TL;DR – In this blogpost, we give you an introduction to the key requirements associated with the Risk Management Framework introduced by DORA (Digital Operational Resilience Act).
More specifically, throughout this blogpost we will try to formulate an answer to the following questions:
- What are the key requirements associated with the Risk Management Framework of DORA?
- What are the biggest challenges associated with these requirements?
- How can you prepare yourself, and what are the actions you should take to align your organization with the Risk Management Framework requirements?
In the following sections, we will share our thoughts on how to self-assess your compliance with these requirements. Note also that, if this self-assessment checklist is of interest to you, you will be able to find it in Excel format in our GitHub repository, here.
What are the ICT Risk Management requirements?
DORA requires organizations to apply a strong risk-based approach in their digital operational resilience efforts. This approach is reflected in Chapter 2 of the regulation.
Chapter 2 – Section 1 – Risk management governance
The first part of Chapter 2 addresses the risk management governance requirements. They include, but are not limited to, setting roles and responsibilities of the management body, planning and periodic auditing.
This section sets out the responsibilities of the management body for the definition, approval and oversight of all arrangements related to the ICT risk management framework.
This section also defines and assigns the role of ICT third-party Officer. This position shall be in charge of defining and monitoring all the arrangements concluded with ICT third-party service providers on the use of ICT services.
The following table provides a checklist for financial entities to self-assess their compliance on this requirement:
| Article 4 | Governance and organisation |
|---|---|
| Responsibilities of the management body | The management body shall define, approve, oversee and be accountable for the implementation of all arrangements related to the ICT risk management framework. |
| ICT third-party Officer | The role of ICT third-party Officer shall be defined to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services. |
| Training of the management body | The management body shall, on a regular basis, follow specific trainings related to ICT risks and their impact on the operations. |

Chapter 2 – Section 2 – Risk management framework
The second part of Chapter 2 introduces the ICT risk management framework itself as a critical component of the regulation.
ICT risk management requirements form a set of key principles revolving around specific functions (identification, protection and prevention, detection, response and recovery, learning and evolving, and communication). Most of them are recognized by current technical standards and industry best practices, such as the NIST framework, and thus DORA does not impose a specific standard itself.
Before exploring the functions, let’s note that DORA specifies several governance mechanisms around the risk management framework. They include, but are not limited to, setting the objectives of the risk management framework, planning and periodic auditing.
The following table provides a checklist for financial entities to self-assess their compliance on these governance requirements:
| Article 5 | ICT risk management framework |
|---|---|
| Protecting physical elements | Entities shall define a well-documented ICT risk management framework which shall include strategies, policies, procedures, ICT protocols and tools which are necessary to protect all relevant physical components and infrastructures. |
| Information on ICT risks | Entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, protocols and tools. |
| ISMS | Entities shall implement an information security management system based on recognized international standards. |
| Three lines of defence | Entities shall ensure appropriate segregation of ICT management functions, control functions, and internal audit functions. |
| Review | The ICT risk management framework shall be reviewed at least once a year, as well as upon the occurrence of major ICT-related incidents. |
| Improvement | The ICT risk management framework shall be continuously improved on the basis of lessons derived from implementation and monitoring. |
| Audit | The ICT risk management framework shall be audited on a regular basis by ICT auditors. |
| Remediation | Entities shall define a formal follow-up process for the timely verification and remediation of critical ICT audit findings. |
| ICT risk management framework objectives | The ICT risk management framework shall include the methods to address ICT risk and attain specific ICT objectives. |
Identification
Financial entities shall identify and classify the ICT-related business functions, information assets and supporting ICT resources based on which risks posed by current cyber threats and ICT vulnerabilities are identified and assessed.
The following table provides a checklist for financial entities to self-assess their compliance on the Identification requirement:
| Article 7 | Identification |
|---|---|
| Asset Identification | Entities shall identify and adequately document: (a) ICT-related business functions; (b) information assets supporting these functions; (c) ICT system configurations and interconnections with internal and external ICT systems. |
| Asset Classification | Entities shall classify and adequately document: (a) ICT-related business functions; (b) information assets supporting these functions; (c) ICT system configurations and interconnections with internal and external ICT systems. |
| Asset Classification Review | Entities shall review as needed, and at least yearly, the adequacy of the classification of the information assets. |
| ICT Risk Identification and Assessment | Entities shall identify all sources of ICT risk, and assess cyber threats and ICT vulnerabilities relevant to their ICT-related business functions and information assets. |
| ICT Risk Identification and Assessment Review | Entities shall review the ICT risk identification and assessment yearly or upon each major change in the network and information system infrastructure. |
| ICT mapping | Entities shall identify all ICT system accounts, network resources and hardware equipment. (a) Entities shall map physical equipment considered critical. (b) Entities shall map the configuration of the ICT assets and the links and interdependencies between the different ICT assets. |
| ICT third-party service providers identification | Entities shall identify all ICT third-party service providers. (a) Entities shall identify and document all processes that are dependent on ICT third-party service providers. (b) Entities shall identify interconnections with ICT third-party service providers. |
| ICT third-party service providers identification review | Entities shall regularly review the identification of ICT third-party service providers. |
| Legacy ICT systems | Entities shall, on a regular basis and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems. |
This ICT risk management framework shall include the identification of critical and important functions as well as the mapping of the ICT assets that underpin them. Moreover, this ICT risk management framework shall also include the assessment of all risks associated with the ICT-related business functions and information assets identified.
What to identify and assess? Well …
- ICT-related business functions
- Information assets supporting these functions
- ICT system configurations
- Interconnections with internal and external systems
- Sources of ICT risk
- All ICT system accounts
- Network resources and hardware equipment
- Critical physical equipment
- All processes dependent on and interconnections with ICT third-party service providers

Protection and Prevention
Financial entities shall (based on the risk assessment) set up protection and prevention measures to ensure the resilience, continuity and availability of ICT systems. These shall include ICT security strategies, policies, procedures and appropriate technologies.
The following table provides a checklist for financial entities to self-assess their compliance on this requirement:
| Article 8 | Protection and Prevention |
|---|---|
| CIA | Entities shall develop and document an information security policy defining rules to protect the confidentiality, integrity and availability of their own and their customers’ ICT resources, data and information assets. |
| Segmentation | Entities shall establish sound network and infrastructure management using appropriate techniques, methods and protocols, including implementing automated mechanisms to isolate affected information assets in case of cyber-attacks. |
| Access privileges | Entities shall implement policies that limit the physical and virtual access to ICT system resources and data, and establish to that effect a set of policies, procedures and controls that address access privileges. |
| Authentication mechanisms | Entities shall implement policies and protocols for strong authentication mechanisms and dedicated control systems to prevent access to cryptographic keys. |
| ICT change management | Entities shall implement policies, procedures and controls for ICT change management, including changes to software, hardware and firmware components, and system or security changes. The ICT change management process shall be approved by appropriate lines of management and shall have specific protocols enabled for emergency changes. |
| Patching | Entities shall have appropriate and comprehensive policies for patches and updates. |
What does this entail?
- Ensuring the resilience, continuity and availability of ICT systems
- Ensuring the security, confidentiality and integrity of data
- Ensuring the continuous monitoring and control of ICT systems and tools
- Defining and implementing information security policies such as:
  - Limiting physical and virtual access to ICT systems
  - Protocols on strong authentication
  - Change management
  - Patching / updates management
Detection
Financial entities shall continuously monitor and promptly detect anomalous activities, threats and compromises of the ICT environment.
The following table provides a checklist for financial entities to self-assess their compliance on this requirement:
| Article 9 | Detection |
|---|---|
| Detect anomalous activities | Entities shall have in place mechanisms to promptly detect anomalous activities: (a) ICT network performance issues; (b) ICT-related incidents. |
| Detect single points of failure | Entities shall have in place mechanisms to identify all potential material single points of failure. |
| Testing | All detection mechanisms shall be regularly tested. |
| Alert mechanism | All detection mechanisms shall enable multiple layers of control: (a) define alert thresholds; (b) define criteria to trigger ICT-related incident detection; (c) define criteria to trigger ICT-related incident response processes; (d) have automatic alert mechanisms in place for relevant staff in charge of ICT-related incident response. |
| Trade reports checking | Entities shall have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of any such erroneous reports. |
What does this entail?
- Ensure the prompt detection of anomalous activities
- Enforce multiple layers of control
- Enable the identification of single points of failure

Response and recovery (including Backup policies and recovery methods)
Financial entities shall put in place dedicated and comprehensive business continuity policies and disaster recovery plans to adequately react to identified security incidents and to ensure the resilience, continuity and availability of ICT systems.
The following table provides a checklist for financial entities to self-assess their compliance on Response and recovery requirements:
| Article 10 | Response and recovery |
|---|---|
| ICT Business Continuity Policy | Entities shall put in place a dedicated and comprehensive ICT Business Continuity Policy as an integral part of the operational business continuity policy of the entity. |
| ICT Business Continuity Mechanisms | Entities shall implement the ICT Business Continuity Policy through appropriate and documented arrangements, plans, procedures and mechanisms aimed at: (a) recording all ICT-related incidents; (b) ensuring the continuity of the entity’s critical functions; (c) quickly, appropriately and effectively responding to and resolving all ICT-related incidents; (d) activating without delay dedicated plans that enable containment measures, processes and technologies, as well as tailored response and recovery procedures; (e) estimating preliminary impacts, damages and losses; (f) setting out communication and crisis management actions which ensure that updated information is transmitted to all relevant internal staff and external stakeholders, and reported to competent authorities. |
| ICT Disaster Recovery Plan | Entities shall implement an associated ICT Disaster Recovery Plan. |
| ICT Disaster Recovery Audit Review | Entities shall define a process for the ICT Disaster Recovery Plan to be subject to independent audit reviews. |
| ICT Business Continuity Test | Entities shall periodically test the ICT Business Continuity Policy, at least yearly and after substantive changes to the ICT systems. |
| ICT Disaster Recovery Test | Entities shall periodically test the ICT Disaster Recovery Plan, at least yearly and after substantive changes to the ICT systems. |
| Testing Plans | Entities shall include in the testing plans scenarios of cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities. |
| Crisis Communication Plans | Entities shall implement a crisis communication plan. |
| Crisis Communication Plans Test | Entities shall periodically test the crisis communication plans, at least yearly and after substantive changes to the ICT systems. |
| Crisis Management Function | Entities shall have a crisis management function which, in case of activation of their ICT Business Continuity Policy or ICT Disaster Recovery Plan, shall set out clear procedures to manage internal and external crisis communications. |
| Records of Activities | Entities shall keep records of activities before and during disruption events when their ICT Business Continuity Policy or ICT Disaster Recovery Plan is activated. |
| ICT Business Continuity Policy Communication | When implementing changes to the ICT Business Continuity Policy, entities shall communicate those changes to the competent authorities. |
| Test Communication | Entities shall define a process to provide the competent authorities with copies of the results of the ICT business continuity tests. |
| Incident Communication | Entities shall define a process to report to competent authorities all costs and losses caused by ICT disruptions and ICT-related incidents. |
The following table provides a checklist for financial entities to self-assess their compliance on Backup policies requirements:
| Article 11 | Backup policies and recovery methods |
|---|---|
| Backup Policy | Entities shall develop a backup policy: (a) specifying the scope of the data that is subject to the backup; (b) specifying the minimum frequency of the backup; (c) based on the criticality of information or the sensitiveness of the data. |
| Backup Restoration | When restoring backup data using their own systems, entities shall use ICT systems that have an operating environment different from the main one, that is not directly connected with the latter and that is securely protected from any unauthorized access or ICT corruption. |
| Recovery Plans | Entities shall develop recovery plans which enable the recovery of all transactions at the time of disruption, to allow the central counterparty to continue to operate with certainty and to complete settlement on the scheduled date. |
| Recovery Methods | Entities shall develop recovery methods to limit downtime and disruption. |
| ICT third-party providers Continuity | Entities shall ensure that their ICT third-party providers maintain at least one secondary processing site endowed with resources, capabilities, functionalities and staffing arrangements sufficient and appropriate to ensure business needs. |
| ICT third-party providers secondary processing site | Entities shall ensure that the ICT third-party provider secondary processing site is: (a) located at a geographical distance from the primary processing site; (b) capable of ensuring the continuity of critical services identically to the primary site; (c) immediately accessible to the entity’s staff to ensure continuity of critical services. |
| Recovery time objectives | Entities shall determine recovery time and recovery point objectives for each function. Such objectives shall ensure that, in extreme scenarios, the agreed service levels are met. |
| Recovery checks | When recovering from an ICT-related incident, entities shall perform multiple checks, including reconciliations, in order to ensure that the level of data integrity is of the highest level. |
How to meet compliance on the Response and Recovery requirements?
- Define and implement an ICT Business Continuity Policy
- Define and implement an ICT Disaster Recovery Plan
- Define and implement backup policies
- Develop recovery methods
- Determine flexible recovery time and point objectives for each function
Developing response and recovery strategies and plans adds an additional level of complexity, as it will require financial entities to think carefully about substitutability, including investing in backup and restoration systems, as well as to assess whether – and how – certain critical functions can operate through alternative systems or methods of delivery while primary systems are checked and brought back up.
Learning and evolving
Financial entities shall include continuous learning and evolving in the internal processes in the form of information-gathering, as well as post-incident review and analysis.
The following table provides a checklist for financial entities to self-assess their compliance on this requirement:
| Article 12 | Learning and evolving |
|---|---|
| Risk landscape | Entities shall gather information on vulnerabilities and cyber threats and on ICT-related incidents, in particular cyber-attacks, and analyse their likely impacts on their digital operational resilience. |
| Post ICT-related incident reviews | Entities shall put in place post ICT-related incident reviews after significant ICT disruptions of their core activities: (a) analysing the causes of disruption; (b) identifying required improvements to the ICT operations or within the ICT Business Continuity Policy. |
| Post ICT-related incident reviews mechanism | Entities shall ensure that the post ICT-related incident reviews determine whether the established procedures were followed and the actions taken were effective, including: (a) the promptness in responding to security alerts and determining the impact of ICT-related incidents and their severity; (b) the quality and speed in performing forensic analysis; (c) the effectiveness of incident escalation within the financial entity; (d) the effectiveness of internal and external communication. |
| Lessons learned from the ICT Business Continuity and ICT Disaster Recovery tests | Entities shall derive lessons from the ICT Business Continuity and ICT Disaster Recovery tests. Lessons shall be duly incorporated on a continuous basis into the ICT risk assessment process. |
| Lessons learned reporting | Senior ICT staff shall report at least yearly to the management body on the findings derived from the lessons learned from the ICT Business Continuity and ICT Disaster Recovery tests. |
| Monitor the effectiveness of the implementation of the digital resilience strategy | Entities shall map the evolution of ICT risks over time, and analyse the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-attacks and their patterns, with a view to understanding the level of ICT risk exposure and enhancing the cyber maturity and preparedness of the entity. |
| ICT security awareness programs | Entities shall develop ICT security awareness trainings as compulsory modules in their staff training schemes. |
| Digital operational resilience training | Entities shall develop ICT digital operational resilience trainings as compulsory modules in their staff training schemes. |
What does this entail?
- Ensure information gathering on vulnerabilities and cyber threats
- Ensure post-incident reviews after significant ICT disruptions
- Define a procedure for the analysis of causes of disruptions
- Define a procedure for the reporting to the management body
- Develop ICT security awareness programs and trainings
Developing ICT security awareness programs and trainings adds another level of complexity, as DORA not only introduces compulsory training on digital operational resilience for the management body, but also for the whole staff, as part of their general training package.

Communication
Financial entities shall define a communication strategy, plans and procedures for communicating ICT-related incidents to clients, counterparts and the public.
The following table provides a checklist for financial entities to self-assess their compliance on this requirement:
| Article 13 | Communication |
|---|---|
| Clients and counterparts communication | Entities shall have in place communication plans enabling a responsible disclosure of ICT-related incidents or major vulnerabilities to clients and counterparts, as well as to the public, as appropriate. |
| Staff communication | Entities shall implement communication policies for staff and for external stakeholders. (a) Communication policies for staff shall take into account the need to differentiate between staff involved in the ICT risk management, in particular response and recovery, and staff that needs to be informed. |
| Mandate | At least one person in the entity shall be tasked with implementing the communication strategy for ICT-related incidents and fulfil the role of public and media spokesperson for that purpose. |
What does this entail?
- Develop communication plans to communicate to clients, counterparts and the public
- Mandate at least one person to implement the communication strategy for ICT-related incidents

I hope you found this blogpost interesting.
Keep an eye out for the following parts! This blog post is part of a series. In the following blogposts, we will further explore the requirements associated with the Incident Management process, the Digital Operational Resilience Testing and the ICT Third-Party Risk Management of DORA.
About the Author
Nicolas is a consultant in the Cyber Strategy & Culture team at NVISO. He taps into his technical hands-on experience as well as his managerial academic background to help organisations build out their Cyber Security Strategy. He has a strong interest in IT management, Digital Transformation, Information Security and Data Protection. In his personal life, he likes adventurous vacations. He has hiked several 4000+ summits around the world, and secretly dreams about one day hiking all of the top summits. In his free time, he is an academic teacher who has been teaching for 7 years at both the Solvay Brussels School of Economics and Management and the Brussels School of Engineering.
Find out more about Nicolas on LinkedIn.
One thought on “DORA and ICT Risk Management: how to self-assess your compliance”