Let’s first take a look at the first three letters of DORA – D(igital) O(perational) R(esilience).
Digital Operational Resilience is the ability to maintain operations (including recovery from disruptions or failures related to ICT) and adapt to the ever-changing environment and risks that exist for our organization.
The last letter, A(ct), refers to Regulation (EU) 2022/2554 of the European Parliament and of the Council, as well as (and I know I’m playing with words now) to the need to act.
DORA is important for financial institutions, and zooms in on the critical domains of ICT Risk Management and Governance, Incident Reporting and Management, Testing of operational resilience, and management of third-party risks.
While financial institutions are accustomed to stringent frameworks like PCI-DSS and ISO 27001, DORA introduces an additional layer of stringency, compelling them, along with their service providers (as we are at CROZ, for example), to further fortify their defenses.
ICT Risk management is a significant area in DORA regulation (Chapter 2 is dedicated to ICT Risk management) and it focuses on:
- Governance and organisation
- ICT Risk Management Framework
- ICT Systems, tools and protocols
- Risk identification
- Protection and prevention
- Risk detection
- Response and recovery
- Backup and restore policies, procedures and methods
- Learning from incidents and lessons learned
- Communication
We’ll focus here only on some of the ICT Risk Management requirements and the improvements needed to comply with DORA, more specifically Article 9 (Protection and Prevention), and within it on four interesting areas where CROZ has a lot of real-world experience and can help with aligning your IT with DORA.
The four selected areas are IAM (Identity and Access Management), MFA (Multi-Factor Authentication), PAM (Privileged Access Management), and PKI (Public Key Infrastructure). They are all important components of an IT security framework. Implementing these services to their full extent can help financial entities comply with DORA by ensuring that their IT systems are secure and resilient.
- IAM is a framework of policies and technologies that ensure that the right people have the right access to the right resources at the right time.
- MFA is a security mechanism that requires users to provide two or more forms of authentication before granting access to a system.
- PAM is a set of technologies and policies that control and monitor privileged access to critical systems and data.
- PKI is a security architecture that uses public key cryptography to secure communications over the internet.
To prepare IAM systems for compliance with DORA, organizations should conduct a thorough assessment of current IAM systems and processes to identify gaps in compliance with the given requirements.
This assessment should be comprehensive, examining:
- access control,
- authentication,
- monitoring,
- auditing, and
- incident response capabilities.
The next step would be to implement necessary improvements to access control and authentication mechanisms based on the assessment. This may include things like deploying MFA, refining RBAC policies, and strengthening password policies.
Additionally, enhance monitoring and auditing systems to ensure comprehensive and continuous tracking of user activities and access logs.
This may involve:
- investing in advanced analytics tools,
- establishing improved regular audit processes, and
- training staff to identify and address potential security risks.
It can be useful to develop and test a comprehensive incident response plan that outlines the procedures to be followed in the event of a security breach. This plan should include clear roles and responsibilities, communication protocols, and recovery procedures.
PAM is another important component of an IT security framework. It ensures that privileged access to critical systems and data is controlled and monitored.
To prepare PAM systems for compliance with DORA, organizations should conduct an assessment of current PAM systems and processes to identify gaps in compliance.
The implementation of the necessary improvements to access control and authentication mechanisms (based on the assessment) usually includes refining RBAC policies and strengthening password policies. It also means improving monitoring and auditing systems to ensure comprehensive and continuous tracking of user activities and access logs, including session recording of user actions, especially for privileged users.
Secure communication is explicitly emphasised in the DORA regulation. In modern IT it often relies on PKI – a security architecture that uses public key cryptography to secure communications over the internet. To prepare PKI systems for compliance with DORA, organizations should conduct an assessment of current PKI systems and processes to identify gaps in compliance and/or coverage of the system. Insecure communication will not be tolerated, and we all know that self-signed certificates are not cool.
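As an added illustration of what the PKI gap assessment above can check in practice (example code written for this page, not CROZ's tooling or anything from the regulation), the Go function below records the findings a reviewer would note for a certificate: self-signed, expired or expiring within a window, or carrying an RSA key below a minimum size. The subject name, key size and thresholds are assumptions, and the demo certificate is constructed in code rather than taken from any real system.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one gap a PKI coverage review would record for a certificate.
type Finding struct{ Subject, Issue string }

// AuditCert flags the conditions a DORA-oriented PKI review looks for: a self-signed
// certificate, one that is expired or expires within soon, or an RSA key below minRSABits.
func AuditCert(c *x509.Certificate, now time.Time, soon time.Duration, minRSABits int) []Finding {
	var out []Finding
	s := c.Subject.String()
	// Self-signed: issuer equals subject and the signature verifies under the cert's own key.
	if c.Issuer.String() == s && c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		out = append(out, Finding{s, "self-signed"})
	}
	if now.After(c.NotAfter) {
		out = append(out, Finding{s, "expired"})
	} else if now.Add(soon).After(c.NotAfter) {
		out = append(out, Finding{s, "expires soon"})
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < minRSABits {
		out = append(out, Finding{s, fmt.Sprintf("weak RSA key (%d bits)", k.N.BitLen())})
	}
	return out
}

// SelfSigned builds a constructed self-signed certificate as demo input for AuditCert;
// it is not taken from any real system.
func SelfSigned(cn string, bits int, notAfter time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run over a real inventory, the same function would be applied to each certificate parsed from the trust stores and TLS endpoints in scope, and the findings list becomes the gap register for the assessment.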
This text is only a reminder of some of the things that need to be taken into consideration and a suggestion of the steps that should be taken. Although most of the above-mentioned tools and technologies are already in place in the companies targeted by DORA, it would be wise to revisit how they were implemented and to what extent, and to verify whether they are efficient and effective enough to cope with the new regulation’s requirements.
Since DORA applies from January 2025, it’s time to roll up your sleeves, reassess your tools and technologies, and make sure you’re not just compliant, but ahead of the game. After all, in the ever-evolving world of IT, adaptation is the name of the game.