Contents
- Vulnerability management procedures
- Requirement to Establish Vulnerability Management Procedures (Article 10(1) RTS RMF)
- Mandatory Components of Vulnerability Management Procedures (Article 10(2) RTS RMF)
- Identification and Updating of Vulnerability Information Sources
- Automated Vulnerability Scanning and Assessments
- Verification of ICT Third-Party Service Provider Vulnerability Handling
- Tracking Usage of Third-Party Libraries and Custom Components
- Responsible Disclosure Procedures
- Prioritisation of Patches and Mitigation Measures
- Monitoring and Verification of Remediation
- Recording of Detected Vulnerabilities and Monitoring of Resolution
- Article 10(1) and (2) RTS RMF
- Article 9(2) DORA
Vulnerability management procedures
Requirement to Establish Vulnerability Management Procedures (Article 10(1) RTS RMF)
As part of the ICT security policies, procedures, protocols and tools required under Article 9(2) DORA, financial entities must:
- develop,
- document, and
- implement
vulnerability management procedures.
These procedures must ensure the resilience, continuity and availability of ICT systems, especially those supporting critical or important functions.
Mandatory Components of Vulnerability Management Procedures (Article 10(2) RTS RMF)
The vulnerability management procedures must include all of the following:
Identification and Updating of Vulnerability Information Sources
Procedures must:
- identify relevant and trustworthy information resources, and
- update them regularly,
to maintain awareness of vulnerabilities affecting ICT assets and ICT services.
Automated Vulnerability Scanning and Assessments
Procedures must ensure:
- automated scanning and assessment of ICT assets;
- frequency and scope commensurate with the classification under Article 8(1) DORA and the risk profile of the ICT asset.
Mandatory weekly frequency:
- For ICT assets supporting critical or important functions, automated vulnerability scanning must be performed at least weekly.
Verification of ICT Third-Party Service Provider Vulnerability Handling
Financial entities must verify:
(i) Handling of Vulnerabilities
Whether ICT third-party service providers:
- handle vulnerabilities relevant to the ICT services provided.
(ii) Reporting Obligations
Whether those providers:
- report at least critical vulnerabilities, and
- report relevant statistics and trends,
in a timely manner.
Financial entities must request that ICT third-party service providers:
- investigate vulnerabilities,
- determine root causes, and
- implement appropriate mitigating actions.
Tracking Usage of Third-Party Libraries and Custom Components
Procedures must track the usage of:
(i) Third-Party Libraries (Including Open-Source)
Used in ICT services supporting critical or important functions.
(ii) ICT Services Developed Internally or Customised Externally
Including custom-developed or specifically tailored components.
Where appropriate, in cooperation with ICT third-party providers, financial entities must:
- monitor versions and updates of third-party libraries.
Where off-the-shelf ICT assets are used in functions not supporting critical or important functions, tracking must occur to the extent possible.
Responsible Disclosure Procedures
Procedures must include:
- mechanisms for responsible disclosure of vulnerabilities to:
  - clients,
  - counterparties, and
  - the public.
Prioritisation of Patches and Mitigation Measures
Procedures must prioritise deployment of patches or mitigation measures based on:
- the criticality of the vulnerability,
- the asset classification under Article 8(1) DORA, and
- the risk profile of the affected ICT asset.
Monitoring and Verification of Remediation
Procedures must:
- monitor remediation progress, and
- verify the effective remediation of vulnerabilities.
Recording of Detected Vulnerabilities and Monitoring of Resolution
Financial entities must:
- record all detected vulnerabilities affecting ICT systems, and
- monitor resolution status until closure.