Article 22 Digital Operational Resilience Act (DORA), Testing of ICT Tools And Systems

Jul 23, 2024by Sneha Naskar

A comprehensive digital operational resilience testing programme is essential for ensuring financial entities can effectively withstand and recover from ICT-related incidents. As mandated in Article 21, the testing programme should be extensive and include a variety of tests to cover different aspects of the ICT systems and infrastructure. This approach helps identify and address vulnerabilities, ensure robust security, and maintain operational continuity.

Testing of ICT Tools And Systems

Diverse Testing Methods

To ensure a thorough evaluation of the digital resilience of financial entities, the testing programme should incorporate a diverse range of methods. Each testing type serves a specific purpose and collectively provides a holistic view of the entity’s ICT resilience:

  • Vulnerability Assessments and Scans: Regularly identifying and assessing potential weaknesses in the ICT systems through automated tools and manual techniques. This helps discover vulnerabilities before they can be exploited.
  • Analysis of Open-Source Components: Evaluating open-source software used within the entity’s systems for vulnerabilities and compliance issues. This includes assessing the security posture of components that might be integrated into the entity’s critical functions.
  • Network Security Evaluations: Assessing the security of network infrastructure to identify potential weaknesses that could be exploited by attackers. This includes testing firewalls, intrusion detection systems, and network configurations.
  • Gap Analyses: Identifying discrepancies between the current security posture and industry best practices or regulatory requirements. This helps highlight areas that need improvement.
  • Reviews of Physical Security: Evaluating the physical security measures in place to protect the ICT infrastructure, including access controls to data centers and server rooms.
  • Use of Questionnaires and Scanning Software: Employing questionnaires and automated scanning tools to gather information about system configurations and potential security issues.
  • Source Code Reviews: Where feasible, analyzing the source code of applications to identify coding flaws or security vulnerabilities that could impact the overall system security.
  • Scenario-Based Tests: Conduct tests based on hypothetical scenarios to evaluate the entity’s response to different types of ICT incidents. This includes simulating various attack vectors or operational disruptions.
  • Compatibility Testing: Ensuring that new and existing systems are compatible with one another and do not introduce security vulnerabilities due to incompatibility.
  • Performance Evaluations: Assessing the performance of ICT systems under various conditions to ensure they can handle expected workloads and stress without compromising security or functionality.
  • End-to-End Testing: Testing the entire ICT infrastructure from end to end to ensure that all components work together effectively and securely.
  • Penetration Testing: Controlled attacks on the systems are conducted to identify potential entry points and assess the effectiveness of security measures in place.
DORA Compliance Framework

Pre-Deployment Assessments

Before deploying or redeploying any new or existing services that support critical functions, applications, and infrastructure components, financial entities specified in points (f) and (g) of Article 2(1) must conduct thorough vulnerability assessments. This requirement ensures that:

  • New Deployments: Any new services or components are evaluated for potential vulnerabilities before they are introduced into the production environment. This helps prevent security issues that could arise from newly deployed systems.
  • Redeployments: Existing services that are being redeployed or updated are reassessed to ensure that changes do not introduce new vulnerabilities. This is crucial for maintaining the integrity and security of systems over time.
  • Critical Functions and Applications: Special attention is given to services and components that are critical to the entity’s operations. Ensuring their security is paramount to maintaining business continuity and protecting sensitive data.
  • Infrastructure Components: The underlying infrastructure supporting critical services is also assessed for vulnerabilities to ensure that all aspects of the ICT environment are secure.

A well-rounded digital operational resilience testing programme is fundamental for financial entities to manage and mitigate ICT risks effectively. By incorporating a comprehensive range of testing methods and conducting thorough pre-deployment assessments, entities can identify and address potential vulnerabilities, ensuring robust security and operational resilience. Regular testing and proactive vulnerability assessments help safeguard the entity’s ICT systems, maintain compliance with regulatory requirements, and ensure the continuity of critical functions and services.

DORA Compliance Framework