DORA: How to digitize ICT risk & ICT third party risk management based on the AGP@ARTEMEON platform
The AGP@ARTEMEON software suite offers a comprehensive, web-based solution for digitizing governance, risk & compliance (GRC) functions.
The individual modules of our AGP@ARTEMEON platform contain GRC-specific checklists, risk & reporting engines and workflows to help our clients comply with regulatory requirements, industry standards or internal policies and procedures. The key modules of our AGP@ARTEMEON software suite comprise functionalities related to …
1. information risk management (ISMS@ARTEMEON)
2. data security management (DSGVO@ARTEMEON)
3. internal control systems (ICS@ARTEMEON)
4. third party governance, contract management & outsourcing controlling (VAM@ARTEMEON)
5. business continuity management (BCM@ARTEMEON)
While the current setup of our software products already covers a wide array of functionalities, we continuously strive to improve our platform.
With regards to Regulation (EU) 2022/2554 (Digital Operational Resilience Act – “DORA”), we believe that our AGP@ARTEMEON software modules already include the major required features to technically support major parts of DORA ICT risk management and ICT third party risk management. As a matter of fact, this also includes identification, assessment, mitigation, prevention, recovery and reporting of ICT risks (see figure 1).
The following figure illustrates key functionalities provided by our AGP@ARTEMEON platform to digitize DORA-related workflows, risk assessments, controls and checklists.
In the wake of the public consultation on the first batch of policy products under DORA (regulatory technical standards (RTS) and draft implementing technical standards (ITS)), launched by the ESAs (EBA, EIOPA and ESMA) on June 19th, 2023, we have identified several add-on features to our software products in order to better support our clients in complying with DORA ICT risk management.
We therefore would like to share the following adjustments to our software modules ISMS@ARTEMEON, BCM@ARTEMEON and VAM@ARTEMEON, which we consider important in the context of the DORA.
We acknowledge that some functional aspects of DORA – such as the content and formats of ICT-related incident reporting (Art. 17-19), the standards for strategies, procedures, protocols and instruments of ICT security (Art. 8), the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers (Art. 28) or the requirements for the subcontracting of critical or important functions (Art. 26) – are subject to the current consultation phase.
For planning purposes, we have integrated topics which still need to be further specified based on the existing DORA regulation, the current state of consultation papers as well as requirements of related standards which have previously been implemented (i.e. EBA GL 2019/02).
We are prepared to take into account any amendments resulting from the consultation process which are relevant for our information risk, business continuity or third party risk / contract management software solutions ISMS@ARTEMEON, BCM@ARTEMEON, VAM@ARTEMEON in a timely manner.
As an extension of the existing DORA-specific functions, we will provide the following features beginning with release 11.0 of our ISMS@ARTEMEON, BCM@ARTEMEON, VAM@ARTEMEON software modules.
(1) Report to governing body according to DORA Art. 4, Para. 2 (h): Extension of the VAM@ARTEMEON report generator to include filter criteria and respective summaries.
(2) Identification and risk assessment in accordance with DORA Art. 7: Identification, classification, documentation and regular risk assessment (Art. 7, Para. 7) of ICT-related business functions, information resources supporting these functions, as well as the configurations and interconnections of the ICT systems with internal and external ICT systems and ICT third-party providers in ISMS@ARTEMEON via the SBF and IVB functionalities (operationalization in accordance with consultation paper "Draft Regulatory Technical Standards to further harmonise ICT risk management tools, methods, processes and policies as mandated under Articles 15 and 16(3) of Regulation (EU) 2022/2554").
(3) Business continuity and recovery plans according to DORA Art. 10: BCM@ARTEMEON will be enhanced by several ICT-related filters, roll-over procedures to regularly review existing business continuity and recovery plans, and tracking of ICT business continuity actions.
(4) ICT-related incidents as per DORA Art. 15-17: Capture, classification and documentation of ICT-related incidents via the BCM@ARTEMEON incident tracker functionality, implementation of filter criteria to identify major ICT-related incidents, and enhancement of checklists to generate reports based on the standards for the content of the reporting of major ICT-related incidents. Implementation of classification criteria for ICT-related incidents (e.g., based on consultation paper "Draft Regulatory Technical Standards on specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under Regulation (EU) 2022/2554").
(5) Register of information pursuant to DORA Art. 25 Para. 4: Enhancement of the VAM@ARTEMEON reporting engine to generate register of information content at entity level, at sub-consolidated and consolidated levels. List of all contractual arrangements on the use of ICT services provided by ICT third-party service providers. In addition to the information required by DORA, the register of information contains additional fields for filtering and root cause analysis of the relevant contracts. Introduction of filtering criteria for ICT related contracts of critical or important functions. All changes are based on consultation paper "Draft Implementing Technical Standards to establish the templates composing the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers as mandated by Regulation (EU) 2022/2554".
(6) Notification of competent authorities about planned contracting of critical or important functions and when a function has become critical or important in accordance with DORA Art. 25 Para. 4: The need for notifications will be displayed as part of the VAM@ARTEMEON workflow. Enhancement of the reporting engine to retrieve the respective information from the VAM@ARTEMEON contract database.
(7) Assessment of potential critical or important functions and impact on ICT concentration risk in accordance with DORA Art. 25 Para. 5: Reconfiguration of the existing VAM@ARTEMEON business partner due diligence workflow; integration of ICT concentration risk assessment within the scope of the VAM@ARTEMEON risk analysis.
(8) ICT third-party provider compliance with information security standards in accordance with DORA Art. 25 Para. 6: Enhancement of the information security checklist within the VAM@ARTEMEON workflow for all ICT contracts; flagging of the third party provider list (contract management functionality).
(9) Requirements for contractual arrangements according to DORA Art. 25 Para. 8 and Art. 27: Enhancement of checklists within the VAM@ARTEMEON workflow (in particular: contract check functionality).
(10) Classification of DORA-related flags, functions and ICT third-party providers:
a. Classification of ICT related contracts via the VAM@ARTEMEON contract data capture interface, enhancement of the commodity / product group functionality and contract type functionality. Display of a drop-down list of ICT related services (e.g., in accordance with Annex IV of consultation paper "Draft Implementing Technical Standards to establish the templates composing the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers as mandated by Regulation (EU) 2022/2554").
b. Classification of critical or important functions according to DORA in ISMS@ARTEMEON via the IVB functionality and in VAM@ARTEMEON via the drop-down field "Type of service purchased / type of outsourced function", including a feature to manage individual categories of critical or important functions.
c. Flagging of critical ICT third-party providers in ISMS@ARTEMEON and VAM@ARTEMEON (DORA Art. 28).
Please note that the envisioned changes can only be fully exploited when using the standard versions of our ISMS@ARTEMEON, BCM@ARTEMEON and VAM@ARTEMEON software solutions. Customized platforms of AGP@ARTEMEON may restrict the use of these new features.
We have based our implementation roadmap on the timeframes of the consultation phase as communicated by the ESAs. We will initiate the final adaptations in our software modules once the consultations have been officially concluded and the final RTS and ITS are available.
We hope that this text is beneficial to you. We would like to foster a discussion on how to pragmatically implement ICT risk management based on already existing software solutions. How do you envisage supporting ICT risk management in your organization?
We very much look forward to discussing potential questions, suggestions and further topics.