Article 8 Digital Operational Resilience Act (DORA), Protection And Prevention
Article 8 of the Digital Operational Resilience Act (DORA) focuses on the protection and prevention measures that financial entities must implement to mitigate ICT risks effectively. This article aims to establish stringent guidelines for safeguarding critical ICT systems and services against cyber threats and operational disruptions. By emphasizing proactive measures such as cybersecurity protocols, encryption standards, and risk assessment frameworks, DORA aims to enhance the sector's overall resilience.
Protection And Prevention
- Continuous Monitoring and Control of ICT Systems: Financial entities must continuously monitor and control the functioning of their ICT systems to adequately protect them and organize response measures. They should minimize risks by deploying appropriate ICT security tools, policies, and procedures.
- Design and Implementation of ICT Security Strategies: Financial entities are required to design, procure, and implement ICT security strategies, policies, procedures, protocols, and tools. These measures aim to ensure the resilience, continuity, and availability of ICT systems, as well as maintaining high standards of security, confidentiality, and data integrity—whether data is at rest, in use, or in transit.
- Utilization of State-of-the-Art ICT Technology and Processes: To achieve the objectives outlined in paragraph 2, financial entities must utilize state-of-the-art ICT technology and processes that:
  - Secure the means of information transfer.
  - Minimize the risk of data corruption, loss, unauthorized access, and technical flaws that could disrupt business activities.
  - Prevent information leakage.
  - Protect data from administrative or processing-related risks, including inadequate record-keeping practices.
- Components of the ICT Risk Management Framework: As part of the ICT risk management framework defined in Article 5(1), financial entities must:
  - (a) Develop and document an information security policy that defines rules to protect the confidentiality, integrity, and availability of their and their customers' ICT resources, data, and information assets.
  - (b) Establish sound network and infrastructure management using appropriate techniques and methods, including automated mechanisms to isolate affected information assets during cyber-attacks, based on a risk-based approach.
  - (c) Implement policies restricting physical and virtual access to ICT system resources and data to legitimate and approved functions only. This includes establishing policies, procedures, and controls for managing access privileges effectively.
  - (d) Deploy policies and protocols for strong authentication mechanisms based on relevant standards and dedicated control systems to prevent unauthorized access to cryptographic keys used for data encryption, guided by approved data classification and risk assessment processes.
  - (e) Implement robust ICT change management policies, procedures, and controls for managing changes to software, hardware, firmware components, and system or security configurations. These should be part of the overall change management process, ensuring that all changes are documented, tested, assessed, approved, implemented, and verified in a controlled manner.
  - (f) Maintain comprehensive policies for managing patches and updates effectively.
For point (b), financial entities should design their network connection infrastructure so that connections can be severed instantaneously, and so that compartmentalization and segmentation minimize and prevent contagion, especially in interconnected financial processes.
Regarding point (e), the ICT change management process must be approved by appropriate management lines and include specific protocols for emergency changes.
These provisions underscore the importance of robust ICT security measures, proactive management of ICT risks, and adherence to best practices to safeguard financial entities' operations, data integrity, and continuity of services.