Simplified ICT risk management framework (Article 16)

Article 16 of the Regulation sets out the requirements for the simplified ICT risk management framework applicable to various exempted institutions. Part of the requirements for the framework are set out in the Regulation, while another part is elaborated in the RTS.

An analysis of the ICT risk management framework indicates that the simplified framework is broadly similar to the ‘regular’ ICT risk management framework. As is the case with the regular ICT risk management framework, the simplified variant must be documented and reviewed periodically (as well as upon the occurrence of major ICT-related incidents). The frequency of the periodic review is dependent on the institution’s risk profile.

Requirements for the simplified framework

The biggest difference is in the number of requirements that the simplified framework must meet. Also, these requirements are often less detailed. The reasoning behind this is that the simplified framework includes the minimum elements required to preserve the availability, integrity and confidentiality of data, while taking into account the risk, size and complexity of the company.

Institutions to which the simplified framework applies are therefore only required to develop an information security policy setting out general, overarching guidelines and rules aimed at preserving the availability, integrity and confidentiality of data.

Additional security measures

In addition to this information security policy, institutions are also required to implement adequate security measures for, among other things, logical access control, network security, ICT systems management and change management. To minimise the risk of unauthorised access, institutions must, for example, develop and implement procedures aimed at limiting staff members’ rights as much as possible and ensuring that the actions performed in ICT systems can be traced to individual users. Organisations must furthermore establish a standard process for granting, changing and revoking rights, and those rights must be reviewed periodically.

Organisations must also develop a procedure for change management. However, the requirements for this are more concise than those for institutions to which Article 15 applies. The simplified change management procedure must ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified.

With regard to network security, companies must configure the network in such a way that systems connected to the internal and/or external network are adequately protected against unauthorised access and data misuse. For this, it is important that measures are taken to protect data (in use, in transit and at rest) and to ensure the authenticity, integrity and confidentiality of data during network transmission. In addition, consideration must be given to how unauthorised access to the network is prevented and detected in a timely manner, and a process must be in place for securely deleting data.

Finally, as part of ICT asset management, institutions must identify all ICT systems supporting a critical or important business function. Organisations must additionally develop and implement an ICT systems acquisition, development and maintenance procedure. This procedure must clearly define the information security requirements and how ICT systems are tested prior to their first use. In this context, it is also important to monitor the life cycle of the ICT system, to ensure that it continues to meet and support the organisation’s requirements.

The requirements set out in the RTS for the simplified ICT risk management framework are therefore broadly in line with the requirements for the regular ICT risk management framework. However, the specified requirements are less extensive in the case of the simplified ICT risk management framework. In this way, account is taken of the size of the institutions to which Article 16 applies.