Installation, Maintenance, Configuration and Deinstallation
Standards and requirements for securely:
- installing
- maintaining
- configuring, and
- deinstalling
ICT systems.
(ii) Management of Information Assets Used by ICT Assets
Requirements for managing information assets used by ICT assets, including:
- automated and manual processing, and
- information-handling standards.
(iii) Identification and Control of Legacy ICT Systems
Rules for identifying and controlling legacy ICT systems.
Controls and Monitoring of ICT Systems (Article 8(2)(b))
The procedures must include controls and monitoring requirements for ICT systems, including:
(i) Backup and Restore Requirements
Backup and restore requirements for ICT systems.
(ii) Scheduling Requirements
Scheduling requirements considering interdependencies between ICT systems.
(iii) Audit-Trail and System Log Protocols
Protocols for generating, maintaining and securing audit-trail and system log information.
(iv) Minimising Disruption During Internal Audit and Testing
Requirements ensuring that internal audit and other testing minimise operational disruptions.
(v) Separation of Production and Non-Production Environments
Requirements to separate:
- production environments from
- development, testing and other non-production environments,
taking into account all components of each environment (accounts, data, connections), as required by Article 13(1)(a) RTS RMF.
(vi) Conducting Development and Testing in Separated Environments
Requirements to ensure development and testing occur in environments separated from production.
(vii) Testing in Production Environments
Where testing must occur in production, the procedures must ensure:
- such instances are clearly identified and reasoned,
- testing is conducted for limited periods,
- testing is approved by the relevant function under Article 16(6) RTS RMF, and
- availability, confidentiality, integrity and authenticity of ICT systems and production data are ensured.
Error Handling for ICT Systems (Article 8(2)(c))
The procedures must include error-handling controls, including:
(i) Procedures and Protocols for Handling Errors
Documented error-handling procedures and protocols.
(ii) Support and Escalation Contacts
Contact details for:
- internal support,
- external support (if required), and
- escalation channels for unexpected operational or technical issues.
(iii) Restart, Rollback and Recovery Procedures
Procedures for:
- ICT system restart,
- rollback, and
- recovery
in the event of ICT system disruption.