Further elaboration of ICT risk management in the RTS (Articles 6 to 14)
We will explain some of the RTS topics below. These topics are a further elaboration of Article 15 of the Regulation. In the interest of providing a clear overview, a selection of topics from the RTS was chosen. The fact that not all the topics from the RTS are discussed does not mean that the other topics are less important. Companies must comply with all requirements detailed in the RTS by 17 January 2025.
Business Continuity Management
Certain topics related to BCM are elaborated further in Chapter IV (Articles 24 to 26) of the RTS. They include the testing of the Business Continuity Plan (BCP) to ensure the continuity of critical and important business functions. Companies must perform the testing of the BCP on the basis of realistic test scenarios that attempt to simulate potential disruption. The testing must also include the testing of ICT services provided by third parties, if possible. Test results must be documented and any identified deficiencies resulting from the tests must be analysed, addressed and reported to the management body.
In addition to testing the BCP, companies must develop a response and recovery plan to minimise the impact of disruptions. In this regard, organisations must take account of a Business Impact Analysis. See also Article 11(5) of the Regulation. The ICT response and recovery plan must, among other things, specify the conditions prompting its activation (and any exceptions), describe what actions must be taken to ensure the availability, integrity and confidentiality of critical and important systems, and lay down the conditions to declare successful execution of the response and recovery plan.
ICT Asset Management
As part of ICT asset management, companies must develop (and implement) a policy and procedures, with a view to guaranteeing the availability, integrity and confidentiality of data. The policy must describe how the organisation monitors and manages the lifecycle of its ICT assets.
In addition, institutions must keep records of all ICT assets, including their location, classification, the identity of the system owner and the business function supported by the ICT assets. Finally, a procedure must be developed detailing how the company determines whether an ICT asset or application is critical or important.
Encryption and cryptography
As with ICT asset management, companies must develop and implement a policy documenting their data encryption and cryptographic key management. Among other things, the policy must describe the criteria for selecting cryptographic techniques and usage practices.
The policy must also lay down under what circumstances and conditions a company will switch to a new cryptographic technique to increase resilience against cyber attacks. It is important that companies set out the requirements for managing cryptographic keys throughout their entire lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking and destroying keys.
Network security
In order to ensure the security of networks within the organisation, it is important that companies develop and implement policies and procedures laying out measures to safeguard against intrusions and data misuse. The mapping and visual representation of the various network connections and data flows within the organisation provide institutions with a clear overview of the network.
Furthermore, it is important that network connections passing over corporate networks, public networks, domestic networks, third-party networks and wireless networks are secured and encrypted to prevent unauthorised access to the data. Finally, institutions can ensure the security of their network by reviewing on a regular basis the firewall rules and by performing regular reviews of the network architecture and of the network security design.
Vulnerability and patch management
To further secure the networks of companies, institutions must develop and document vulnerability management as well as patch management procedures. The vulnerability management procedure must describe, among other things, how the institution ensures that (automated) vulnerability scanning is performed on a regular basis and how any identified vulnerabilities are addressed and monitored.
At the same time, the patch management procedure must ensure that software and hardware patches are identified using automated tools and are tested in an environment separate from the production environment (to the extent possible) and that a deadline is set for the installation of patches and updates.
Logging
In addition to vulnerability and patch management and network security, institutions must ensure they are protected against intrusions and data misuse by logging user events. The companies must identify for themselves which events are to be logged, the retention period of the logs and the measures to secure and handle the log data.
To safeguard the accuracy of the logs, it is also important that measures are taken to protect the logs against unauthorised access, manipulation/deletion and disruptions affecting the logging system.
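As an added illustration (not part of the original guidance, and not a technique the RTS itself prescribes), the Python below shows one common way to make a user-event log tamper-evident: each record carries an HMAC over its content and the previous record's tag, so that modifying or deleting an earlier record is detected when the chain is verified. The event fields and the key are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample events of the kind a logging procedure might designate
# for logging (assumed field layout, not taken from the RTS).
SAMPLE_EVENTS = [
    {"ts": "2025-01-17T08:00:00Z", "user": "u123", "action": "login", "result": "ok"},
    {"ts": "2025-01-17T08:05:12Z", "user": "u123", "action": "read", "object": "ledger"},
    {"ts": "2025-01-17T08:09:40Z", "user": "u123", "action": "logout", "result": "ok"},
]

# Assumption: in a real deployment this key lives only on a separate log
# collector, so a user who can edit the log file cannot recompute the tags.
DEMO_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # anchor for the first record


def _tag(prev_tag, event, key):
    """HMAC over the previous tag and a canonical JSON encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def write_chain(events, key):
    """Return log records; each one links to the previous record via its tag."""
    records, prev = [], GENESIS
    for ev in events:
        ev = dict(ev)  # copy so later edits to the input do not alter the record
        tag = _tag(prev, ev, key)
        records.append({"event": ev, "prev": prev, "tag": tag})
        prev = tag
    return records


def verify_chain(records, key):
    """Return (True, None) if intact, else (False, index of first bad record).

    Detects edits and deletions inside the chain. Removal of the newest
    records is only detectable if the latest tag is also stored out of band.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev:
            return False, i
        if not hmac.compare_digest(rec["tag"], _tag(prev, rec["event"], key)):
            return False, i
        prev = rec["tag"]
    return True, None
```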
Change management
As part of the safeguards to preserve the availability, integrity and confidentiality of data, institutions must develop and implement an ICT change management procedure. This procedure must set out how the organisation verifies that ICT security requirements have been met, that changes are requested, tested, approved and implemented by the appropriate staff members, and how emergency changes must be implemented.
It is also important for companies to consider procedures to evaluate and monitor changes after their implementation and what steps should be taken when a change is aborted or cannot be implemented.
Logical access control
As part of their logical access control, companies must also develop and implement policies and procedures which must set out the identification and authentication of natural persons and systems accessing the institution’s information. For this, it is important that all (external) staff members are assigned a unique identity corresponding to their user account. Companies must maintain records of these identities/user accounts, which must also be reviewed and verified on a regular basis. Identity verification includes the creation, change, temporary deactivation and termination of user accounts.
In addition to user identification, it is important that staff members’ access to data is properly managed by the organisation. In this context, institutions must implement measures aimed at limiting as much as possible staff members’ access to data (least privilege principles), avoiding conflicts related to segregation of duties, and ensuring that staff members can be identified for the actions performed in ICT systems (in particular where shared user accounts are used). Finally, it is important that changes to access rights are implemented promptly and correctly.