Contents
- Procedures, protocols and tools on network security management
- Obligation to Establish Network Security Management Measures
- Mandatory Components of Network Security Management
- Segregation and Segmentation of ICT Systems and Networks
- Documentation of Network Connections and Data Flows
- Dedicated Network for Administration of ICT Assets
- Network Access Controls
- Encryption of Network Connections
- Network Design Requirements
- Securing Network Traffic to and from External Connections
- Firewall Rules and Connection Filters
- Review of Network Architecture and Network Security Design
- Temporary Isolation Measures
- Secure Configuration Baseline and Hardening of Network Devices
- Session Limitation, Locking and Termination Procedures
- Requirements for Network Services Agreements
- Article 13 RTS RMF
Procedures, protocols and tools on network security management
Obligation to Establish Network Security Management Measures
Financial entities must, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols and tools on network security management.
The network security management framework must include all elements listed in Article 13 RTS RMF.
Mandatory Components of Network Security Management
Segregation and Segmentation of ICT Systems and Networks
Network security measures must include requirements for segregation and segmentation, taking into account:
- (i) the criticality or importance of the function supported by each ICT system or network;
- (ii) the classification established under Article 8(1) DORA;
- (iii) the overall risk profile of ICT assets using the respective systems or networks.
Documentation of Network Connections and Data Flows
Entities must document all network connections and all data flows across their ICT environment.
Dedicated Network for Administration of ICT Assets
A separate and dedicated network must be used for administrative activities related to ICT assets.
Network Access Controls
Procedures must identify and implement network access controls that prevent and detect connections to the entity’s network by:
- unauthorised devices or systems, or
- any endpoint that does not meet the entity’s security requirements.
Encryption of Network Connections
Network connections must be encrypted when passing over:
- corporate networks,
- public networks,
- domestic networks,
- third-party networks, and
- wireless networks.
Encryption measures must reflect:
- the results of the approved data classification,
- the outcomes of the ICT risk assessment, and
- the encryption requirements referred to in Article 6(2) RTS RMF.
Network Design Requirements
Network designs must comply with the entity’s own ICT security requirements and leading practices to ensure:
- confidentiality,
- integrity,
- availability of the network.
Securing Network Traffic to and from External Connections
Network traffic between internal networks and the internet, or any other external connection, must be appropriately secured.
Firewall Rules and Connection Filters
Procedures must define, for firewall rules and connection filters:
- roles and responsibilities, and
- the steps for their specification, implementation, approval, change, and review.
Review frequency:
- For all systems: reviews must be conducted on a regular basis, aligned with the classification under Article 8(1) DORA and the overall risk profile of the ICT systems concerned.
- For ICT systems supporting critical or important functions: the adequacy of firewall rules and connection filters must be verified at least every 6 months.
Review of Network Architecture and Network Security Design
Entities must review the network architecture and network security design to identify potential vulnerabilities:
- at least once per year, or
- periodically, in the case of microenterprises.
Temporary Isolation Measures
Where necessary, the framework must include measures to temporarily isolate subnetworks, network components and devices.
Secure Configuration Baseline and Hardening of Network Devices
The procedures must require:
- a secure configuration baseline for all network components, and
- hardening practices for networks and network devices, following:
  - vendor instructions,
  - applicable standards (as defined in Article 2(1) of Regulation (EU) No 1025/2012), and
  - leading practices.
Session Limitation, Locking and Termination Procedures
The procedures must define how system and remote sessions are limited, locked, and terminated after specified periods of inactivity.
Requirements for Network Services Agreements
Network security management must also include requirements relating to network services agreements:
- (i) the identification and specification of ICT and information security measures, service levels, and management requirements for all network services;
- (ii) these requirements apply whether the network services are provided by an ICT intra-group service provider or by an ICT third-party service provider.