0003975
Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
European Union
Regulations
Free
RTS specifying criteria regarding ICT risk management
2024-03-13
The document as a whole was last reviewed and released on 2024-09-26T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2025 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure that the quality of the mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of every Citation we found within Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance itself, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework are drawn from the Authority Document's defined-terms section (which most legal documents have), from its glossary, and, for the most part, from the terms tagged within each mandate. Terms shown with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
| Control (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated = bold, Implied = italic, Implementation = regular) | TYPE | CLASS | |
|---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition/Sale of Assets or Services | Preventive | |
Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 | Acquisition/Sale of Assets or Services | Preventive | |
Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 [For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action. Article 10 2 ¶ 3 The vulnerability management procedures referred to in paragraph 1 shall: verify whether: whether those service providers report to the financial entity at least the critical vulnerabilities and statistics and trends in a timely manner; Article 10 2 ¶ 1(c)(ii)] | Communicate | Preventive | |
Establish, implement, and maintain system acquisition contracts. CC ID 14758 | Establish/Maintain Documentation | Preventive | |
Include security requirements in system acquisition contracts. CC ID 01124 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; Article 37 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Include operational requirements in system acquisition contracts. CC ID 00825 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; Article 37 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Obtain system documentation before acquiring products and services. CC ID 01445 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: technical specifications and ICT technical specifications, as defined in Article 2, points (4) and (5), of Regulation (EU) No 1025/2012; Article 16 1(b)(i)] | Establish/Maintain Documentation | Preventive | |
Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 | Establish/Maintain Documentation | Preventive | |
Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 | Communicate | Preventive | |
Document attempts to obtain system documentation. CC ID 14284 | Process or Activity | Corrective | |
Obtain user documentation before acquiring products and services. CC ID 14283 | Acquisition/Sale of Assets or Services | Preventive | |
Include instructions on how to use the security functions in the user documentation. CC ID 14314 | Establish/Maintain Documentation | Preventive | |
Include security functions in the user documentation. CC ID 14313 | Establish/Maintain Documentation | Preventive | |
Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 | Establish/Maintain Documentation | Preventive | |
Include a description of user interactions in the user documentation. CC ID 14311 | Establish/Maintain Documentation | Preventive | |
Require the information system developer to create a continuous monitoring plan. CC ID 14307 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: Article 16 1.] | Establish/Maintain Documentation | Preventive | |
Obtain authorization for marketing new products. CC ID 16805 | Business Processes | Preventive | |
Include compliance requirements in the product and services acquisition policy. CC ID 14163 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii)] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the product and services acquisition policy. CC ID 14161 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 | Establish/Maintain Documentation | Preventive | |
Include the scope in the product and services acquisition policy. CC ID 14159 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the product and services acquisition policy. CC ID 14158 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 | Communicate | Preventive | |
Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: Article 37 ¶ 1 The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity's ICT systems. Article 15 2.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 | Communicate | Preventive |
| Control (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated = bold, Implied = italic, Implementation = regular) | TYPE | CLASS | |
|---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Assign the Board of Directors to address audit findings. CC ID 12396 [{be critical} Based on the outcome of the audit referred to in paragraph 5, the financial entities referred to in paragraph 1 shall ensure the timely verification and remediation of critical ICT audit findings. Article 28 6.] | Human Resources Management | Corrective | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 [The financial entities referred to in paragraph 1 shall ensure an appropriate segregation and the independence of control functions and internal audit functions. Article 28 4.] | Establish Roles | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5.] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5.] | Establish Roles | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and Risk Management | Preventive | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Process or Activity | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and Risk Management | Detective | |
Establish and maintain audit terms. CC ID 13880 [Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the reason for the review of the ICT risk management framework in accordance with Article 6(5) of Regulation (EU) 2022/2554; Article 27 2 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Process or Activity | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Establish/Maintain Documentation | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Establish/Maintain Documentation | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 [{ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a summary of findings, and a self-assessment of the severity of the weaknesses, deficiencies, and gaps identified in ICT risk management framework for the review period, including a detailed analysis thereof; Article 41 2(f)] | Audits and Risk Management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 [For the purposes of point (f), the description shall contain an analysis of the impact of the changes on the financial entity's digital operational resilience strategy, on the financial entity's ICT internal control framework, and on the financial entity's ICT risk management governance. Article 27 2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 [{ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a description of the reasons for the review, including: where the review has been initiated following the occurrence of ICT-related incidents, the list of all those ICT-related incidents with related incident root-cause analysis; Article 41 2(c)(ii) {review} {ICT risk management framework} For the purposes of point (c), where the review was initiated following supervisory instructions, or conclusions derived from relevant digital operational resilience testing or audit processes, the report shall contain explicit references to such instructions or conclusions, allowing for the identification of the reason for initiating the review. Where the review was initiated following ICT-related incidents, the report shall contain the list of all ICT-related incidents with incident root-cause analysis. Article 27 2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Establish/Maintain Documentation | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Establish/Maintain Documentation | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Establish/Maintain Documentation | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Establish/Maintain Documentation | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Establish/Maintain Documentation | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5.] | Establish/Maintain Documentation | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: information on the process for informing the competent authority, where appropriate; Article 27 2 ¶ 1(h)(v)] | Establish/Maintain Documentation | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: summarises the major changes in the ICT risk management framework since the previous report submitted; Article 27 2 ¶ 1(a)(iii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the major changes and improvements to the ICT risk management framework since the previous review; Article 27 2 ¶ 1(f) {review} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: a summary of the major changes in the ICT risk management framework since the previous report; Article 41 2(a)(iv) {review} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: a summary and a description of the impact of major changes to the simplified ICT risk management framework since the previous report; Article 41 2(a)(v)] | Establish/Maintain Documentation | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5.] | Audits and Risk Management | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and Risk Management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Communicate | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
Establish and maintain work papers, as necessary. CC ID 13891 | Establish/Maintain Documentation | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 [{ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: overall conclusions on the review of the simplified ICT risk management framework, including any further planned developments. Article 41 2(h)] | Establish/Maintain Documentation | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and Risk Management | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: for financial entities other than microenterprises as referred to in Article 6(6) of Regulation (EU) 2022/2554, the results of internal audits; Article 27 2 ¶ 1(l)(i) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: the results of compliance assessments; Article 27 2 ¶ 1(l)(ii)] | Establish/Maintain Documentation | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Establish/Maintain Documentation | Detective | |
Include the purpose in the audit report. CC ID 17263 | Establish/Maintain Documentation | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and Risk Management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 | Establish/Maintain Documentation | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Establish/Maintain Documentation | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Human Resources Management | Detective | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Establish/Maintain Documentation | Preventive | |
Include written agreements in the audit report. CC ID 17266 | Establish/Maintain Documentation | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Establish/Maintain Documentation | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Establish/Maintain Documentation | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Establish/Maintain Documentation | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Establish/Maintain Documentation | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Establish/Maintain Documentation | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Establish/Maintain Documentation | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Establish/Maintain Documentation | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Establish/Maintain Documentation | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Establish/Maintain Documentation | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 [{review} {ICT risk management framework} {start date} Financial entities shall include all of the following information in the report referred to in paragraph 1: the start and end dates of the review period; Article 27 2 ¶ 1(d)] | Actionable Reports or Measurements | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: clearly identifies the financial entity that is the subject of the report, and describes its group structure, where relevant; Article 27 2 ¶ 1(a)(i) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: describes the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency; Article 27 2 ¶ 1(a)(ii) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: a description of the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, the financial entity's organisation, identified critical functions, strategy, major ongoing projects or activities, and relationships, and the financial entity's dependence on in-house and outsourced ICT services and systems, or the implications that a total loss or severe degradation of such systems would have on critical or important functions and market efficiency; Article 41 2(a)(i) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 41 2(a)(ii) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: information about the reported area; Article 41 2(a)(iii) {review} {ICT risk management framework} {be internal} {be external} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: tools to be used, and the identification of the function responsible for carrying out the measures, detailing whether the tools and functions are internal or external; Article 27 2 ¶ 1(h)(iii) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: the person responsible for the review; Article 41 2(e) {review} {ICT risk management framework} {be responsible} Financial entities shall include all of the following information in the report referred to in paragraph 1: an indication of the function responsible for the review; Article 27 2 ¶ 1(e)] | Actionable Reports or Measurements | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a summary of the findings of the review and detailed analysis and assessment of the severity of the weaknesses, deficiencies, and gaps in the ICT risk management framework during the review period; Article 27 2 ¶ 1(g) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 41 2(a)(ii) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a summary of findings, and a self-assessment of the severity of the weaknesses, deficiencies, and gaps identified in ICT risk management framework for the review period, including a detailed analysis thereof; Article 41 2(f) {review} {ICT risk management framework} For the purposes of point (c), where the review was initiated following supervisory instructions, or conclusions derived from relevant digital operational resilience testing or audit processes, the report shall contain explicit references to such instructions or conclusions, allowing for the identification of the reason for initiating the review. Where the review was initiated following ICT-related incidents, the report shall contain the list of all ICT-related incidents with incident root-cause analysis. Article 27 2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Establish/Maintain Documentation | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Establish/Maintain Documentation | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Establish/Maintain Documentation | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Establish/Maintain Documentation | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Establish/Maintain Documentation | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Establish/Maintain Documentation | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Establish/Maintain Documentation | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Establish/Maintain Documentation | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Establish/Maintain Documentation | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Establish/Maintain Documentation | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Establish/Maintain Documentation | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Establish/Maintain Documentation | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Establish/Maintain Documentation | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and Risk Management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Establish/Maintain Documentation | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and Risk Management | Detective | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Establish/Maintain Documentation | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Establish/Maintain Documentation | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: Article 27 2 ¶ 1(h) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: overall conclusions on the review of the simplified ICT risk management framework, including any further planned developments. Article 41 2(h) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: a summary of measures taken to remediate to identified weaknesses, deficiencies and gaps; Article 27 2 ¶ 1(h)(i)] | Establish/Maintain Documentation | Preventive | |
Include the cost of corrective action in the audit report. CC ID 17015 | Audits and Risk Management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: provides an executive level summary of the current and near-term ICT risk profile, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 27 2 ¶ 1(a)(iv)] | Establish/Maintain Documentation | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 [{review} {ICT risk management framework} {be internal} {be external} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: tools to be used, and the identification of the function responsible for carrying out the measures, detailing whether the tools and functions are internal or external; Article 27 2 ¶ 1(h)(iii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: provides an executive level summary of the current and near-term ICT risk profile, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 27 2 ¶ 1(a)(iv)] | Establish/Maintain Documentation | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Establish/Maintain Documentation | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Establish/Maintain Documentation | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Establish/Maintain Documentation | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and Risk Management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: results of digital operational resilience testing, and where applicable the results of advanced testing, based on threat-led penetration testing (TLPT), of ICT tools, systems, and processes; Article 27 2 ¶ 1(l)(iii)] | Establish/Maintain Documentation | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Establish/Maintain Documentation | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Establish/Maintain Documentation | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: describes the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency; Article 27 2 ¶ 1(a)(ii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: Article 27 2 ¶ 1(l)] | Audits and Risk Management | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: external sources. Article 27 2 ¶ 1(l)(iv) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a description of the reasons for the review, including: Article 41 2(c) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a description of the reasons for the review, including: where the review has been initiated following supervisory instructions, evidence of such instructions; Article 41 2(c)(i)] | Audits and Risk Management | Preventive | |
Review past audit reports. CC ID 01155 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on past reviews, including: a list of past reviews to date; Article 27 2 ¶ 1(k)(i)] | Establish/Maintain Documentation | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on past reviews, including: Article 27 2 ¶ 1(k)] | Establish/Maintain Documentation | Detective | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Establish/Maintain Documentation | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Establish/Maintain Documentation | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Establish/Maintain Documentation | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a summary of the findings of the review and detailed analysis and assessment of the severity of the weaknesses, deficiencies, and gaps in the ICT risk management framework during the review period; Article 27 2 ¶ 1(g)] | Establish/Maintain Documentation | Corrective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Investigate | Detective | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Process or Activity | Detective | |
Include the results of the business impact analysis in the audit report. CC ID 17208 [{review} {ICT risk management framework} {financial resource} {human resource} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: a description of the impact of the changes envisaged in the measures on the financial entity's budgetary, human, and material resources, including resources dedicated to the implementation of any corrective measures; Article 27 2 ¶ 1(h)(iv) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: describes the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency; Article 27 2 ¶ 1(a)(ii)] | Establish/Maintain Documentation | Preventive | |
Include an audit opinion in the audit report. CC ID 07017 [Financial entities shall include all of the following information in the report referred to in paragraph 1: conclusions resulting from the review of the ICT risk management framework; Article 27 2 ¶ 1(j) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: provides an executive level summary of the current and near-term ICT risk profile, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 27 2 ¶ 1(a)(iv)] | Establish/Maintain Documentation | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Establish/Maintain Documentation | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Establish/Maintain Documentation | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Establish/Maintain Documentation | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Business Processes | Corrective | |
Include items that pertain to third parties in the audit report. CC ID 07008 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: describes the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency; Article 27 2 ¶ 1(a)(ii)] | Establish/Maintain Documentation | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Establish/Maintain Documentation | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 [{review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 41 2(a)(ii)] | Establish/Maintain Documentation | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Establish/Maintain Documentation | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Establish/Maintain Documentation | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [{be searchable} Financial entities shall submit the report on the review of the ICT risk management framework referred to in Article 6(5) of Regulation (EU) 2022/2554 in a searchable electronic format. Article 27 1. {be searchable} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall submit the report on the review of the ICT risk management framework referred to in paragraph 2 of that Article in a searchable electronic format. Article 41 1.] | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Human Resources Management | Preventive | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [{be critical} Based on the outcome of the audit referred to in paragraph 5, the financial entities referred to in paragraph 1 shall ensure the timely verification and remediation of critical ICT audit findings. Article 28 6. {review} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on planned further developments of the ICT risk management framework; Article 27 2 ¶ 1(i) {ICT risk management framework} {review} {remedial measure} The report referred to in paragraph 1 shall contain all of the following information: remedying measures identified to address weaknesses, deficiencies, and gaps in the simplified ICT risk management framework, and the expected date for implementing those measures, including the follow-up on weaknesses, deficiencies, and gaps identified in previous reports, where those weaknesses, deficiencies, and gaps have not yet been remedied; Article 41 2(g)] | Establish/Maintain Documentation | Corrective | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [The vulnerability management procedures referred to in paragraph 1 shall: require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution. Article 10 2 ¶ 1(h) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: an expected date for implementing the measures and dates related to the internal control of the implementation, including information on the state of progress of the implementation of those measures as at the date of drafting of the report, explaining, where applicable, if there is a risk that deadlines may not be respected; Article 27 2 ¶ 1(h)(ii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on past reviews, including: where applicable, a state of implementation of the corrective measures identified by the last report; Article 27 2 ¶ 1(k)(ii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on past reviews, including: where the proposed corrective measures in past reviews have proven ineffective or have created unexpected challenges, a description of how those corrective measures could be improved or of those unexpected challenges; Article 27 2 ¶ 1(k)(iii) {ICT risk management framework} {review} {remedial measure} The report referred to in paragraph 1 shall contain all of the following information: remedying measures identified to address weaknesses, deficiencies, and gaps in the simplified ICT risk management framework, and the expected date for implementing those measures, including the follow-up on weaknesses, deficiencies, and gaps identified in previous reports, where those weaknesses, deficiencies, and gaps have not yet been remedied; Article 41 2(g)] | Actionable Reports or Measurements | Corrective | |
Review management's response to issues raised in past audit reports. CC ID 01149 [{ICT risk management framework} {review} {remedial measure} The report referred to in paragraph 1 shall contain all of the following information: remedying measures identified to address weaknesses, deficiencies, and gaps in the simplified ICT risk management framework, and the expected date for implementing those measures, including the follow-up on weaknesses, deficiencies, and gaps identified in previous reports, where those weaknesses, deficiencies, and gaps have not yet been remedied; Article 41 2(g)] | Audits and Risk Management | Detective | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5. {ICT risk management framework} {start date} The report referred to in paragraph 1 shall contain all of the following information: the start and end date of the review period; Article 41 2(d)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1 Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: Article 3 ¶ 1 The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to; Article 28 2(f) {governance, risk, and compliance framework} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk to achieve a high level of digital operational resilience. Article 28 1.] | Establish/Maintain Documentation | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Business Processes | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Business Processes | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 | Business Processes | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Establish/Maintain Documentation | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and Risk Management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Business Processes | Preventive | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1 Based on their information security policy referred to in paragraph 1, the financial entities referred to in paragraph 1 shall establish and implement ICT security measures to mitigate their exposure to ICT risk, including mitigating measures implemented by ICT third-party service providers. Article 29 2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Establish/Maintain Documentation | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Data and Information Management | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: requirements to ensure that the performance of internal audit and other testing minimises disruptions to business operations; Article 8 2 ¶ 1(b)(iv)] | Establish/Maintain Documentation | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and Risk Management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Establish/Maintain Documentation | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Establish/Maintain Documentation | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Establish/Maintain Documentation | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Establish/Maintain Documentation | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Establish/Maintain Documentation | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Establish/Maintain Documentation | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Establish/Maintain Documentation | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Establish/Maintain Documentation | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Establish/Maintain Documentation | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Establish/Maintain Documentation | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Establish/Maintain Documentation | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Establish/Maintain Documentation | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: Article 3 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 [The financial entities referred to in paragraph 1 shall carry out and document the ICT risk assessment periodically commensurate to the financial entities' ICT risk profile. Article 31 2.] | Establish/Maintain Documentation | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account. Article 3 ¶ 1(f)] | Establish/Maintain Documentation | Preventive | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and Risk Management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i); Article 3 ¶ 1(b)(ii)] | Audits and Risk Management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Communicate | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to; Article 28 2(f) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the identification and assessment of the ICT risks to which the financial entity is exposed; Article 31 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the identification and assessment of any ICT and information security risks resulting from any major change in ICT system or ICT services, processes, or procedures, and from ICT security testing results and after any major ICT-related incident. Article 31 1(e)] | Testing | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 [The financial entities referred to in paragraph 1 shall carry out and document the ICT risk assessment periodically commensurate to the financial entities' ICT risk profile. Article 31 2.] | Establish/Maintain Documentation | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: ensures that the staff of the financial entity is kept up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, commensurate to the ICT risk being managed; Article 28 2(h)] | Business Processes | Preventive | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 [The vulnerability management procedures referred to in paragraph 1 shall: monitor and verify the remediation of vulnerabilities; Article 10 2 ¶ 1(g)] | Investigate | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i); Article 3 ¶ 1(b)(ii)] | Audits and Risk Management | Detective | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Establish/Maintain Documentation | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Establish/Maintain Documentation | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Establish/Maintain Documentation | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Establish/Maintain Documentation | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Establish/Maintain Documentation | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity's activities. Article 1 ¶ 1(e)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Communicate | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: a determination of the risk tolerance levels for ICT risk, in accordance with the risk appetite of the financial entity; Article 31 1(a)] | Establish/Maintain Documentation | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies; Article 28 2(d)(i)] | Business Processes | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to; Article 28 2(f) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the identification and assessment of the ICT risks to which the financial entity is exposed; Article 31 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the identification and assessment of any ICT and information security risks resulting from any major change in ICT system or ICT services, processes, or procedures, and from ICT security testing results and after any major ICT-related incident. Article 31 1(e)] | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Process or Activity | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Process or Activity | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [{ICT risk management procedure} For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure: the assessment of whether the established risk tolerance levels of the financial entity have been attained; Article 3 ¶ 2(b) The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: bears the overall responsibility for ensuring that the simplified ICT risk management framework allows for the achievement of the financial entity's business strategy in accordance with the risk appetite of that financial entity, and ensures that ICT risk is considered in that context; Article 28 2(a)] | Establish/Maintain Documentation | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [{exceed} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the specification of mitigation strategies at least for the ICT risks that are not within the risk tolerance levels of the financial entity; Article 31 1(c)] | Establish/Maintain Documentation | Preventive | |
Approve the risk acceptance level, as necessary. CC ID 17168 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: an indication of the approval of the risk tolerance level for ICT risk established in accordance with Article 6(8), point (b), of Regulation (EU) 2022/2554; Article 3 ¶ 1(a)] | Process or Activity | Preventive | |
Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment. Article 7 2. {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 criteria for the selection of cryptographic techniques and use practices, taking into account leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and the classification of relevant ICT assets established in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities that are not able to adhere to the leading practices or standards, or to use the most reliable techniques, shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 3.] | Audits and Risk Management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [{residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the review of the accepted residual ICT risks at least once a year, including: the assessment of available mitigation measures; Article 3 ¶ 1(d)(iv) (2)] | Testing | Detective | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a); Article 3 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Establish/Maintain Documentation | Preventive | |
Include time information in the risk treatment plan. CC ID 16993 | Establish/Maintain Documentation | Preventive | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Establish/Maintain Documentation | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 [{ICT risk management procedure} {risk treatment measure} For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure: the assessment of whether the financial entity has taken actions to correct or improve those measures where necessary. Article 3 ¶ 2(c) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the monitoring of the effectiveness of the mitigation strategies referred to in point (c); Article 31 1(d)] | Establish/Maintain Documentation | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Communicate | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a); Article 3 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 [{residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the identification of those residual ICT risks; Article 3 ¶ 1(d)(i) {residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance; Article 3 ¶ 1(d)(iii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: where the weaknesses, deficiencies, or gaps identified are not subject to corrective measures, a detailed explanation of the criteria used to analyse the impact of those weaknesses, deficiencies, or gaps, to evaluate the related residual ICT risk, and of the criteria used to accept the related residual risk; Article 27 2 ¶ 1(h)(vi)] | Establish/Maintain Documentation | Corrective | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [{residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the review of the accepted residual ICT risks at least once a year, including: Article 3 ¶ 1(d)(iv) {residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance; Article 3 ¶ 1(d)(iii) {residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the review of the accepted residual ICT risks at least once a year, including: the identification of any changes to the residual ICT risks; Article 3 ¶ 1(d)(iv)(1) {residual risk} {be valid} {be applicable} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the review of the accepted residual ICT risks at least once a year, including: the assessment of whether the reasons justifying the acceptance of residual ICT risks are still valid and applicable at the date of the review; Article 3 ¶ 1(d)(iv)(3)] | Business Processes | Preventive | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Establish/Maintain Documentation | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Establish/Maintain Documentation | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Business Processes | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and Risk Management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: network security; Article 1 ¶ 1(c)] | Audits and Risk Management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Communicate | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Communicate | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Establish/Maintain Documentation | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Communicate | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Business Processes | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Establish/Maintain Documentation | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Communicate | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Establish/Maintain Documentation | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Establish/Maintain Documentation | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Establish/Maintain Documentation | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Establish/Maintain Documentation | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [Based on their information security policy referred to in paragraph 1, the financial entities referred to in paragraph 1 shall establish and implement ICT security measures to mitigate their exposure to ICT risk, including mitigating measures implemented by ICT third-party service providers. Article 29 2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Communicate | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Human Resources Management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Process or Activity | Detective | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Establish Roles | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies; Article 28 2(d)(i)] | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the identification of the roles and responsibilities and steps for the specification, implementation, approval, change, and review of firewall rules and connections filters; Article 13 ¶ 1(h)] | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): the assignment of roles and responsibilities regarding: the acceptance of the residual ICT risks that exceed the financial entity's risk tolerance level referred to in point (a); Article 3 ¶ 1(d)(ii)(1) {residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): the assignment of roles and responsibilities regarding: for the review process referred to in point (iv) of this point (d); Article 3 ¶ 1(d)(ii)(2) The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: bears the overall responsibility for ensuring that the simplified ICT risk management framework allows for the achievement of the financial entity's business strategy in accordance with the risk appetite of that financial entity, and ensures that ICT risk is considered in that context; Article 28 2(a) The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: sets clear roles and responsibilities for all ICT-related tasks; Article 28 2(b)] | Human Resources Management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources Management | Preventive | |
Assign the roles and responsibilities for the change control program. CC ID 13118 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: Article 17 1(c) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the identification of fall-back procedures and responsibilities, including procedures and responsibilities for aborting changes or recovering from changes not successfully implemented; Article 17 1(e)] | Human Resources Management | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 | Behavior | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: allocates and reviews at least once a year the budget necessary to fulfil the financial entity's digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff; Article 28 2(e)] | Establish/Maintain Documentation | Preventive | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Training | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 [Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to: be informed about, and adhere to, the financial entity's ICT security policies, procedures, and protocols; Article 19 ¶ 1(b)(i)] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 [Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to: be informed about, and adhere to, the financial entity's ICT security policies, procedures, and protocols; Article 19 ¶ 1(b)(i)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include identity and access management in the security awareness program. CC ID 17013 | Training | Preventive | |
Include the encryption process in the security awareness program. CC ID 17014 | Training | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
Include data management in the security awareness program. CC ID 17010 | Training | Preventive | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Training | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
Include social networking in the security awareness program. CC ID 17011 | Training | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to: be aware of the reporting channels put in place by the financial entity for the detection of anomalous behaviour, including, where applicable, the reporting channels established in line with Directive (EU) 2019/1937 of the European Parliament and of the Council (11); Article 19 ¶ 1(b)(ii)] | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
Establish, implement, and maintain an insider threat program. CC ID 10687 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: insider attacks; Article 26 2(g)] | Human Resources Management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 [{reporting requirements} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: establishes reporting arrangements, including the frequency, form, and content of reporting to the management body on the information security and digital operational resilience. Article 28 2(i)] | Business Processes | Preventive | |
Establish, implement, and maintain communication protocols. CC ID 12245 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Communicate | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Establish/Maintain Documentation | Preventive | |
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Process or Activity | Detective | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Establish/Maintain Documentation | Preventive | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Communicate | Preventive | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Communicate | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Process or Activity | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Communicate | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Communicate | Preventive | |
Route notifications, as necessary. CC ID 12832 | Process or Activity | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Process or Activity | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Business Processes | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Process or Activity | Preventive | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Actionable Reports or Measurements | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Communicate | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Process or Activity | Preventive | |
Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Process or Activity | Preventive | |
Establish, implement, and maintain warning procedures. CC ID 12407 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain alert procedures. CC ID 12406 | Establish/Maintain Documentation | Preventive | |
Include the criteria for notifications in the notification system. CC ID 17139 | Establish/Maintain Documentation | Preventive | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 [{reporting requirements} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: establishes reporting arrangements, including the frequency, form, and content of reporting to the management body on the information security and digital operational resilience. Article 28 2(i)] | Business Processes | Preventive | |
Include transactions and events as a part of internal reporting. CC ID 12413 | Business Processes | Preventive | |
Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Communicate | Preventive | |
Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Establish/Maintain Documentation | Preventive | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Establish/Maintain Documentation | Preventive | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Communicate | Preventive | |
Provide identifying information about the organization to the responsible party. CC ID 16715 | Communicate | Preventive | |
Identify the material topics required to be reported on. CC ID 15654 | Business Processes | Preventive | |
Check the list of material topics for completeness. CC ID 15692 | Investigate | Preventive | |
Prioritize material topics used in reporting. CC ID 15678 | Communicate | Preventive | |
Review and approve the material topics, as necessary. CC ID 15670 | Process or Activity | Preventive | |
Define the thresholds for reporting in the external reporting program. CC ID 15679 | Establish/Maintain Documentation | Preventive | |
Include time requirements in the external reporting program. CC ID 16566 | Communicate | Preventive | |
Include information about the organizational culture in the external reporting program. CC ID 15610 | Establish/Maintain Documentation | Preventive | |
Submit certification letters to interested personnel and affected parties. CC ID 16969 | Communicate | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Communicate | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Communicate | Preventive | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Establish/Maintain Documentation | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Establish/Maintain Documentation | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Establish/Maintain Documentation | Preventive | |
Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Process or Activity | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions; Article 3 ¶ 1(b)(i)] | Business Processes | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use; Article 12 2 ¶ 1(d) {data in transit} {data at rest} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to protect data in use, in transit, and at rest; Article 35 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Establish/Maintain Documentation | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Establish/Maintain Documentation | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Establish/Maintain Documentation | Preventive | |
Include the data source in the data governance and management practices. CC ID 17211 | Data and Information Management | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Establish/Maintain Documentation | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Establish/Maintain Documentation | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Establish/Maintain Documentation | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Establish/Maintain Documentation | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Establish/Maintain Documentation | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Establish/Maintain Documentation | Preventive | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [The vulnerability management procedures referred to in paragraph 1 shall: identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilities; Article 10 2 ¶ 1(a)] | Technical Security | Detective | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: procedures and protocols for handling errors; Article 8 2 ¶ 1(c)(i)] | Business Processes | Corrective | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Define the scope of the security policy. CC ID 07145 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1] | Data and Information Management | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Include contact information in the organization's policies, standards, and procedures. CC ID 17167 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: support and escalation contacts, including external support contacts in case of unexpected operational or technical issues; Article 8 2 ¶ 1(c)(ii)] | Establish/Maintain Documentation | Preventive | |
Include the effective date on all organizational policies. CC ID 06820 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: indicate the date of the formal approval of the ICT security policies by the management body; Article 2 2(b) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: the date of the approval of the report by the management body of the financial entity; Article 27 2 ¶ 1(b) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: where applicable, the date of the approval of the report by the management body of the financial entity; Article 41 2(b)] | Establish/Maintain Documentation | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: list the documentation to be maintained; Article 2 2(f)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: sets out information security objectives and ICT requirements; Article 28 2(c)] | Establish/Maintain Documentation | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Establish/Maintain Documentation | Corrective | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: contain indicators and measures to: record exceptions from that implementation; Article 2 2(c)(ii)] | Establish/Maintain Documentation | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Establish/Maintain Documentation | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Communicate | Preventive | |
Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 [{critical function} In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: Article 15 5.] | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Establish/Maintain Documentation | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the objectives of the ICT business continuity policy, including the interrelation of ICT and overall business continuity, and considering the results of the business impact analysis (BIA) referred to in Article 11(5) of Regulation (EU) 2022/2554; Article 24 1(a)(i)] | Establish/Maintain Documentation | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the objectives of the ICT business continuity policy, including the interrelation of ICT and overall business continuity, and considering the results of the business impact analysis (BIA) referred to in Article 11(5) of Regulation (EU) 2022/2554; Article 24 1(a)(i)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Information Technology project plans. CC ID 16944 [{project management} When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT project and change management; Article 1 ¶ 1 (d) The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project planning, timeframe, and steps; Article 15 3(c)] | Establish/Maintain Documentation | Preventive | |
Submit closure reports at the conclusion of each information technology project. CC ID 16948 [{individual} In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: individually or in aggregation, depending on the importance and size of the ICT projects; Article 15 5(a)] | Actionable Reports or Measurements | Preventive | |
Review and approve the closure report. CC ID 16947 | Actionable Reports or Measurements | Preventive | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Establish/Maintain Documentation | Preventive | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Establish/Maintain Documentation | Preventive | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Business Processes | Preventive | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 | Establish/Maintain Documentation | Preventive | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Establish/Maintain Documentation | Preventive | |
Assign senior management to approve business cases. CC ID 13068 | Human Resources Management | Preventive | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: relevant milestones; Article 15 3(e)] | Establish/Maintain Documentation | Preventive | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Establish/Maintain Documentation | Corrective | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 [In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: periodically and, where necessary, on an event-driven basis. Article 15 5(b)] | Actionable Reports or Measurements | Preventive | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 [{individual} In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: individually or in aggregation, depending on the importance and size of the ICT projects; Article 15 5(a) In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: periodically and, where necessary, on an event-driven basis. Article 15 5(b) {critical function} In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: Article 15 5.] | Actionable Reports or Measurements | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitor and Evaluate Occurrences | Detective | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554; Article 4 2(a) As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations. Article 8 1. {critical function} For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage to the extent possible of third-party libraries, including open-source libraries. Article 10 2 ¶ 4 The vulnerability management procedures referred to in paragraph 1 shall: track the usage of: ICT services developed by the financial entity itself or specifically customised or developed for the financial entity by an ICT third-party service provider; Article 10 2 ¶ 1(d)(ii) {capacity management procedure} The capacity and performance management procedures referred to in paragraph 1 shall ensure that financial entities take measures that are appropriate to cater for the specificities of ICT systems with long or complex procurement or approval processes or ICT systems that are resource-intensive. Article 9 2. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: monitor and manage the lifecycle of all ICT assets; Article 34 ¶ 1(a) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: monitor whether the ICT assets are supported by ICT third-party service providers of financial entities, where applicable; Article 34 ¶ 1(b)] | Monitor and Evaluate Occurrences | Detective | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Communicate | Corrective | |
Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506 [{mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 criteria for the selection of cryptographic techniques and use practices, taking into account leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and the classification of relevant ICT assets established in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities that are not able to adhere to the leading practices or standards, or to use the most reliable techniques, shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 3. {be resilient} {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 4.] | Establish/Maintain Documentation | Preventive | |
Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain monitoring and logging operations. CC ID 00637 [Financial entities shall, as part of the safeguards against intrusions and data misuse, develop, document, and implement logging procedures, protocols and tools. Article 12 1.] | Log Management | Detective | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the audit and accountability policy. CC ID 14100 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the audit and accountability policy. CC ID 14097 | Establish/Maintain Documentation | Preventive | |
Include the scope in the audit and accountability policy. CC ID 14096 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Communicate | Preventive | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Communicate | Preventive | |
Review and approve the use of continuous security management systems. CC ID 13181 | Process or Activity | Preventive | |
Monitor and evaluate system telemetry data. CC ID 14929 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: contain safeguards against intrusions and data misuse; Article 2 1(b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks; Article 26 2(f)] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Establish/Maintain Documentation | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions; Article 23 2 ¶ 1(b)] | Monitor and Evaluate Occurrences | Detective | |
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Acquisition/Sale of Assets or Services | Preventive | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions; Article 23 2 ¶ 1(b)] | Monitor and Evaluate Occurrences | Detective | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 [{audit trail information} The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: protocols for audit-trail and system log information; Article 8 2 ¶ 1(b)(iii) For the purposes of point (f), financial entities shall align the level of detail of the logs with their purpose and usage of the ICT asset producing those logs. Article 34 ¶ 2] | Log Management | Detective | |
Establish, implement, and maintain an event logging policy. CC ID 15217 | Establish/Maintain Documentation | Preventive | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Data and Information Management | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Data and Information Management | Preventive | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain log analysis tools. CC ID 17056 | Technical Security | Preventive | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Log Management | Detective | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Technical Security | Detective | |
Document the event information to be logged in the event information log specification. CC ID 00639 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created; Article 12 2 ¶ 1(a)] | Configuration | Preventive | |
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Configuration | Preventive | |
Enable and configure logging on network access controls in accordance with organizational standards. CC ID 01963 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the requirement to log events related to all of the following: network traffic activities, including ICT network performance; Article 12 2 ¶ 1(c)(v)] | Configuration | Preventive | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: without prejudice to any applicable regulatory requirements under Union or national law, the synchronisation of the clocks of each of the financial entity's ICT systems upon a documented reliable reference time source. Article 12 2 ¶ 1(f)] | Configuration | Preventive | |
Review and update the list of auditable events in the event logging procedures. CC ID 10097 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the alignment of the level of detail of the logs with their purpose and usage to enable the effective detection of anomalous activities as referred to in Article 24; Article 12 2 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate system performance. CC ID 00651 [{capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the monitoring procedures for maintaining and improving: the efficiency of ICT systems; Article 9 1(c)(ii)] | Monitor and Evaluate Occurrences | Detective | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually. Article 23 2 ¶ 1(d) {cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish, implement, and operate technical, organisational, and operational mechanisms to support the ICT-related incident management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours in accordance with Article 23 of this Regulation; Article 22 ¶ 1(c) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify and implement measures to monitor and analyse information on anomalous activities and behaviour for critical or important ICT operations; Article 34 ¶ 1(g)] | Monitor and Evaluate Occurrences | Detective | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Technical Security | Corrective | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 | Monitor and Evaluate Occurrences | Preventive | |
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Investigate | Detective | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitor and Evaluate Occurrences | Detective | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Investigate | Detective | |
Review retail payment service reports, as necessary. CC ID 13545 | Investigate | Detective | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Process or Activity | Detective | |
Monitor for and report when a software configuration is updated. CC ID 06746 [{critical function} For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage to the extent possible of third-party libraries, including open-source libraries. Article 10 2 ¶ 4] | Monitor and Evaluate Occurrences | Detective | |
Log account usage times. CC ID 07099 | Log Management | Detective | |
Log account usage durations. CC ID 12117 | Monitor and Evaluate Occurrences | Detective | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Communicate | Detective | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: any changes to the ICT risk and cyber threat landscape; Article 3 ¶ 1(e)(i) Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: ICT risk of the financial entity that enables prompt detection of changes that could affect its ICT risk profile; Article 3 ¶ 1(e)(iii) {ICT risk management procedure} For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure: the monitoring of the effectiveness of the ICT risk treatment measures implemented; Article 3 ¶ 2(a)] | Establish/Maintain Documentation | Preventive | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: any changes to the ICT risk and cyber threat landscape; Article 3 ¶ 1(e)(i) Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: internal and external vulnerabilities and threats: Article 3 ¶ 1(e)(ii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to monitor relevant and up-to-date information about cyber threats; Article 34 ¶ 1(h) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i) The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions. Article 31 3.] | Monitor and Evaluate Occurrences | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitor and Evaluate Occurrences | Detective | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
Monitor for new vulnerabilities. CC ID 06843 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: internal and external vulnerabilities and threats: Article 3 ¶ 1(e)(ii) The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions. Article 31 3.] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a system security plan. CC ID 01922 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1] | Testing | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Establish/Maintain Documentation | Preventive | |
Include threats in the system security plan. CC ID 14693 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations. Article 2 2(k)] | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the design of networks in line with the ICT security requirements established by the financial entity, taking into account leading practices to ensure the confidentiality, integrity, and availability of the network; Article 13 ¶ 1(f)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption. Article 8 2 ¶ 1(c)(iii)] | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
Establish, implement, and maintain a testing program. CC ID 00654 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall establish and implement an ICT security testing plan to validate the effectiveness of their ICT security measures developed in accordance with Articles 33, 34 and 35 and Articles 37 and 38 of this Regulation. Financial entities shall ensure that that plan considers threats and vulnerabilities identified as part of the simplified ICT risk management framework referred to in Article 31 of this Regulation. Article 36 1.] | Behavior | Preventive | |
Conduct Red Team exercises, as necessary. CC ID 12131 | Technical Security | Detective | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Communicate | Preventive | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Communicate | Preventive | |
Test security systems and associated security procedures, as necessary. CC ID 11901 [{assess} The financial entities referred to in paragraph 1 shall review, assess and test ICT security measures, taking into consideration the overall risk profile of the ICT assets of the financial entity. Article 36 2.] | Technical Security | Detective | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Human Resources Management | Preventive | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Testing | Preventive | |
Document improvement actions based on test results and exercises. CC ID 16840 | Establish/Maintain Documentation | Preventive | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Testing | Preventive | |
Protect systems and data during testing in the production environment. CC ID 17198 [{ICT security} For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment. Article 8 2 ¶ 3] | Testing | Preventive | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Data and Information Management | Preventive | |
Define the criteria to conduct testing in the production environment. CC ID 17197 [{ICT security} For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment. Article 8 2 ¶ 3] | Testing | Preventive | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Behavior | Preventive | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Testing | Preventive | |
Define the test requirements for each testing program. CC ID 13177 | Establish/Maintain Documentation | Preventive | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Testing | Detective | |
Include test requirements for the use of production data in the testing program. CC ID 17201 [By way of derogation from paragraph 5, the procedure referred to in paragraph 2 may provide that production data are stored only for specific testing occasions, for limited periods of time, and following the approval by the relevant function and the reporting of such occasions to the ICT risk management function. Article 16 6.] | Testing | Preventive | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Testing | Preventive | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Testing | Preventive | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Testing | Preventive | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Communicate | Preventive | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Testing | Preventive | |
Identify risk management measures when testing in scope systems. CC ID 14960 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall establish and implement an ICT security testing plan to validate the effectiveness of their ICT security measures developed in accordance with Articles 33, 34 and 35 and Articles 37 and 38 of this Regulation. Financial entities shall ensure that that plan considers threats and vulnerabilities identified as part of the simplified ICT risk management framework referred to in Article 31 of this Regulation. Article 36 1.] | Process or Activity | Detective | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Establish/Maintain Documentation | Preventive | |
Deny network access to rogue devices until network access approval has been received. CC ID 11852 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the identification and implementation of network access controls to prevent and detect connections to the financial entity's network by any unauthorised device or system, or any endpoint not meeting the financial entity's security requirements; Article 13 ¶ 1(d)] | Configuration | Preventive | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Establish/Maintain Documentation | Preventive | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Communicate | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Communicate | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Communicate | Preventive | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Establish/Maintain Documentation | Preventive | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Process or Activity | Preventive | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Process or Activity | Preventive | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Testing | Preventive | |
Perform conformity assessments, as necessary. CC ID 15095 | Testing | Detective | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Technical Security | Detective | |
Define the test frequency for each testing program. CC ID 13176 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Establish/Maintain Documentation | Preventive | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Testing | Detective | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Testing | Corrective | |
Ensure protocols are free from injection flaws. CC ID 16401 | Process or Activity | Preventive | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Technical Security | Preventive | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Establish/Maintain Documentation | Preventive | |
Include facilities in the business line testing strategy. CC ID 13253 | Establish/Maintain Documentation | Preventive | |
Include electrical systems in the business line testing strategy. CC ID 13251 | Establish/Maintain Documentation | Preventive | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Establish/Maintain Documentation | Preventive | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Establish/Maintain Documentation | Preventive | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Establish/Maintain Documentation | Preventive | |
Include environmental controls in the business line testing strategy. CC ID 13246 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement vulnerability management procedures. Article 10 1. {critical function} The vulnerability management procedures referred to in paragraph 1 shall: track the usage of: third-party libraries, including open-source libraries, used by ICT services supporting critical or important functions; Article 10 2 ¶ 1(d)(i) The vulnerability management procedures referred to in paragraph 1 shall: verify whether: ICT third-party service providers handle vulnerabilities related to the ICT services provided to the financial entity; Article 10 2 ¶ 1(c)(i)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [{vulnerability assessment} The vulnerability management procedures referred to in paragraph 1 shall: ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset; Article 10 2 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Perform vulnerability scans, as necessary. CC ID 11637 [{vulnerability assessment} {critical function} For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis. Article 10 2 ¶ 2 {vulnerability assessment} The vulnerability management procedures referred to in paragraph 1 shall: ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset; Article 10 2 ¶ 1(b)] | Technical Security | Detective | |
Conduct scanning activities in a test environment. CC ID 17036 | Testing | Preventive | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Testing | Detective | |
Identify and document security vulnerabilities. CC ID 11857 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions; Article 3 ¶ 1(b)(i) The vulnerability management procedures referred to in paragraph 1 shall: require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution. Article 10 2 ¶ 1(h) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i)] | Technical Security | Detective | |
Rank discovered vulnerabilities. CC ID 11940 | Investigate | Detective | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Technical Security | Preventive | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Technical Security | Detective | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Communicate | Preventive | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Records Management | Preventive | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Technical Security | Detective | |
Perform internal vulnerability scans, as necessary. CC ID 00656 [{vulnerability assessment} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: perform automated vulnerability scanning and assessments of ICT assets commensurate to their classification as referred to in Article 30(1) and to the overall risk profile of the ICT asset, and deploy patches to address identified vulnerabilities; Article 34 ¶ 1(d)] | Testing | Detective | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Technical Security | Detective | |
Implement scanning tools, as necessary. CC ID 14282 | Technical Security | Detective | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 | Configuration | Corrective | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Technical Security | Detective | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Technical Security | Detective | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Business Processes | Preventive | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Testing | Preventive | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Technical Security | Detective | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Behavior | Corrective | |
Perform vulnerability assessments, as necessary. CC ID 11828 [{vulnerability assessment} {critical function} For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis. Article 10 2 ¶ 2 The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: identify and analyse vulnerabilities and anomalies in the source code; Article 16 3(a) {vulnerability assessment} The vulnerability management procedures referred to in paragraph 1 shall: ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset; Article 10 2 ¶ 1(b) {vulnerability assessment} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: perform automated vulnerability scanning and assessments of ICT assets commensurate to their classification as referred to in Article 30(1) and to the overall risk profile of the ICT asset, and deploy patches to address identified vulnerabilities; Article 34 ¶ 1(d)] | Technical Security | Corrective | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Technical Security | Detective | |
Test the system for unvalidated input. CC ID 01318 | Testing | Detective | |
Test the system for proper error handling. CC ID 01324 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: Article 8 2 ¶ 1(c)] | Testing | Detective | |
Test the system for insecure data storage. CC ID 01325 | Testing | Detective | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Testing | Detective | |
Approve the vulnerability management program. CC ID 15722 | Process or Activity | Preventive | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Establish Roles | Preventive | |
Document and maintain test results. CC ID 17028 [The financial entities referred to in paragraph 1 shall monitor and evaluate the results of the security tests and update their security measures accordingly without undue delay in the case of ICT systems supporting critical or important functions. Article 36 3.] | Testing | Preventive | |
Include the pass or fail test status in the test results. CC ID 17106 | Establish/Maintain Documentation | Preventive | |
Include time information in the test results. CC ID 17105 | Establish/Maintain Documentation | Preventive | |
Include a description of the system tested in the test results. CC ID 17104 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 | Communicate | Preventive | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Configuration | Corrective | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 [The financial entities referred to in paragraph 1 shall monitor and evaluate the results of the security tests and update their security measures accordingly without undue delay in the case of ICT systems supporting critical or important functions. Article 36 3.] | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Technical Security | Corrective | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the availability, authenticity, integrity and confidentiality of data during network transmission, and the establishment of procedures to assess compliance with those requirements; Article 14 1(a)] | Establish/Maintain Documentation | Preventive | |
Correct compliance violations. CC ID 13515 | Process or Activity | Corrective | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: contain indicators and measures to: ensure that the digital operational resilience of the financial entity is ensured in case of exceptions as referred to in point (ii); Article 2 2(c)(iii)] | Establish/Maintain Documentation | Preventive | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: contain indicators and measures to: monitor the implementation of the ICT security policies, procedures, protocols, and tools; Article 2 2(c)(i)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created; Article 12 2 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Include transfer procedures in the log management program. CC ID 17077 | Establish/Maintain Documentation | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use; Article 12 2 ¶ 1(d) The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created; Article 12 2 ¶ 1(a)] | Log Management | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security reports. CC ID 16882 [{review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 41 2(a)(ii)] | Establish/Maintain Documentation | Preventive | |
Include data handling procedures in the security report. CC ID 16889 | Establish/Maintain Documentation | Preventive | |
Include a description of changes that have occurred in the security report. CC ID 16976 | Establish/Maintain Documentation | Preventive | |
Include the implemented controls in the security report. CC ID 16974 | Establish/Maintain Documentation | Preventive | |
Include a description of the computing environment in the security report. CC ID 16972 | Establish/Maintain Documentation | Preventive | |
Include corrective actions taken in the security report. CC ID 16967 | Establish/Maintain Documentation | Preventive | |
Include the inspection schedule in the security report. CC ID 16966 | Establish/Maintain Documentation | Preventive | |
Include audit reports in the security report. CC ID 16964 | Establish/Maintain Documentation | Preventive | |
Include third party certifications in the security report. CC ID 16960 | Establish/Maintain Documentation | Preventive | |
Include disclosures of restricted data in the security report. CC ID 16892 | Establish/Maintain Documentation | Preventive | |
Include re-disclosure agreements in the security report. CC ID 16895 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security report to interested personnel and affected parties. CC ID 16888 | Communicate | Preventive | |
Include a list of authorized personnel in the security report. CC ID 16887 | Establish/Maintain Documentation | Preventive | |
Include the uses of restricted data in the security report. CC ID 16886 | Establish/Maintain Documentation | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: an expected date for implementing the measures and dates related to the internal control of the implementation, including information on the state of progress of the implementation of those measures as at the date of drafting of the report, explaining, where applicable, if there is a risk that deadlines may not be respected; Article 27 2 ¶ 1(h)(ii)] | Establish/Maintain Documentation | Preventive | |
Provide intelligence support to the organization, as necessary. CC ID 14020 | Business Processes | Preventive | |
Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Technical Security | Preventive | |
Leverage cyber threat intelligence when employing Technical Surveillance Countermeasures. CC ID 12697 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity; Article 23 2 ¶ 1(a)(ii)] | Technical Security | Preventive | |
Evaluate cyber threat intelligence. CC ID 12747 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity; Article 23 2 ¶ 1(a)(ii)] | Process or Activity | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a business continuity policy. CC ID 12405 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the business continuity policy. CC ID 17203 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available; Article 24 1(b)(i)] | Systems Continuity | Preventive | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 [In addition to the requirements referred to in paragraph 1, central securities depositories shall ensure that their ICT business continuity policy: takes into account any links and interdependencies to users, critical utilities and critical service providers, other central securities depositories and other market infrastructures; Article 24 3(a)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the business continuity policy. CC ID 14231 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the scope of the ICT business continuity arrangements, plans, procedures, and mechanisms, including limitations and exclusions; Article 24 1(a)(ii) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the timeframe to be covered by the ICT business continuity arrangements, plans, procedures, and mechanisms; Article 24 1(a)(iii)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 | Establish/Maintain Documentation | Preventive | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 [The testing of business continuity plans referred to in paragraph 1 shall demonstrate that the financial entities referred to in that paragraph are able to sustain the viability of their businesses until critical operations are re-established and identify any deficiencies in those plans. Article 40 2.] | Establish/Maintain Documentation | Preventive | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: Article 25 2 ¶ 1 {continuity test} For the purposes of point (c), the testing shall verify whether at least critical or important functions can be operated appropriately for a sufficient period of time, and whether the normal functioning may be restored. Article 25 2 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Establish/Maintain Documentation | Preventive | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the scope of the ICT business continuity arrangements, plans, procedures, and mechanisms, including limitations and exclusions; Article 24 1(a)(ii)] | Establish/Maintain Documentation | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Records Management | Preventive | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 [{political issue} {social issue} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: political and social instability, including, where relevant, in the ICT third-party service provider's jurisdiction and the location where the data are stored and processed; Article 26 2(h)] | Establish/Maintain Documentation | Preventive | |
Include a pandemic plan in the continuity plan. CC ID 06800 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks; Article 26 2(f)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available; Article 24 1(b)(i) {response measure} {recovery measure} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554; Article 28 2(d)(ii)] | Establish Roles | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following: Article 24 1(b)(ii)] | Systems Continuity | Preventive | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks; Article 26 2(f)] | Monitor and Evaluate Occurrences | Detective | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account. Article 3 ¶ 1(f) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the objectives of the ICT business continuity policy, including the interrelation of ICT and overall business continuity, and considering the results of the business impact analysis (BIA) referred to in Article 11(5) of Regulation (EU) 2022/2554; Article 24 1(a)(i) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: Article 26 1 ¶ 1 The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks; Article 26 2(f) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop their ICT business continuity plans considering the results of the analysis of their exposures to and potential impact of severe business disruptions and scenarios to which their ICT assets supporting critical or important functions might be exposed, including a cyber-attack scenario. Article 39 1.] | Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 [The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions. Article 31 3.] | Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{response measure} {recovery measure} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554; Article 28 2(d)(ii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop their ICT business continuity plans considering the results of the analysis of their exposures to and potential impact of severe business disruptions and scenarios to which their ICT assets supporting critical or important functions might be exposed, including a cyber-attack scenario. Article 39 1. The ICT business continuity plans referred to in paragraph 1 shall: be approved by the management body of the financial entity; Article 39 2¶ 1(a) {be readily accessible} The ICT business continuity plans referred to in paragraph 1 shall: be documented and readily accessible in the event of an emergency or crisis; Article 39 2¶ 1(b) The ICT business continuity plans referred to in paragraph 1 shall: be updated in line with lessons learned from incidents, tests, new risks, and threats identified, changed recovery objectives, major changes to the financial entity's organisation, and to the ICT assets supporting critical or business functions. Article 39 2¶ 1(j)] | Establish/Maintain Documentation | Preventive | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the criteria to activate and deactivate ICT business continuity plans, ICT response and recovery plans, and crisis communications plans; Article 24 1(a)(iv) The ICT business continuity plans referred to in paragraph 1 shall: identify the conditions that may prompt the activation of the ICT business continuity plans and what actions are to be taken to ensure the availability, continuity, and recovery of the financial entities' ICT assets supporting critical or important functions; Article 39 2¶ 1(e)] | Systems Continuity | Corrective | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Communicate | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available; Article 24 1(b)(i)] | Human Resources Management | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Establish/Maintain Documentation | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: allocates and reviews at least once a year the budget necessary to fulfil the financial entity's digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff; Article 28 2(e) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available; Article 24 1(b)(i) The ICT business continuity plans referred to in paragraph 1 shall: allocate sufficient resources for their execution; Article 39 2¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 [{continuity arrangement} For the purposes of point (c)(i), arrangements referred to in that point shall address the availability of adequate human resources, the maximum downtime of critical functions, and fail over and recovery to a secondary site. Article 24 2 ¶ 3 {be unavailable} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: the non-availability of a critical number of staff or staff members in charge of guaranteeing the continuity of operations; Article 26 2(e)] | Human Resources Management | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Systems Continuity | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Configuration | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Establish/Maintain Documentation | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Systems Continuity | Corrective | |
Include tolerance levels in the continuity plan. CC ID 17305 | Systems Continuity | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [{disseminate and communicate} {response plan} {recovery plan} For the purposes of point (d), financial entities shall clearly specify roles and responsibilities. Article 26 1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [{response plan} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: Article 26 2. The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups, and redundant facilities; Article 26 2(a) The ICT business continuity plans referred to in paragraph 1 shall: be updated in line with lessons learned from incidents, tests, new risks, and threats identified, changed recovery objectives, major changes to the financial entity's organisation, and to the ICT assets supporting critical or business functions. Article 39 2¶ 1(j)] | Establish/Maintain Documentation | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Process or Activity | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Process or Activity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Establish/Maintain Documentation | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Establish/Maintain Documentation | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following: potential failure scenarios, including the scenarios referred to in Article 26(2) of this Regulation; Article 24 1(b)(ii)(1) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: provide for both short-term and long-term recovery options, including partial systems recovery; Article 26 1 ¶ 1(e) {response plan} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: Article 26 2. The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups, and redundant facilities; Article 26 2(a) Where the primary recovery measures may not be feasible in the short term because of costs, risks, logistics, or unforeseen circumstances, the ICT response and recovery plans referred to in paragraph 1 shall consider alternative options. Article 26 3. The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails, and duly consider the potential impact of the insolvency, or other failures, of any relevant ICT third-party service provider; Article 26 2(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop their ICT business continuity plans considering the results of the analysis of their exposures to and potential impact of severe business disruptions and scenarios to which their ICT assets supporting critical or important functions might be exposed, including a cyber-attack scenario. Article 39 1. The ICT business continuity plans referred to in paragraph 1 shall: consider alternative options where recovery may not be feasible in the short term because of costs, risks, logistics, or unforeseen circumstances; Article 39 2¶ 1(h)] | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Establish Roles | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Communicate | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the ICT business continuity requirements, including recovery time objectives and recovery point objectives; Article 4 2(b)(vi)] | Establish/Maintain Documentation | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on: Article 22 ¶ 1(b) {cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on: vulnerability management; Article 22 ¶ 1(b)(iii) {cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on: the detection of anomalous activities; Article 22 ¶ 1(b)(ii)] | Testing | Detective | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [{response plan} Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development, testing and review of ICT response and recovery plans, in accordance with Articles 25 and 26 of this Regulation; Article 24 1(b)(iv) {response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d) {response plan} {success} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: lay down the objectives of ICT response and recovery plans and the conditions to declare a successful execution of those plans. Article 26 1 ¶ 1(f)] | Establish/Maintain Documentation | Preventive | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Establish/Maintain Documentation | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Establish/Maintain Documentation | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Establish/Maintain Documentation | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the criteria to activate and deactivate ICT business continuity plans, ICT response and recovery plans, and crisis communications plans; Article 24 1(a)(iv) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: specify the conditions prompting their activation or deactivation, and any exceptions for such activation or deactivation; Article 26 1 ¶ 1(a) {detection process} {incident response process} Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554: indications that malicious activity may have been carried out in an ICT system or network, or that such ICT system or network may have been compromised; Article 23 5(a) {detection process} {incident response process} Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554: adverse impact detected on financial entity's transactions and operations; Article 23 5(c) {detection process} {incident response process} Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554: data losses detected in relation to the availability, authenticity, integrity, and confidentiality of data; Article 23 5(b) {detection process} {incident response process} Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554: ICT systems' and network unavailability. Article 23 5(d) {trigger} {detection process} {incident response process} For the purposes of paragraph 5, financial entities shall also consider the criticality of the services affected. Article 23 6.] | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
Test the recovery plan, as necessary. CC ID 13290 [{response plan} Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development, testing and review of ICT response and recovery plans, in accordance with Articles 25 and 26 of this Regulation; Article 24 1(b)(iv)] | Testing | Detective | |
Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 [{response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d)] | Communicate | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: backup and restore requirements of ICT systems; Article 8 2 ¶ 1(b)(i) {restoration measure} The ICT business continuity plans referred to in paragraph 1 shall: identify the restoration and recovery measures for critical or important business functions, supporting processes, information assets, and their interdependencies to avoid adverse effects on the functioning of the financial entities; Article 39 2 ¶ 1(f)] | Establish Roles | Preventive | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development of ICT business continuity plans for severe business disruptions as part of those plans, and the prioritisation of ICT business continuity actions using a risk-based approach; Article 24 1(b)(iii)] | Establish/Maintain Documentation | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 [When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity; Article 26 1 ¶ 1(b) {restoration measure} The ICT business continuity plans referred to in paragraph 1 shall: identify the restoration and recovery measures for critical or important business functions, supporting processes, information assets, and their interdependencies to avoid adverse effects on the functioning of the financial entities; Article 39 2 ¶ 1(f)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Systems Continuity | Preventive | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Communicate | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: substantial failure of ICT assets or of the communication infrastructure; Article 26 2(d) The ICT business continuity plans referred to in paragraph 1 shall: identify the conditions that may prompt the activation of the ICT business continuity plans and what actions are to be taken to ensure the availability, continuity, and recovery of the financial entities' ICT assets supporting critical or important functions; Article 39 2 ¶ 1(e)] | Establish/Maintain Documentation | Preventive | |
Include emergency operating procedures in the continuity plan. CC ID 11694 | Establish/Maintain Documentation | Preventive | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Establish/Maintain Documentation | Preventive | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Establish/Maintain Documentation | Preventive | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Establish/Maintain Documentation | Preventive | |
Include outages in the emergency operating procedures. CC ID 17129 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development of ICT business continuity plans for severe business disruptions as part of those plans, and the prioritisation of ICT business continuity actions using a risk-based approach; Article 24 1(b)(iii) {widespread interruption} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: widespread power outages. Article 26 2(i)] | Establish/Maintain Documentation | Preventive | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Establish/Maintain Documentation | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed. Article 30 1.] | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the ICT business continuity requirements, including recovery time objectives and recovery point objectives; Article 4 2(b)(vi) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity; Article 26 1 ¶ 1(b) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be designed to meet the recovery objectives of the operations of the financial entities; Article 26 1 ¶ 1(c) {recovery time objective} {recovery point objective} The ICT business continuity plans referred to in paragraph 1 shall: establish planned recovery levels and timeframes for the recovery and resumption of functions and key internal and external dependencies, including ICT third-party service providers; Article 39 2 ¶ 1(d)] | Systems Continuity | Preventive | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Configuration | Corrective | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the ICT business continuity requirements, including recovery time objectives and recovery point objectives; Article 4 2(b)(vi) {recovery time objective} In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: contains a maximum recovery time for their critical functions that is not longer than 2 hours; Article 24 2 ¶ 1(a) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following: recovery objectives, specifying that the financial entity shall be able to recover the operations of its critical or important functions after disruptions within a recovery time objective and a recovery point objective; Article 24 1(b)(ii)(2) In addition to the requirements referred to in paragraph 1, central securities depositories shall ensure that their ICT business continuity policy: requires its ICT business continuity arrangements to ensure that the recovery time objective for their critical or important functions shall not be longer than 2 hours. Article 24 3(b) In addition to the requirements referred to in paragraph 1, trading venues shall ensure that their ICT business continuity policy ensures that: trading can be resumed within or close to 2 hours of a disruptive incident; Article 24 4(a) {recovery time objective} {recovery point objective} The ICT business continuity plans referred to in paragraph 1 shall: establish planned recovery levels and timeframes for the recovery and resumption of functions and key internal and external dependencies, including ICT third-party service providers; Article 39 2 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Establish/Maintain Documentation | Preventive | |
Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 [In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: requires that arrangements are in place to: ensure the continuity of critical or important functions of the central counterparty based on disaster scenarios; Article 24 2 ¶ 1(c)(i)] | Establish/Maintain Documentation | Preventive | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Establish/Maintain Documentation | Preventive | |
Include telecommunications continuity procedures in the continuity plan. CC ID 11691 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: substantial failure of ICT assets or of the communication infrastructure; Article 26 2(d)] | Establish/Maintain Documentation | Preventive | |
Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails, and duly consider the potential impact of the insolvency, or other failures, of any relevant ICT third-party service provider; Article 26 2(b) As part of the ICT response and recovery plans referred to in paragraph 1, financial entities shall consider and implement continuity measures to mitigate failures of ICT third-party service providers of ICT services supporting critical or important functions of the financial entity. Article 26 4.] | Establish/Maintain Documentation | Detective | |
Designate an alternate facility in the continuity plan. CC ID 00742 [In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: requires that arrangements are in place to: consider the need for additional processing sites, in particular where the diversity of the risk profiles of the primary and secondary sites does not provide sufficient confidence that the central counterparty's business continuity objectives will be met in all scenarios. Article 24 2 ¶ 1(c)(iv)] | Establish/Maintain Documentation | Detective | |
Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 [{geographical risk factor} For the purposes of point (c)(ii), the secondary processing site referred to in that point shall have a geographical risk profile which is distinct from that of the primary site. Article 24 2 ¶ 4] | Physical and Environmental Protection | Preventive | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Establish/Maintain Documentation | Preventive | |
Include naming conventions in the backup policy. CC ID 16218 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: backup and restore requirements of ICT systems; Article 8 2 ¶ 1(b)(i) The ICT business continuity plans referred to in paragraph 1 shall: identify backup procedures and measures that specify the scope of the data that are subject to the backup, and the minimum frequency of the backup, based on the criticality of the function using those data; Article 39 2 ¶ 1(g)] | Systems Continuity | Preventive | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 | Communicate | Preventive | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Systems Continuity | Preventive | |
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 [{response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d)] | Systems Continuity | Preventive | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Data and Information Management | Preventive | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Data and Information Management | Preventive | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Data and Information Management | Preventive | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Data and Information Management | Preventive | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the criteria to activate and deactivate ICT business continuity plans, ICT response and recovery plans, and crisis communications plans; Article 24 1(a)(iv) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment of the ICT business continuity policy to: the communication policy referred to in Article 14(2) of Regulation (EU) 2022/2554; Article 24 1(b)(vi)(1) {communication protocol} {incident communication protocol} Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment of the ICT business continuity policy to: the communication and crisis communication actions referred to in Article 11(2), point (e), of Regulation (EU) 2022/2554. Article 24 1(b)(vi)(2) {communication protocol} The ICT business continuity plans referred to in paragraph 1 shall: specify the internal and external communication arrangements, including escalation plans; Article 39 2 ¶ 1(i)] | Establish/Maintain Documentation | Preventive | |
Review the beneficiaries of the insurance policy. CC ID 16563 | Business Processes | Detective | |
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Establish/Maintain Documentation | Detective | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 [{be readily accessible} The ICT business continuity plans referred to in paragraph 1 shall: be documented and readily accessible in the event of an emergency or crisis; Article 39 2 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 [{backup site} In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: requires that arrangements are in place to: maintain or have immediate access to a secondary business site, to allow staff to ensure continuity of the service if the primary location of business is not available; Article 24 2 ¶ 1(c)(iii) {continuity arrangement} For the purposes of point (c)(i), arrangements referred to in that point shall address the availability of adequate human resources, the maximum downtime of critical functions, and fail over and recovery to a secondary site. Article 24 2 ¶ 3 The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: partial or total failure of premises, including office and business premises, and data centres; Article 26 2(c)] | Systems Continuity | Preventive | |
Include alert processes in Service Level Agreements for alternate facilities. CC ID 17127 | Establish/Maintain Documentation | Preventive | |
Include monitoring and logging processes in Service Level Agreements for alternate facilities. CC ID 17126 | Establish/Maintain Documentation | Preventive | |
Include recovery time in Service Level Agreements for all alternate facilities. CC ID 16331 | Establish/Maintain Documentation | Preventive | |
Include priority-of-service provisions in Service Level Agreements for all alternate facilities. CC ID 16330 | Establish/Maintain Documentation | Preventive | |
Include backup media transportation in Service Level Agreements for alternate facilities. CC ID 16329 | Establish/Maintain Documentation | Preventive | |
Include transportation services in Service Level Agreements for alternate facilities. CC ID 16328 | Establish/Maintain Documentation | Preventive | |
Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395 [{backup site} {be identical} In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: requires that arrangements are in place to: maintain a secondary processing site capable of ensuring continuity of critical or important functions of the central counterparty identical to the primary site; Article 24 2 ¶ 1(c)(ii)] | Configuration | Preventive | |
Establish, implement, and maintain logical access controls at alternate facilities. CC ID 13227 | Technical Security | Preventive | |
Establish, implement, and maintain physical access controls for alternate facilities. CC ID 13226 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain physical security controls at the alternate facility. CC ID 17125 | Physical and Environmental Protection | Preventive | |
Notify the primary facilities of any changes at the alternate facilities that could affect the continuity plan. CC ID 13225 | Communicate | Preventive | |
Train personnel on the continuity plan. CC ID 00759 [{ICT third-party service provider} {assets} {digital operational resilience} For the purposes of point (k), financial entities shall consider the following: the need to ensure and maintain adequate competences within the financial entity in the management and security of the service used; Article 11 2 ¶ 3(c)] | Behavior | Preventive | |
Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 | Training | Preventive | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Training | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Training | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Training | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Training | Preventive | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Testing | Preventive | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuity test plan. CC ID 14876 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following: recovery objectives, specifying that the financial entity shall be able to recover the operations of its critical or important functions after disruptions within a recovery time objective and a recovery point objective; Article 24 1(b)(ii)(2) {redundant infrastructure} Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: for financial entities, other than microenterprises, as referred to in Article 11(6), second subparagraph, of Regulation (EU) 2022/2554, contain scenarios of switchover from primary ICT infrastructure to the redundant capacity, backups and redundant facilities; Article 25 2 ¶ 1(c) {continuity test} For the purposes of point (c), the testing shall verify whether at least critical or important functions can be operated appropriately for a sufficient period of time, and whether the normal functioning may be restored. Article 25 2 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans; Article 25 2 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
Include test scenarios in the continuity test plan. CC ID 13506 [For the purposes of point (a), financial entities shall always include in the testing the scenarios considered for the development of the business continuity plans. Article 25 2 ¶ 2 {continuity test} For the purposes of point (b), financial entities shall duly consider scenarios linked to insolvency or failures of the ICT third-party service providers or linked to political risks in the ICT third-party service providers' jurisdictions, where relevant. Article 25 2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include the risk assessment results in the continuity test plan. CC ID 17205 [When testing the ICT business continuity plans in accordance with Article 11(6), of Regulation (EU) 2022/2554, financial entities shall take into account the financial entity's business impact analysis (BIA) and the ICT risk assessment referred to in Article 3(1), point (b), of this Regulation. Article 25 1.] | Establish/Maintain Documentation | Preventive | |
Include the business impact analysis test results in the continuity test plan. CC ID 17204 [When testing the ICT business continuity plans in accordance with Article 11(6), of Regulation (EU) 2022/2554, financial entities shall take into account the financial entity's business impact analysis (BIA) and the ICT risk assessment referred to in Article 3(1), point (b), of this Regulation. Article 25 1.] | Establish/Maintain Documentation | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the review of the effectiveness of the implemented ICT business continuity arrangements, plans, procedures and mechanisms, in accordance with Article 26 of this Regulation; Article 24 1(b)(v) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall test their business continuity plans referred to in Article 39 of this Regulation, including the scenarios referred to in that Article, at least once every year for the back-up and restore procedures, or upon every major change of the business continuity plan. Article 40 1. The testing of business continuity plans referred to in paragraph 1 shall demonstrate that the financial entities referred to in that paragraph are able to sustain the viability of their businesses until critical operations are re-established and identify any deficiencies in those plans. Article 40 2.] | Testing | Detective | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans; Article 25 2 ¶ 1(d)] | Testing | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: contain the testing of ICT services provided by ICT third-party service providers, where applicable; Article 25 2 ¶ 1(b)] | Testing | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans; Article 25 2 ¶ 1(d)] | Testing | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: be performed on the basis of test scenarios that simulate potential disruptions, including an adequate set of severe but plausible scenarios; Article 25 2 ¶ 1(a) Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: contain procedures to verify the ability of the financial entities' staff, of ICT third-party service providers, of ICT systems, and ICT services to respond adequately to the scenarios duly taken into account in accordance with Article 26(2). Article 25 2 ¶ 1(e)] | Testing | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 [In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: takes into account external links and interdependencies within the financial infrastructures, including trading venues cleared by the central counterparty, securities settlement and payment systems, and credit institutions used by the central counterparty or a linked central counterparty; Article 24 2 ¶ 1(b)] | Testing | Detective | |
Test the continuity plan at the alternate facility. CC ID 01174 | Testing | Detective | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: critical utilities and critical service providers; Article 25 4(b) In addition to the requirements referred to in paragraph 2, central counterparties shall involve in the testing of their ICT business continuity plans referred to in paragraph 1: clearing members; Article 25 3(a) In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: users of the central securities depositories; Article 25 4(a) In addition to the requirements referred to in paragraph 2, central counterparties shall involve in the testing of their ICT business continuity plans referred to in paragraph 1: external providers; Article 25 3(b) In addition to the requirements referred to in paragraph 2, central counterparties shall involve in the testing of their ICT business continuity plans referred to in paragraph 1: relevant institutions in the financial infrastructure with which central counterparties have identified interdependencies in their business continuity policies. Article 25 3(c) In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: other central securities depositories; Article 25 4(c) In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: other market infrastructures; Article 25 4(d) In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: any other institutions with which central securities depositories have identified interdependencies in their business continuity policy. Article 25 4(e)] | Testing | Preventive | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [{continuity plan test} Financial entities shall document the results of the testing referred to in paragraph 1. Any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body. Article 25 5. The financial entities referred to in paragraph 1 shall document the results of the testing of business continuity plans and any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body. Article 40 3.] | Actionable Reports or Measurements | Preventive | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 [The financial entities referred to in paragraph 1 shall document the results of the testing of business continuity plans and any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body. Article 40 3. {continuity plan test} Financial entities shall document the results of the testing referred to in paragraph 1. Any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body. Article 25 5.] | Testing | Preventive | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Communicate | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Systems Continuity | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 [{capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the identification of capacity requirements of their ICT systems; Article 9 1(a) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify capacity requirements of their ICT assets and measures to maintain and improve the availability and efficiency of ICT systems and prevent ICT capacity shortages before they materialise; Article 34 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify capacity requirements of their ICT assets and measures to maintain and improve the availability and efficiency of ICT systems and prevent ICT capacity shortages before they materialise; Article 34 ¶ 1(c)] | Business Processes | Preventive | |
Establish, implement, and maintain workload forecasting tools. CC ID 00936 | Systems Design, Build, and Implementation | Preventive | |
Utilize resource capacity management controls. CC ID 00939 [{capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the application of resource optimisation; Article 9 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify capacity requirements of their ICT assets and measures to maintain and improve the availability and efficiency of ICT systems and prevent ICT capacity shortages before they materialise; Article 34 ¶ 1(c)] | Testing | Detective | |
Follow the resource workload schedule. CC ID 00941 | Business Processes | Detective | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [{governance, risk, and compliance framework} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk to achieve a high level of digital operational resilience. Article 28 1.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Establish/Maintain Documentation | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Establish/Maintain Documentation | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Communicate | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Establish/Maintain Documentation | Preventive | |
Conduct governance meetings, as necessary. CC ID 16946 | Process or Activity | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Communicate | Preventive | |
Include governance threshold requirements in the governance policy. CC ID 16933 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: Article 8 2 ¶ 1(b)] | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
Include cloud services in the internal control framework. CC ID 17262 | Establish/Maintain Documentation | Preventive | |
Include cloud security controls in the internal control framework. CC ID 17264 | Establish/Maintain Documentation | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 [The financial entities referred to in paragraph 1 shall set out alert thresholds and criteria to trigger and initiate ICT-related incident response processes. Article 31 4.] | Establish/Maintain Documentation | Preventive | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Process or Activity | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Establish/Maintain Documentation | Preventive | |
Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Establish/Maintain Documentation | Preventive | |
Include protection measures in the cybersecurity framework. CC ID 17278 | Establish/Maintain Documentation | Preventive | |
Include the scope in the cybersecurity framework. CC ID 17277 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: Article 2 1. The ICT security measures shall include all of the measures referred to in Articles 30 to 38. Article 29 2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include system development in the information security program. CC ID 12389 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: identify security practices and methodologies relating to the acquisition, development, and maintenance of ICT systems; Article 16 1(a)] | Establish/Maintain Documentation | Preventive | |
Include system maintenance in the information security program. CC ID 12388 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: identify security practices and methodologies relating to the acquisition, development, and maintenance of ICT systems; Article 16 1(a) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii)] | Establish/Maintain Documentation | Preventive | |
Include system acquisition in the information security program. CC ID 12387 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: identify security practices and methodologies relating to the acquisition, development, and maintenance of ICT systems; Article 16 1(a)] | Establish/Maintain Documentation | Preventive | |
Include access control in the information security program. CC ID 12386 [{access rights} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: a reference to the section of the policy on control of access management rights referred to in Article 21, first paragraph, point (g); Article 18 2 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Include operations management in the information security program. CC ID 12385 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT operations security; Article 1 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Communicate | Preventive | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Communicate | Preventive | |
Include risk management in the information security program. CC ID 12378 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT operations security; Article 1 ¶ 1(b) When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity's activities. Article 1 ¶ 1(e) Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: Article 2 1. When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 [{assess} The financial entities referred to in paragraph 1 shall review, asses and test ICT security measures, taking into consideration the overall risk profile of the ICT assets of the financial entity. Article 36 2.] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: consider leading practices and, where applicable, standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012; Article 2 2(h) Financial entities shall ensure that the ICT security policies referred to in paragraph 1: take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations. Article 2 2(k) Financial entities shall ensure that the ICT security policies referred to in paragraph 1: are reviewed in accordance with Article 6(5) of Regulation (EU) 2022/2554; Article 2 2(j) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1.] | Establish/Maintain Documentation | Preventive | |
Include data localization requirements in the information security policy. CC ID 16932 | Establish/Maintain Documentation | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: specify the responsibilities of staff at all levels to ensure the financial entity's ICT security; Article 2 2(d) {digital operational resilience} For the purposes of point (k), financial entities shall consider the following: a clear allocation of information security roles and responsibilities between the financial entity and the ICT third-party service provider, in accordance with the principle of full responsibility of the financial entity over its ICT third-party service provider referred to in Article 28(1), point (a), of Regulation (EU) 2022/2554, and for financial entities referred to in Article 28(2) of that Regulation, and in accordance with the financial entity's policy on the use of ICT services supporting critical or important functions; Article 11 2 ¶ 3 (b) Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: the identification and assignment of any specific ICT security responsibilities; Article 19 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations. Article 2 2(k)] | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: are aligned to the financial entity's information security objectives included in the digital operational resilience strategy referred to in Article 6(8) of Regulation (EU) 2022/2554; Article 2 2(a) The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: sets out information security objectives and ICT requirements; Article 28 2(c)] | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a data and system security procedure. Article 11 1.] | Business Processes | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: identify the roles and responsibilities for the development, implementation and maintenance of ICT security policies, procedures, protocols, and tools; Article 2 2(i)] | Human Resources Management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Communicate | Preventive | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Communicate | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations. Article 8 1.] | Establish/Maintain Documentation | Preventive | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Establish/Maintain Documentation | Preventive | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Establish/Maintain Documentation | Preventive | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Communicate | Preventive | |
Reissue operating instructions, as necessary. CC ID 17121 | Communicate | Preventive | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Establish/Maintain Documentation | Preventive | |
Update the congestion management actions in a timely manner. CC ID 17145 | Establish/Maintain Documentation | Preventive | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Process or Activity | Preventive | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Process or Activity | Preventive | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Establish/Maintain Documentation | Preventive | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Communicate | Detective | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Communicate | Preventive | |
Include continuous monitoring in the operational control procedures. CC ID 17137 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: Article 8 2 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Communicate | Preventive | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Establish/Maintain Documentation | Preventive | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Business Processes | Preventive | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Behavior | Detective | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Process or Activity | Preventive | |
Coordinate outages with affected parties. CC ID 17160 | Process or Activity | Preventive | |
Coordinate energy resource management with affected parties. CC ID 17150 | Process or Activity | Preventive | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Process or Activity | Preventive | |
Coordinate energy shortages with affected parties. CC ID 17148 | Process or Activity | Preventive | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 | Establish/Maintain Documentation | Preventive | |
Include alternative actions in the operational control procedures. CC ID 17096 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Approve or deny requests in a timely manner. CC ID 17095 | Process or Activity | Preventive | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Business Processes | Preventive | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Communicate | Preventive | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Communicate | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations. Article 8 1.] | Establish/Maintain Documentation | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Establish/Maintain Documentation | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include resources in the standard operating procedures manual. CC ID 17212 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: scheduling requirements, taking into consideration interdependencies among the ICT systems; Article 8 2 ¶ 1(b)(ii)] | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 [{personally owned device} The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the implementation of security measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the ICT security of the financial entity; Article 11 2 ¶ 1(j) {employee-owned device} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the financial entity's ability to carry out its critical activities in an adequate, timely, and secure manner. Article 35 ¶ 1(g)] | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding the management of information assets used by ICT assets, including their processing and handling, both automated and manual; Article 8 2 ¶ 1(a)(ii)] | Establish/Maintain Documentation | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 [{residual risk} The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: the requirement to use removable data storage devices only where the residual ICT risk remains within the financial entity's risk tolerance level referred to in Article 3, first subparagraph, point (a); Article 11 2 ¶ 1(f)(iii)] | Data and Information Management | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification of security measures to ensure that only authorised data storage media, systems, and endpoint devices are used to transfer and store data of the financial entity; Article 11 2 ¶ 1(e)] | Establish/Maintain Documentation | Preventive | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Establish/Maintain Documentation | Preventive | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Establish/Maintain Documentation | Preventive | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Communicate | Preventive | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Business Processes | Preventive | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Data and Information Management | Preventive | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Establish/Maintain Documentation | Preventive | |
Include content requirements in the e-mail policy. CC ID 17041 | Establish/Maintain Documentation | Preventive | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Establish/Maintain Documentation | Preventive | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Include message format requirements in the e-mail policy. CC ID 17038 | Establish/Maintain Documentation | Preventive | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Communicate | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [{nondisclosure agreement} As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: that requirements on confidentiality or non-disclosure arrangements reflecting the financial entity's needs for the protection of information for both the staff of the financial entity and of third parties are implemented, documented, and regularly reviewed. Article 14 1(c)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: specify the consequences of non-compliance by staff of the financial entity with the ICT security policies, where provisions to that effect are not laid down in other policies of the financial entity; Article 2 2(e)] | Process or Activity | Corrective | |
Review systems for compliance with organizational information security policies. CC ID 12004 [{assess} The financial entities referred to in paragraph 1 shall review, assess and test ICT security measures, taking into consideration the overall risk profile of the ICT assets of the financial entity. Article 36 2.] | Business Processes | Preventive | |
Establish, implement, and maintain system administration procedures. CC ID 16481 [For the purposes of point (e)(ii), financial entities shall, where possible, use dedicated accounts for the performance of administrative tasks on ICT systems. Where feasible and appropriate, financial entities shall deploy automated solutions for the privilege access management. Article 21 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Business Processes | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on management of ICT assets. Article 4 1.] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Business Processes | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 [Financial entities shall develop, document, and implement a procedure for the management of ICT assets. Article 5 1. The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding the management of information assets used by ICT assets, including their processing and handling, both automated and manual; Article 8 2 ¶ 1(a)(ii) {legacy system} The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding the identification and control of legacy ICT systems; Article 8 2 ¶ 1(a)(iii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: monitor and manage the lifecycle of all ICT assets; Article 34 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Include installation requirements in the asset management program. CC ID 17195 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; Article 8 2 ¶ 1(a)(i)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 [As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed. Article 30 1. The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies; Article 28 2(d)(i)] | Establish/Maintain Documentation | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Systems Design, Build, and Implementation | Preventive | |
Define confidentiality controls. CC ID 01908 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c) The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance; Article 18 2 ¶ 1(d) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1 The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions; Article 35 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Establish/Maintain Documentation | Preventive | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 [{continuity arrangement} For the purposes of point (c)(i), arrangements referred to in that point shall address the availability of adequate human resources, the maximum downtime of critical functions, and fail over and recovery to a secondary site. Article 24 2 ¶ 3] | Process or Activity | Preventive | |
Define integrity controls. CC ID 01909 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c) The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance; Article 18 2 ¶ 1(d) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity; Article 26 1 ¶ 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Define availability controls. CC ID 01911 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c) The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance; Article 18 2 ¶ 1(d) {capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the monitoring procedures for maintaining and improving: the availability of data and ICT systems; Article 9 1(c)(i) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity; Article 26 1 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Communicate | Preventive | |
Classify assets according to the Asset Classification Policy. CC ID 07186 [As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed. Article 30 1. The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2554; Article 4 2(b)(iii)] | Establish Roles | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Business Processes | Preventive | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 [Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment. Article 7 2. The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: identifies and implements procedures, ICT protocols, and tools that are necessary to protect all information assets and ICT assets; Article 28 2(g) {unsupported asset} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: manage the risks related to outdated, unsupported, or legacy ICT assets; Article 34 ¶ 1(e)] | Establish Roles | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [{storage device} {critical function} {keep up to date} Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date. Article 7 4.] | Business Processes | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: Article 8 2 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 [{storage device} {critical function} {keep up to date} Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date. Article 7 4.] | Establish/Maintain Documentation | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Technical Security | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the unique identifier of each ICT asset; Article 4 2(b)(i)] | Data and Information Management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Establish/Maintain Documentation | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Data and Information Management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Data and Information Management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Establish/Maintain Documentation | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Records Management | Preventive | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Establish/Maintain Documentation | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Establish/Maintain Documentation | Preventive | |
Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the links and interdependencies among ICT assets and the business functions using each ICT asset; Article 4 2(b)(viii)] | Data and Information Management | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Establish/Maintain Documentation | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Establish/Maintain Documentation | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Establish/Maintain Documentation | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Establish/Maintain Documentation | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 [{legacy system} The policy on management of ICT assets referred to in paragraph 1 shall: for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554. Article 4 2(c)] | Establish/Maintain Documentation | Preventive | |
Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: where applicable, for all ICT assets, the end dates of the ICT third-party service provider's regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider; Article 4 2(b)(ix)] | Data and Information Management | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Establish/Maintain Documentation | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Establish/Maintain Documentation | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Establish/Maintain Documentation | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Establish/Maintain Documentation | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Data and Information Management | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Establish/Maintain Documentation | Preventive | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the business functions or services supported by the ICT asset; Article 4 2(b)(v)] | Establish/Maintain Documentation | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 [{storage device} {critical function} {keep up to date} Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date. Article 7 4.] | Data and Information Management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Data and Information Management | Preventive | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the identity of ICT asset owners; Article 4 2(b)(iv)] | Establish/Maintain Documentation | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity; Article 35 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Prevent users from disabling required software. CC ID 16417 | Technical Security | Preventive | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: a process to securely dispose of, or decommission, data storage devices on premises, or data storage devices that are stored externally, that contain confidential information; Article 35 ¶ 1(f)] | Data and Information Management | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity's ICT systems. Article 15 2.] | Establish/Maintain Documentation | Preventive | |
Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Maintenance | Preventive | |
Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Maintenance | Preventive | |
Include roles and responsibilities in the maintenance report. CC ID 17086 | Maintenance | Preventive | |
Include the date and time of maintenance in the maintenance report. CC ID 17085 | Maintenance | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: Article 16 1.] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; Article 8 2 ¶ 1(a)(i) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii)] | Establish/Maintain Documentation | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Establish/Maintain Documentation | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Communicate | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: Article 37 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Communicate | Preventive | |
Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Establish/Maintain Documentation | Preventive | |
Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Communicate | Preventive | |
Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Process or Activity | Preventive | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Business Processes | Preventive | |
Log the performance of all remote maintenance. CC ID 13202 | Log Management | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Maintenance | Preventive | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Maintenance | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Maintenance | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Maintenance | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Maintenance | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Human Resources Management | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Process or Activity | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Establish, implement, and maintain an incident management policy. CC ID 16414 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: Article 22 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Communicate | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [The financial entities referred to in paragraph 1 shall set out alert thresholds and criteria to trigger and initiate ICT-related incident response processes. Article 31 4.] | Establish/Maintain Documentation | Preventive | |
Identify root causes of incidents that force system changes. CC ID 13482 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish and implement mechanisms to analyse significant or recurring ICT-related incidents and patterns in the number and the occurrence of ICT-related incidents. Article 22 ¶ 1(e)] | Investigate | Detective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [{internal factor} The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity; Article 23 2 ¶ 1(a)(i)] | Process or Activity | Corrective | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 [{internal factor} The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity; Article 23 2 ¶ 1(a)(i)] | Monitor and Evaluate Occurrences | Corrective | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify and implement measures to monitor and analyse information on anomalous activities and behaviour for critical or important ICT operations; Article 34 ¶ 1(g)] | Establish/Maintain Documentation | Preventive | |
Include incident management procedures in the Incident Management program. CC ID 12689 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: document the ICT-related incident management process referred to in Article 17 of Regulation (EU) 2022/2554; Article 22 ¶ 1(a) {cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish, implement, and operate technical, organisational, and operational mechanisms to support the ICT-related incident management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours in accordance with Article 23 of this Regulation; Article 22 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Establish/Maintain Documentation | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually. Article 23 2 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Log Management | Preventive | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Log Management | Preventive | |
Include corrective actions in the incident management audit log. CC ID 16466 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
Analyze and respond to security alerts. CC ID 12504 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: prioritise the alerts referred to in point (b) to allow for the management of the detected ICT-related incidents within the expected resolution time, as specified by financial entities, both during and outside working hours; Article 23 2 ¶ 1(c)] | Business Processes | Detective | |
Establish, implement, and maintain an incident response plan. CC ID 12056 [{response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d) {response plan} {success} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: lay down the objectives of ICT response and recovery plans and the conditions to declare a successful execution of those plans. Article 26 1 ¶ 1(f)] | Establish/Maintain Documentation | Preventive | |
Include addressing external communications in the incident response plan. CC ID 13351 | Establish/Maintain Documentation | Preventive | |
Include addressing internal communications in the incident response plan. CC ID 13350 | Establish/Maintain Documentation | Preventive | |
Include change control procedures in the incident response plan. CC ID 15479 | Establish/Maintain Documentation | Preventive | |
Include addressing information sharing in the incident response plan. CC ID 13349 | Establish/Maintain Documentation | Preventive | |
Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Establish/Maintain Documentation | Preventive | |
Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Establish/Maintain Documentation | Preventive | |
Include the management support needed for incident response in the incident response plan. CC ID 14300 | Establish/Maintain Documentation | Preventive | |
Include root cause analysis in the incident response plan. CC ID 16423 | Establish/Maintain Documentation | Preventive | |
Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Establish/Maintain Documentation | Preventive | |
Include the resources needed for incident response in the incident response plan. CC ID 14292 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 [{response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d)] | Communicate | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [Financial entities shall set clear roles and responsibilities to effectively detect and respond to ICT-related incidents and anomalous activities. Article 23 1.] | Establish Roles | Preventive | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 [{response measure} {recovery measure} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554; Article 28 2(d)(ii)] | Establish/Maintain Documentation | Preventive | |
Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on: the detection and monitoring of cyber threats; Article 22 ¶ 1(b)(i)] | Establish/Maintain Documentation | Preventive | |
Include log management procedures in the incident response program. CC ID 17081 [{internal factor} The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity; Article 23 2 ¶ 1(a)(i)] | Establish/Maintain Documentation | Preventive | |
Prepare for incident response notifications. CC ID 00584 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: ICT-related incident notification from an ICT third-party service provider of the financial entity detected in the ICT systems and networks of the ICT third-party service provider and that may affect the financial entity; Article 23 2 ¶ 1(a)(iii)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an incident response policy. CC ID 14024 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the incident response policy. CC ID 14105 [{disseminate and communicate} {response plan} {recovery plan} For the purposes of point (d), financial entities shall clearly specify roles and responsibilities. Article 26 1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption. Article 8 2 ¶ 1(c)(iii)] | Technical Security | Corrective | |
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Establish/Maintain Documentation | Preventive | |
Retain collected evidence for potential future legal actions. CC ID 01235 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: retain all evidence relating to ICT-related incidents for a period that shall be no longer than necessary for the purposes for which the data are collected, commensurate with the criticality of the affected business functions, supporting processes, and ICT and information assets, in accordance with Article 15 of Commission Delegated Regulation (EU) 2024/1772 (12) and with any applicable retention requirement pursuant to Union law; Article 22 ¶ 1(d)] | Records Management | Preventive | |
Protect devices containing digital forensic evidence during transport. CC ID 08687 [{data at rest} Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. Article 23 3.] | Investigate | Detective | |
Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 [{data at rest} Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. Article 23 3.] | Investigate | Detective | |
Include time information in the chain of custody. CC ID 17068 | Log Management | Preventive | |
Include actions performed on evidence in the chain of custody. CC ID 17067 | Log Management | Preventive | |
Include individuals who had custody of evidence in the chain of custody. CC ID 17066 | Log Management | Preventive | |
Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 [{ICT-related incident} For the purposes of point (d), financial entities shall retain the evidence referred to in that point in a secure manner. Article 22 ¶ 2 {data at rest} Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. Article 23 3.] | Records Management | Preventive | |
Secure devices containing digital forensic evidence. CC ID 08681 [{data at rest} Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. Article 23 3.] | Investigate | Detective | |
Test the incident response procedures. CC ID 01216 [{response plan} Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development, testing and review of ICT response and recovery plans, in accordance with Articles 25 and 26 of this Regulation; Article 24 1(b)(iv)] | Testing | Detective | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 [{capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the monitoring procedures for maintaining and improving: the prevention of ICT capacity shortages. Article 9 1(c)(iii)] | Establish/Maintain Documentation | Preventive | |
Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: for network services agreements: the identification and specification of ICT and information security measures, service levels, and management requirements of all network services; Article 13 ¶ 1(m)(i)] | Establish/Maintain Documentation | Preventive | |
Include the management requirements for network services in the Service Level Agreement. CC ID 12025 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: for network services agreements: the identification and specification of ICT and information security measures, service levels, and management requirements of all network services; Article 13 ¶ 1(m)(i)] | Establish/Maintain Documentation | Preventive | |
Include the service levels for network services in the Service Level Agreement. CC ID 12024 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: for network services agreements: the identification and specification of ICT and information security measures, service levels, and management requirements of all network services; Article 13 ¶ 1(m)(i)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 [{project management} When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT project and change management; Article 1 ¶ 1(d) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2. The ICT project management policy referred to in paragraph 1 shall contain all of the following: change management requirements; Article 15 3(f)] | Establish/Maintain Documentation | Preventive | |
Include version control in the change control program. CC ID 13119 | Establish/Maintain Documentation | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption. Article 8 2 ¶ 1(c)(iii)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the identification of fall-back procedures and responsibilities, including procedures and responsibilities for aborting changes or recovering from changes not successfully implemented; Article 17 1(e)] | Establish/Maintain Documentation | Preventive | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a verification of whether the ICT security requirements have been met; Article 17 1(a) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the identification of the potential impact of a change on existing ICT security measures and an assessment of whether such change requires the adoption of additional ICT security measures. Article 17 1(h) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the documentation and communication of change details, including: the expected outcomes; Article 17 1(d)(iii)] | Establish/Maintain Documentation | Preventive | |
Document all change requests in change request forms. CC ID 06794 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: mechanisms to ensure the independence of the functions that approve changes and the functions responsible for requesting and implementing those changes; Article 17 1(b) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: changes are specified and planned; Article 17 1(c)(i) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Establish/Maintain Documentation | Preventive | |
Test proposed changes prior to their approval. CC ID 00548 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: the changes are tested and finalised in a controlled manner; Article 17 1(c)(iii) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Testing | Detective | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 [The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Business Processes | Detective | |
Approve tested change requests. CC ID 11783 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches; Article 17 1(g) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Data and Information Management | Preventive | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the documentation and communication of change details, including: Article 17 1(d) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the documentation and communication of change details, including: the purpose and scope of the change; Article 17 1(d)(i) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the documentation and communication of change details, including: the timeline for the implementation of the change; Article 17 1(d)(ii)] | Behavior | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 [The patch management procedures referred to in paragraph 3 shall: identify emergency procedures for the patching and updating of ICT assets; Article 10 4(b) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: procedures, protocols, and tools to manage emergency changes that provide adequate safeguards; Article 17 1(f)] | Establish/Maintain Documentation | Preventive | |
Perform emergency changes, as necessary. CC ID 12707 | Process or Activity | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Process or Activity | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches; Article 17 1(g)] | Establish/Maintain Documentation | Preventive | |
Perform risk assessments prior to approving change requests. CC ID 00888 [{project management} When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT project and change management; Article 1 ¶ 1 (d)] | Testing | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Process or Activity | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Investigate | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Investigate | Detective | |
Implement changes according to the change control program. CC ID 11776 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: an adequate transition is designed; Article 17 1(c)(ii) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: the changes are tested and finalised in a controlled manner; Article 17 1(c)(iii) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Business Processes | Preventive | |
Establish, implement, and maintain a transition strategy. CC ID 17049 | Establish/Maintain Documentation | Preventive | |
Include monitoring requirements in the transition strategy. CC ID 17290 | Establish/Maintain Documentation | Preventive | |
Include resources in the transition strategy. CC ID 17289 | Establish/Maintain Documentation | Preventive | |
Include time requirements in the transition strategy. CC ID 17288 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Process or Activity | Preventive | |
Document the sources of all software updates. CC ID 13316 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document and implement patch management procedures. Article 10 3. The patch management procedures referred to in paragraph 3 shall: to the extent possible identify and evaluate available software and hardware patches and updates using automated tools; Article 10 4(a)] | Establish/Maintain Documentation | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Technical Security | Detective | |
Perform a patch test prior to deploying a patch. CC ID 00898 [The patch management procedures referred to in paragraph 3 shall: test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii); Article 10 4(c)] | Testing | Detective | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 [The vulnerability management procedures referred to in paragraph 1 shall: prioritise the deployment of patches and other mitigation measures to address the vulnerabilities identified; Article 10 2 ¶ 1(f) {prioritization} {patch} {mitigation measure} For the purposes of point (f), financial entities shall consider the criticality of the vulnerability, the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the ICT assets affected by the identified vulnerabilities. Article 10 2 ¶ 5 The patch management procedures referred to in paragraph 3 shall: set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met. Article 10 4(d) {vulnerability assessment} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: perform automated vulnerability scanning and assessments of ICT assets commensurate to their classification as referred to in Article 30(1) and to the overall risk profile of the ICT asset, and deploy patches to address identified vulnerabilities; Article 34 ¶ 1(d)] | Business Processes | Preventive | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Testing | Detective | |
Patch the operating system, as necessary. CC ID 11824 | Technical Security | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Configuration | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Configuration | Corrective | |
Review changes to computer firmware. CC ID 12226 | Testing | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Testing | Detective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification of security measures to ensure that only authorised software is installed in ICT systems and endpoint devices; Article 11 2 ¶ 1(c)] | Technical Security | Detective | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Systems Design, Build, and Implementation | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: identify measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during development and implementation in the production environment. Article 37 ¶ 1(c)] | Business Processes | Corrective | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 [The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Establish/Maintain Documentation | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 [After having made significant changes to their ICT systems, central counterparties and central securities depositories shall submit their ICT systems to stringent testing by simulating stressed conditions. Article 17 2 ¶ 1 The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Testing | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: there is an effective quality assurance; Article 17 1(c)(iv) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches; Article 17 1(g)] | Testing | Detective | |
Establish, implement, and maintain a configuration change log. CC ID 08710 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management; Article 34 ¶ 1(f)] | Configuration | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall specify, document, and implement a physical and environmental security policy. Financial entities shall design that policy in light of the cyber threat landscape, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and in light of the overall risk profile of ICT assets and accessible information assets. Article 18 1.] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the physical and environmental protection policy. CC ID 14174 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the physical and environmental protection policy. CC ID 14173 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the physical and environmental protection policy. CC ID 14172 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the physical and environmental protection policy. CC ID 14171 | Establish/Maintain Documentation | Preventive | |
Include the scope in the physical and environmental protection policy. CC ID 14170 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the physical and environmental protection policy to interested personnel and affected parties. CC ID 14169 | Communicate | Preventive | |
Include the purpose in the physical and environmental protection policy. CC ID 14168 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 [For the purposes of point (b), the measures to protect from environmental threats and hazards shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein. Article 18 2 ¶ 2 The protection from environmental threats and hazards shall be commensurate with the importance of the premises concerned and, where applicable, the data centres and the criticality of the operations or ICT systems located therein. Article 32 3.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 | Communicate | Preventive | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical security procedures. CC ID 13076 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: Article 21 ¶ 1(g) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall identify and implement physical security measures designed on the basis of the threat landscape and in accordance with the classification referred to in Article 30(1) of this Regulation, the overall risk profile of ICT assets, and accessible information assets. Article 32 1.] | Establish/Maintain Documentation | Preventive | |
Report damaged property to interested personnel and affected parties. CC ID 13702 | Communicate | Corrective | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside; Article 18 2 ¶ 1(b) {physical security measures} The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards. Article 32 2.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 [{closing procedure} For the purposes of point (a), central counterparties shall complete end of day procedures and payments on the required time and day in all circumstances. Article 24 2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Establish/Maintain Documentation | Preventive | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Behavior | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Establish/Maintain Documentation | Preventive | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Technical Security | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Establish/Maintain Documentation | Preventive | |
Create security zones in facilities, as necessary. CC ID 16295 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside; Article 18 2 ¶ 1(b)] | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Establish/Maintain Documentation | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Establish/Maintain Documentation | Preventive | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Communicate | Preventive | |
Detect anomalies in physical barriers. CC ID 13533 | Investigate | Detective | |
Control physical access to (and within) the facility. CC ID 01329 [{critical asset} {ad hoc access} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the granting of physical access rights to critical ICT assets to authorised persons only, in accordance with the need-to-know and least privilege principles, and on an ad-hoc basis; Article 21 ¶ 1(g)(ii)] | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain physical access procedures. CC ID 13629 [{logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: Article 33 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and Environmental Protection | Preventive | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the identification and logging of natural persons that are authorised to access premises, data centres, and sensitive designated areas identified by the financial entity where ICT and information assets reside; Article 21 ¶ 1(g)(i) {critical asset} {ad hoc access} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the granting of physical access rights to critical ICT assets to authorised persons only, in accordance with the need-to-know and least privilege principles, and on an ad-hoc basis; Article 21 ¶ 1(g)(ii) {not be necessary} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the review of physical access rights to ensure that unnecessary access rights are promptly revoked. Article 21 ¶ 1(g)(iv) {physical access} For the purposes of point (g)(i), the identification and logging shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein. Article 21 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Log the individual's address in the facility access list. CC ID 16921 | Log Management | Preventive | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Log Management | Preventive | |
Log the organization's name in the facility access list. CC ID 16919 | Log Management | Preventive | |
Log the individual's name in the facility access list. CC ID 16918 | Log Management | Preventive | |
Log the purpose in the facility access list. CC ID 16982 | Log Management | Preventive | |
Log the level of access in the facility access list. CC ID 16975 | Log Management | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Human Resources Management | Preventive | |
Implement physical identification processes. CC ID 13715 | Process or Activity | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Process or Activity | Preventive | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Establish/Maintain Documentation | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Establish/Maintain Documentation | Corrective | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and Environmental Protection | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Human Resources Management | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and Environmental Protection | Preventive | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Establish/Maintain Documentation | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Business Processes | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Establish/Maintain Documentation | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and Environmental Protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and Environmental Protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and Environmental Protection | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Human Resources Management | Preventive | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Business Processes | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Establish/Maintain Documentation | Preventive | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Process or Activity | Preventive | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Establish/Maintain Documentation | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and Environmental Protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside; Article 18 2 ¶ 1(b) {physical security measures} The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards. Article 32 2.] | Physical and Environmental Protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and Environmental Protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and Environmental Protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and Environmental Protection | Detective | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Communicate | Preventive | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the monitoring of physical access to premises, data centres, and sensitive designated areas identified by the financial entity where ICT and information assets or both reside; Article 21 ¶ 1(g)(iii) {physical access} For the purposes of point (g)(iii), the monitoring shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the criticality of the area accessed. Article 21 ¶ 5] | Monitor and Evaluate Occurrences | Detective | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Log Management | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Establish/Maintain Documentation | Preventive | |
Record the date and time of departure in the visitor log. CC ID 16897 | Log Management | Preventive | |
Record the type of identification used in the visitor log. CC ID 16916 | Log Management | Preventive | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Investigate | Detective | |
Establish, implement, and maintain a physical access log. CC ID 12080 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the identification and logging of natural persons that are authorised to access premises, data centres, and sensitive designated areas identified by the financial entity where ICT and information assets reside; Article 21 ¶ 1(g)(i) {physical access} For the purposes of point (g)(i), the identification and logging shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein. Article 21 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Log when the cabinet is accessed. CC ID 11674 | Log Management | Detective | |
Log the exit of a staff member from a facility or designated rooms within the facility. CC ID 11675 | Monitor and Evaluate Occurrences | Preventive | |
Include the requestor's name in the physical access log. CC ID 16922 | Log Management | Preventive | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [{unattended equipment} For the purposes of point (c), the physical and environmental security policy referred to in paragraph 1 shall contain measures to provide appropriate protection to unattended ICT assets. Article 18 2 ¶ 3] | Physical and Environmental Protection | Preventive | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Log Management | Preventive | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Technical Security | Preventive | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the media protection policy. CC ID 14185 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the media protection policy. CC ID 14182 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Establish/Maintain Documentation | Preventive | |
Include the scope in the media protection policy. CC ID 14167 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the media protection policy. CC ID 14166 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Communicate | Preventive | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Communicate | Preventive | |
Treat archive media as evidence. CC ID 00960 | Records Management | Preventive | |
Protect distributed assets against theft. CC ID 06799 | Physical and Environmental Protection | Preventive | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; Article 8 2 ¶ 1(a)(i) The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the process to securely dispose or decommission of data storage devices present on premises of the financial entity or stored externally containing confidential information; Article 11 2 ¶ 1(h)] | Establish/Maintain Documentation | Preventive | |
Obtain management approval prior to decommissioning assets. CC ID 17269 | Business Processes | Preventive | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Log Management | Preventive | |
Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 [{on-site physical control} {off-site physical control} {on-site logical control} {off-site logical control} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets; Article 18 2 ¶ 1(c)] | Technical Security | Preventive | |
Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 [{on-site physical control} {off-site physical control} {on-site logical control} {off-site logical control} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets; Article 18 2 ¶ 1(c)] | Technical Security | Preventive | |
Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 [{on-site physical control} {off-site physical control} {on-site logical control} {off-site logical control} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets; Article 18 2 ¶ 1(c)] | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 [{on-site physical control} {off-site physical control} {on-site logical control} {off-site logical control} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets; Article 18 2 ¶ 1(c)] | Physical and Environmental Protection | Preventive | |
Monitor the location of distributed assets. CC ID 11684 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: information on the location, either physical or logical, of all ICT assets; Article 4 2(b)(ii)] | Monitor and Evaluate Occurrences | Detective | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Technical Security | Corrective | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: the requirement to use a management solution to remotely manage the endpoint devices and remotely wipe the financial entity's data; Article 11 2 ¶ 1(f)(i)] | Process or Activity | Corrective | |
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity; Article 35 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Data and Information Management | Preventive | |
Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Communicate | Preventive | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Communicate | Preventive | |
Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Establish/Maintain Documentation | Preventive | |
Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Process or Activity | Preventive | |
Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Establish/Maintain Documentation | Preventive | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Business Processes | Preventive | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and Environmental Protection | Preventive | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Data and Information Management | Preventive | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Process or Activity | Corrective | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to: for the staff, to return to the financial entity, upon termination of employment, all ICT assets and tangible information assets in their possession that belong to the financial entity. Article 19 ¶ 1(b)(iii)] | Behavior | Preventive | |
Establish, implement, and maintain a clean desk policy. CC ID 06534 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: a clear desk policy for papers; Article 18 2 ¶ 1(e)(i)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a clear screen policy. CC ID 12436 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: a clear screen policy for information processing facilities. Article 18 2 ¶ 1(e)(ii)] | Technical Security | Preventive | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and Environmental Protection | Preventive | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and Environmental Protection | Preventive | |
Employ environmental protections. CC ID 12570 [For the purposes of point (b), the measures to protect from environmental threats and hazards shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein. Article 18 2 ¶ 2 {physical security measures} The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards. Article 32 2.] | Process or Activity | Preventive | |
Establish, implement, and maintain geomagnetic disturbance operating procedures. CC ID 17158 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the geomagnetic disturbance operating plan. CC ID 17157 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a geomagnetic disturbance operating plan. CC ID 17156 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate space weather information to interested personnel and affected parties. CC ID 17155 | Communicate | Preventive | |
Include roles and responsibilities in the geomagnetic disturbance operating procedures. CC ID 17154 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a cold weather preparedness plan. CC ID 17131 | Establish/Maintain Documentation | Preventive | |
Include design specifications for applicable assets in the cold weather preparedness plan. CC ID 17144 | Establish/Maintain Documentation | Preventive | |
Include limitations in the cold weather preparedness plan. CC ID 17143 | Establish/Maintain Documentation | Preventive | |
Include performance data in the cold weather preparedness plan. CC ID 17142 | Establish/Maintain Documentation | Preventive | |
Include maintenance requirements in the cold weather preparedness plan. CC ID 17141 | Establish/Maintain Documentation | Preventive | |
Include freeze protection measures in the cold weather preparedness plan. CC ID 17140 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 | Physical and Environmental Protection | Preventive | |
Alert appropriate personnel when an environmental control alert threshold is exceeded. CC ID 17268 | Communicate | Preventive | |
Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: Article 18 2 ¶ 1(e) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1.] | Establish/Maintain Documentation | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Technical Security | Preventive | |
Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
Limit data leakage. CC ID 00356 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification and implementation of security measures to prevent data loss and leakage for systems and endpoint devices; Article 11 2 ¶ 1(i)] | Data and Information Management | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 [As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the prevention and detection of data leakages and the secure transfer of information between the financial entity and external parties; Article 14 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i)] | Process or Activity | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
Take appropriate action when a data leakage is discovered. CC ID 14716 [As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the prevention and detection of data leakages and the secure transfer of information between the financial entity and external parties; Article 14 1(b)] | Process or Activity | Corrective | |
Establish, implement, and maintain a privacy impact assessment. CC ID 13712 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity's activities. Article 1 ¶ 1(e)] | Establish/Maintain Documentation | Preventive | |
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Establish/Maintain Documentation | Preventive | |
Include how to grant consent in the privacy impact assessment. CC ID 15519 | Establish/Maintain Documentation | Preventive | |
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Establish/Maintain Documentation | Preventive | |
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Establish/Maintain Documentation | Preventive | |
Include data handling procedures in the privacy impact assessment. CC ID 15516 | Establish/Maintain Documentation | Preventive | |
Include the intended use of information in the privacy impact assessment. CC ID 15515 | Establish/Maintain Documentation | Preventive | |
Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Establish/Maintain Documentation | Preventive | |
Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Business Processes | Preventive | |
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a records authentication system. CC ID 11648 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: Article 18 2 ¶ 1(e)] | Establish/Maintain Documentation | Preventive | |
Remove dormant data from systems, as necessary. CC ID 13726 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: a process to securely delete data on premises, or that are stored externally, that the financial entity no longer needs to collect or store; Article 35 ¶ 1(e)] | Process or Activity | Preventive | |
Determine how long to keep records and logs before disposing of them. CC ID 11661 [For the purposes of point (a), financial entities shall establish the retention period, taking into account the business and information security objectives, the reason for recording the event in the logs, and the results of the ICT risk assessment. Article 12 2 ¶ 2 The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created; Article 12 2 ¶ 1(a)] | Process or Activity | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [For the purposes of point (a), financial entities shall maintain records of all identity assignments. Those records shall be kept following a reorganisation of the financial entity or after the end of the contractual relationship without prejudice to the retention requirements laid down in applicable Union and national law. Article 20 2 ¶ 2 {access rights administration} For the purposes of point (e)(i), financial entities shall establish the retention period taking into account the business and information security objectives, the reasons for recording the event in the logs, and the results of the ICT risk assessment. Article 21 ¶ 2] | Records Management | Preventive | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the process to securely delete data, present on premises of the financial entity or stored externally, that the financial entity no longer needs to collect or to store; Article 11 2 ¶ 1(g)] | Records Management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c)] | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: Article 18 2 ¶ 1(e)] | Establish Roles | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records Management | Detective | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Process or Activity | Preventive | |
Provide encryption for different types of electronic storage media. CC ID 00945 [{encryption policy} {data in transit} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of data at rest and in transit; Article 6 2 ¶ 1(a)] | Technical Security | Preventive | |
Establish, implement, and maintain data availability controls. CC ID 15301 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: Article 18 2 ¶ 1(e) {capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the monitoring procedures for maintaining and improving: the availability of data and ICT systems; Article 9 1(c)(i) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1 The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions; Article 35 ¶ 1(d)] | Data and Information Management | Preventive | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use; Article 12 2 ¶ 1(d) {data in transit} {data at rest} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to protect data in use, in transit, and at rest; Article 35 ¶ 1(a) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity; Article 35 ¶ 1(b)] | Technical Security | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a configuration management policy. CC ID 14023 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the configuration management policy. CC ID 14072 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; Article 8 2 ¶ 1(a)(i)] | Establish/Maintain Documentation | Preventive | |
Document external connections for all systems. CC ID 06415 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: whether the ICT asset can be or is exposed to external networks, including the internet; Article 4 2(b)(vii)] | Configuration | Preventive | |
Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification of a secure configuration baseline for ICT assets that minimise exposure of those ICT assets to cyber threats and measures to verify regularly that those baselines are effectively deployed; Article 11 2 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | Establish/Maintain Documentation | Preventive | |
Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | Establish/Maintain Documentation | Preventive | |
Include the applied security patches in the baseline configuration. CC ID 13271 | Establish/Maintain Documentation | Preventive | |
Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | Establish/Maintain Documentation | Preventive | |
Include installed custom software in the baseline configuration. CC ID 13274 | Establish/Maintain Documentation | Preventive | |
Include network ports in the baseline configuration. CC ID 13273 | Establish/Maintain Documentation | Preventive | |
Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | Establish/Maintain Documentation | Preventive | |
Define the relationships and dependencies between Configurable Items. CC ID 02134 [As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed. Article 30 1.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system hardening standard. CC ID 00876 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the implementation of a secure configuration baseline of all network components, and the hardening of the network and of network devices in line with any vendor instructions, where applicable, standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and leading practices; Article 13 ¶ 1(k)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain configuration standards. CC ID 11953 | Configuration | Preventive | |
Include common security parameter settings in the configuration standards for all systems. CC ID 12544 | Establish/Maintain Documentation | Preventive | |
Apply configuration standards to all systems, as necessary. CC ID 12503 [{ICT third-party service provider} {assets} {digital operational resilience} For the purposes of point (k), financial entities shall consider the following: the implementation of vendor recommended settings on the elements operated by the financial entity; Article 11 2 ¶ 3(a)] | Configuration | Preventive | |
Configure security parameter settings on all system components appropriately. CC ID 12041 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the implementation of a secure configuration baseline of all network components, and the hardening of the network and of network devices in line with any vendor instructions, where applicable, standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and leading practices; Article 13 ¶ 1(k)] | Technical Security | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards. CC ID 04490 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the procedures to limit, lock, and terminate system and remote sessions after a specified period of inactivity; Article 13 ¶ 1(l)] | Configuration | Preventive | |
Configure the Intrusion Detection System and the Intrusion Prevention System to detect rogue devices and unauthorized connections. CC ID 04837 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the identification and implementation of network access controls to prevent and detect connections to the financial entity's network by any unauthorised device or system, or any endpoint not meeting the financial entity's security requirements; Article 13 ¶ 1(d) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity's network, and to secure the network traffic between the financial entity's internal networks and the internet and other external connections; Article 35 ¶ 1(c)] | Configuration | Preventive | |
Install critical security updates and important security updates in a timely manner. CC ID 01696 [The patch management procedures referred to in paragraph 3 shall: test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii); Article 10 4(c) The patch management procedures referred to in paragraph 3 shall: set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met. Article 10 4(d)] | Configuration | Preventive | |
Include risk information when communicating critical security updates. CC ID 14948 | Communicate | Preventive | |
Configure each system's security alerts to organizational standards. CC ID 12113 [For the purposes of point (b), the tools referred to in that point shall contain the tools that provide automated alerts based on pre-defined rules to identify anomalies affecting the completeness and integrity of the data sources or log collection. Article 23 2 ¶ 2] | Technical Security | Preventive | |
Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: contain safeguards against intrusions and data misuse; Article 2 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1] | Configuration | Preventive | |
Configure Hypertext Transfer Protocol headers in accordance with organizational standards. CC ID 16851 | Configuration | Preventive | |
Configure Hypertext Transfer Protocol security headers in accordance with organizational standards. CC ID 16488 | Configuration | Preventive | |
Configure "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to organizational standards. CC ID 15385 | Configuration | Preventive | |
Configure Microsoft Attack Surface Reduction rules in accordance with organizational standards. CC ID 16478 | Configuration | Preventive | |
Configure "Remote host allows delegation of non-exportable credentials" to organizational standards. CC ID 15379 | Configuration | Preventive | |
Configure "Configure enhanced anti-spoofing" to organizational standards. CC ID 15376 | Configuration | Preventive | |
Configure "Block user from showing account details on sign-in" to organizational standards. CC ID 15374 | Configuration | Preventive | |
Configure "Configure Attack Surface Reduction rules" to organizational standards. CC ID 15370 | Configuration | Preventive | |
Configure "Turn on e-mail scanning" to organizational standards. CC ID 15361 | Configuration | Preventive | |
Configure "Prevent users and apps from accessing dangerous websites" to organizational standards. CC ID 15359 | Configuration | Preventive | |
Configure "Enumeration policy for external devices incompatible with Kernel DMA Protection" to organizational standards. CC ID 15352 | Configuration | Preventive | |
Configure "Prevent Internet Explorer security prompt for Windows Installer scripts" to organizational standards. CC ID 15351 | Configuration | Preventive | |
Store state information from applications and software separately. CC ID 14767 | Configuration | Preventive | |
Configure the "aufs storage" to organizational standards. CC ID 14461 | Configuration | Preventive | |
Configure the "AppArmor Profile" to organizational standards. CC ID 14496 | Configuration | Preventive | |
Configure the "device" argument to organizational standards. CC ID 14536 | Configuration | Preventive | |
Configure the "Docker" group ownership to organizational standards. CC ID 14495 | Configuration | Preventive | |
Configure the "Docker" user ownership to organizational standards. CC ID 14505 | Configuration | Preventive | |
Configure "Allow upload of User Activities" to organizational standards. CC ID 15338 | Configuration | Preventive | |
Configure the "ulimit" to organizational standards. CC ID 14499 | Configuration | Preventive | |
Configure the computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender properly. CC ID 05282 | Configuration | Preventive | |
Configure the "Turn off Help Ratings" setting. CC ID 05285 | Configuration | Preventive | |
Configure the "Decoy Admin Account Not Disabled" policy properly. CC ID 05286 | Configuration | Preventive | |
Configure the "Anonymous access to the registry" policy properly. CC ID 05288 | Configuration | Preventive | |
Configure the File System Checker and Popups setting. CC ID 05289 | Configuration | Preventive | |
Configure the System File Checker setting. CC ID 05290 | Configuration | Preventive | |
Configure the System File Checker Progress Meter setting. CC ID 05291 | Configuration | Preventive | |
Configure the Protect Kernel object attributes properly. CC ID 05292 | Configuration | Preventive | |
Verify crontab files are owned by an appropriate user or group. CC ID 05305 | Configuration | Preventive | |
Restrict the exporting of files and directories, as necessary. CC ID 16315 | Technical Security | Preventive | |
Verify the /etc/syslog.conf file is owned by an appropriate user or group. CC ID 05322 | Configuration | Preventive | |
Verify the traceroute executable is owned by an appropriate user or group. CC ID 05323 | Configuration | Preventive | |
Verify the /etc/passwd file is owned by an appropriate user or group. CC ID 05325 | Configuration | Preventive | |
Configure the "Prohibit Access of the Windows Connect Now Wizards" setting. CC ID 05380 | Configuration | Preventive | |
Configure the "Allow remote access to the PnP interface" setting. CC ID 05381 | Configuration | Preventive | |
Configure the "Do not create system restore point when new device driver installed" setting. CC ID 05382 | Configuration | Preventive | |
Configure the "Turn Off Access to All Windows Update Feature" setting. CC ID 05383 | Configuration | Preventive | |
Configure the "Turn Off Automatic Root Certificates Update" setting. CC ID 05384 | Configuration | Preventive | |
Configure the "Turn Off Event Views 'Events.asp' Links" setting. CC ID 05385 | Configuration | Preventive | |
Configure the "Turn Off Internet File Association Service" setting. CC ID 05389 | Configuration | Preventive | |
Configure the "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting. CC ID 05390 | Configuration | Preventive | |
Configure the "Turn off the 'Order Prints' Picture task" setting. CC ID 05391 | Configuration | Preventive | |
Configure the "Turn Off Windows Movie Maker Online Web Links" setting. CC ID 05392 | Configuration | Preventive | |
Configure the "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting. CC ID 05393 | Configuration | Preventive | |
Configure the "Don't Display the Getting Started Welcome Screen at Logon" setting. CC ID 05394 | Configuration | Preventive | |
Configure the "Turn off Windows Startup Sound" setting. CC ID 05395 | Configuration | Preventive | |
Configure the "Prevent IIS Installation" setting. CC ID 05398 | Configuration | Preventive | |
Configure the "Turn off Active Help" setting. CC ID 05399 | Configuration | Preventive | |
Configure the "Turn off Untrusted Content" setting. CC ID 05400 | Configuration | Preventive | |
Configure the "Turn off downloading of enclosures" setting. CC ID 05401 | Configuration | Preventive | |
Configure "Allow indexing of encrypted files" to organizational standards. CC ID 05402 | Configuration | Preventive | |
Configure the "Prevent indexing uncached Exchange folders" setting. CC ID 05403 | Configuration | Preventive | |
Configure the "Turn off Windows Calendar" setting. CC ID 05404 | Configuration | Preventive | |
Configure the "Turn off Windows Defender" setting. CC ID 05405 | Configuration | Preventive | |
Configure the "Turn off the communication features" setting. CC ID 05410 | Configuration | Preventive | |
Configure the "Turn off Windows Meeting Space" setting. CC ID 05413 | Configuration | Preventive | |
Configure the "Turn on Windows Meeting Space auditing" setting. CC ID 05414 | Configuration | Preventive | |
Configure the "Disable unpacking and installation of gadgets that are not digitally signed" setting. CC ID 05415 | Configuration | Preventive | |
Configure the "Override the More Gadgets Link" setting. CC ID 05416 | Configuration | Preventive | |
Configure the "Turn Off User Installed Windows Sidebar Gadgets" setting. CC ID 05417 | Configuration | Preventive | |
Configure the "Turn off Downloading of Game Information" setting. CC ID 05419 | Configuration | Preventive | |
Set the noexec_user_stack flag on the user stack properly. CC ID 05439 | Configuration | Preventive | |
Configure the "restrict guest access to system log" policy, as appropriate. CC ID 06047 | Configuration | Preventive | |
Configure the Trusted Platform Module (TPM) platform validation profile, as appropriate. CC ID 06056 | Configuration | Preventive | |
Enable or disable the standby states, as appropriate. CC ID 06060 | Configuration | Preventive | |
Configure the Trusted Platform Module startup options properly. CC ID 06061 | Configuration | Preventive | |
Configure the "Obtain Software Package Updates with apt-get" setting to organizational standards. CC ID 11375 | Configuration | Preventive | |
Configure the "display a banner before authentication" setting for "LightDM" to organizational standards. CC ID 11385 | Configuration | Preventive | |
Configure user accounts. CC ID 07036 | Configuration | Preventive | |
Employ multifactor authentication for accounts with administrative privilege. CC ID 12496 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: the use of strong authentication methods in accordance with leading practices and techniques for remote access to the financial entity's network, for privileged access, for access to ICT assets supporting critical or important functions or ICT assets that are publicly accessible; Article 21 ¶ 1(f)(ii) For the purposes of point (d), financial entities shall use strong authentication methods that are based on leading practices for remote access to the financial entities' network, for privileged access, and for access to ICT assets supporting critical or important functions that are publicly available. Article 33 ¶ 3] | Technical Security | Preventive | |
Review and approve the firewall rules, as necessary. CC ID 06745 [For the purposes of point (h), financial entities shall perform the review of firewall rules and connections filters on a regular basis in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of ICT systems involved. For ICT systems that support critical or important functions, financial entities shall verify the adequacy of the existing firewall rules and connection filters at least every 6 months. Article 13 ¶ 2] | Configuration | Preventive | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | Configuration | Preventive | |
Configure the log to capture the user's identification. CC ID 01334 [{generic account} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: a provision on user accountability, by limiting to the extent possible the use of generic and shared user accounts and ensuring that users are identifiable for the actions performed in the ICT systems at all times; Article 21 ¶ 1(c) {logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: user accountability, which ensures that users can be identified for the actions performed in the ICT systems; Article 33 ¶ 1(b)] | Configuration | Preventive | |
Configure the log to capture a date and time stamp. CC ID 01336 [Financial entities shall log all relevant information for each detected anomalous activity enabling: the identification of the date and time of detection of the anomalous activity; Article 23 4(b) Financial entities shall log all relevant information for each detected anomalous activity enabling: the identification of the date and time of occurrence of the anomalous activity; Article 23 4(a)] | Configuration | Preventive | |
Configure the log to capture the type of each event. CC ID 06423 [Financial entities shall log all relevant information for each detected anomalous activity enabling: the identification of the type of the anomalous activity. Article 23 4(c)] | Configuration | Preventive | |
Configure all logs to capture auditable events or actionable events. CC ID 06332 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the requirement to log events related to all of the following: capacity management; Article 12 2 ¶ 1(c)(ii) The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the requirement to log events related to all of the following: ICT operations, including ICT system activities; Article 12 2 ¶ 1(c)(iv) The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the requirement to log events related to all of the following: logical and physical access control, as referred to in Article 21, and identity management; Article 12 2 ¶ 1(c)(i) Financial entities shall log all relevant information for each detected anomalous activity enabling: Article 23 4. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management; Article 34 ¶ 1(f)] | Configuration | Preventive | |
Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 | Log Management | Preventive | |
Configure the log to capture startups and shutdowns. CC ID 16491 | Log Management | Preventive | |
Configure the log to capture user queries and searches. CC ID 16479 | Log Management | Preventive | |
Configure the log to capture Internet Protocol addresses. CC ID 16495 | Log Management | Preventive | |
Configure the log to capture error messages. CC ID 16477 | Log Management | Preventive | |
Configure the log to capture system failures. CC ID 16475 | Log Management | Preventive | |
Configure the log to capture account lockouts. CC ID 16470 | Configuration | Preventive | |
Configure the log to capture execution events. CC ID 16469 | Configuration | Preventive | |
Configure the log to capture attempts to bypass or circumvent security controls. CC ID 17078 | Log Management | Preventive | |
Configure the log to capture AWS Organizations changes. CC ID 15445 | Configuration | Preventive | |
Configure the log to capture Identity and Access Management policy changes. CC ID 15442 | Configuration | Preventive | |
Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 | Configuration | Preventive | |
Configure the log to capture route table changes. CC ID 15439 | Configuration | Preventive | |
Configure the log to capture virtual private cloud changes. CC ID 15435 | Configuration | Preventive | |
Configure the log to capture changes to encryption keys. CC ID 15432 | Configuration | Preventive | |
Configure the log to capture unauthorized API calls. CC ID 15429 | Configuration | Preventive | |
Configure the log to capture changes to network gateways. CC ID 15421 | Configuration | Preventive | |
Configure the "logging level" to organizational standards. CC ID 14456 | Configuration | Detective | |
Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 | Log Management | Preventive | |
Configure the event log settings for specific Operating System functions. CC ID 06337 | Configuration | Preventive | |
Generate an alert when an audit log failure occurs. CC ID 06737 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to detect a failure of logging systems; Article 12 2 ¶ 1(e)] | Configuration | Preventive | |
Configure dedicated systems used for system management according to organizational standards. CC ID 12132 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the use of a separate and dedicated network for the administration of ICT assets; Article 13 ¶ 1(c)] | Configuration | Preventive | |
Configure dedicated systems used for system management to prohibit them from composing documents. CC ID 12161 | Configuration | Preventive | |
Configure dedicated systems used for system management so they are prohibited from accessing e-mail. CC ID 12160 | Configuration | Preventive | |
Configure initial system hardening according to the secure configuration baseline. CC ID 13824 [For the purposes of point (b), the secure configuration baseline referred to in that point shall take into account leading practices and appropriate techniques laid down in the standards defined in Article 2, point (1), of Regulation (EU) No 1025/2012. Article 11 2 ¶ 2 Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the implementation of a secure configuration baseline of all network components, and the hardening of the network and of network devices in line with any vendor instructions, where applicable, standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and leading practices; Article 13 ¶ 1(k)] | Configuration | Preventive | |
Configure the system's password field with a unique default password. CC ID 13825 | Configuration | Preventive | |
Lock configurations to prevent circumventing security measures. CC ID 12187 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: the requirement to use security mechanisms that cannot be modified, removed or bypassed by staff members or ICT third-party service providers in an unauthorised manner; Article 11 2 ¶ 1(f)(ii)] | Configuration | Preventive | |
Audit assets after maintenance was performed. CC ID 13657 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1] | Audits and Risk Management | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: Article 37 ¶ 1] | Systems Design, Build, and Implementation | Preventive | |
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Establish/Maintain Documentation | Preventive | |
Protect confidential information during the system development life cycle program. CC ID 13479 | Data and Information Management | Preventive | |
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Communicate | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: Article 16 1.] | Establish/Maintain Documentation | Preventive | |
Implement manual override capability into automated systems. CC ID 14921 | Systems Design, Build, and Implementation | Preventive | |
Define and assign the system development project team roles and responsibilities. CC ID 01061 [The ICT project management policy referred to in paragraph 1 shall ensure the secure ICT project implementation through the provision of the necessary information and expertise from the business area or functions impacted by the ICT project. Article 15 4.] | Establish Roles | Preventive | |
Search for metadata during e-discovery. CC ID 01073 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain security design principles. CC ID 14718 | Systems Design, Build, and Implementation | Preventive | |
Include reduced complexity of systems or system components in the security design principles. CC ID 14753 | Systems Design, Build, and Implementation | Preventive | |
Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 | Systems Design, Build, and Implementation | Preventive | |
Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 | Systems Design, Build, and Implementation | Preventive | |
Include modularity and layering of systems or system components in the security design principles. CC ID 14750 | Systems Design, Build, and Implementation | Preventive | |
Include secure evolvability of systems or system components in the security design principles. CC ID 14749 | Systems Design, Build, and Implementation | Preventive | |
Include continuous protection of systems or system components in the security design principles. CC ID 14748 | Establish/Maintain Documentation | Preventive | |
Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 | Systems Design, Build, and Implementation | Preventive | |
Include secure system modification of systems or system components in the security design principles. CC ID 14746 | Systems Design, Build, and Implementation | Preventive | |
Include clear abstractions of systems or system components in the security design principles. CC ID 14745 | Systems Design, Build, and Implementation | Preventive | |
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 | Systems Design, Build, and Implementation | Preventive | |
Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 | Systems Design, Build, and Implementation | Preventive | |
Include least privilege of systems or system components in the security design principles. CC ID 14742 | Systems Design, Build, and Implementation | Preventive | |
Include minimized sharing of systems or system components in the security design principles. CC ID 14741 | Systems Design, Build, and Implementation | Preventive | |
Include acceptable security of systems or system components in the security design principles. CC ID 14740 | Systems Design, Build, and Implementation | Preventive | |
Include minimized security elements in systems or system components in the security design principles. CC ID 14739 | Systems Design, Build, and Implementation | Preventive | |
Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 | Systems Design, Build, and Implementation | Preventive | |
Include self-analysis of systems or system components in the security design principles. CC ID 14737 | Systems Design, Build, and Implementation | Preventive | |
Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 | Systems Design, Build, and Implementation | Preventive | |
Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 | Systems Design, Build, and Implementation | Preventive | |
Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 | Systems Design, Build, and Implementation | Preventive | |
Include minimization of systems or system components in the security design principles. CC ID 14733 | Systems Design, Build, and Implementation | Preventive | |
Include secure defaults in systems or system components in the security design principles. CC ID 14732 | Systems Design, Build, and Implementation | Preventive | |
Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 | Systems Design, Build, and Implementation | Preventive | |
Include economic security in systems or system components in the security design principles. CC ID 14730 | Systems Design, Build, and Implementation | Preventive | |
Include trusted components of systems or system components in the security design principles. CC ID 14729 | Systems Design, Build, and Implementation | Preventive | |
Include procedural rigor in systems or system components in the security design principles. CC ID 14728 | Systems Design, Build, and Implementation | Preventive | |
Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 | Systems Design, Build, and Implementation | Preventive | |
Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 | Systems Design, Build, and Implementation | Preventive | |
Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 | Systems Design, Build, and Implementation | Preventive | |
Include performance security of systems or system components in the security design principles. CC ID 14724 | Systems Design, Build, and Implementation | Preventive | |
Include human factored security in systems or system components in the security design principles. CC ID 14723 | Systems Design, Build, and Implementation | Preventive | |
Include secure metadata management of systems or system components in the security design principles. CC ID 14722 | Systems Design, Build, and Implementation | Preventive | |
Include predicate permission of systems or system components in the security design principles. CC ID 14721 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain system design requirements. CC ID 06618 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; Article 37 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922 | Systems Design, Build, and Implementation | Preventive | |
Resolve conflicting design and development inputs. CC ID 13703 | Process or Activity | Corrective | |
Identify and document system development constraints. CC ID 11698 | Establish/Maintain Documentation | Preventive | |
Review the degree of human intervention and control points in the system design requirements. CC ID 13536 | Establish/Maintain Documentation | Detective | |
Include anti-counterfeit measures in the system requirements specification. CC ID 11547 | Physical and Environmental Protection | Preventive | |
Include anti-counterfeit measures that make attempts to circumvent them evident during the anti-counterfeit authentication test in the system requirements specification. CC ID 11552 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 [The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity's ICT systems. Article 15 2.] | Establish/Maintain Documentation | Preventive | |
Include data governance and management practices in the system design project management framework. CC ID 15053 | Establish/Maintain Documentation | Preventive | |
Analyze business activities to ensure information is categorized for system design projects. CC ID 11794 | Monitor and Evaluate Occurrences | Detective | |
Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project risk assessment; Article 15 3(d)] | Testing | Detective | |
Analyze current technology investment factors that could affect implementing the system design project. CC ID 01050 | Testing | Preventive | |
Disseminate and communicate the implementation strategy to interested personnel and affected parties. CC ID 11796 | Communicate | Preventive | |
Include system interoperability in the system requirements specification. CC ID 16256 | Systems Design, Build, and Implementation | Preventive | |
Include equipment interoperability in the system requirements specification. CC ID 16257 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain project management standards. CC ID 00992 [{project management} When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT project and change management; Article 1 ¶ 1 (d) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document, and implement an ICT project management policy. Article 15 1. The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project governance, including roles and responsibilities; Article 15 3(b)] | Establish/Maintain Documentation | Preventive | |
Include objectives in the project management standard. CC ID 17202 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project objectives; Article 15 3(a)] | Establish/Maintain Documentation | Preventive | |
Include time requirements in the project management standard. CC ID 17199 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project planning, timeframe, and steps; Article 15 3(c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain project management procedures. CC ID 17200 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project planning, timeframe, and steps; Article 15 3(c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain integrated project plans. CC ID 01056 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an ICT project management procedure and shall specify the roles and responsibilities for its implementation. That procedure shall cover all stages of the ICT projects from their initiation to their closure. Article 38 1.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project test plan. CC ID 01001 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: the testing of all requirements, including security requirements, and the respective approval process when deploying an ICT system in the production environment. Article 15 3(g)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project team plan. CC ID 06533 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project governance, including roles and responsibilities; Article 15 3(b)] | Establish/Maintain Documentation | Preventive | |
Separate the design and development environment from the production environment. CC ID 06088 [{production environment} {non-production environment} For the purposes of point (b)(v), the separation shall consider all of the components of the environment, including accounts, data or connections, as required by Article 13, first subparagraph, point (a). Article 8 2 ¶ 2 The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: requirements on the separation of ICT production environments from the development, testing, and other non-production environments; Article 8 2 ¶ 1(b)(v) The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: requirements to conduct the development and testing in environments which are separated from the production environment; Article 8 2 ¶ 1(b)(vi) The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: requirements to conduct the development and testing in production environments; Article 8 2 ¶ 1(b)(vii)] | Systems Design, Build, and Implementation | Preventive | |
Implement security controls in development endpoints. CC ID 16389 | Testing | Preventive | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems Design, Build, and Implementation | Preventive | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems Design, Build, and Implementation | Preventive | |
Develop new products based on best practices. CC ID 01095 | Systems Design, Build, and Implementation | Preventive | |
Include security requirements in the system design specification. CC ID 06826 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; Article 37 ¶ 1(a)] | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain secure update mechanisms. CC ID 14923 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i)] | Systems Design, Build, and Implementation | Preventive | |
Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 | Systems Design, Build, and Implementation | Preventive | |
Automate secure update mechanisms, as necessary. CC ID 14933 | Systems Design, Build, and Implementation | Preventive | |
Follow security design requirements when developing systems. CC ID 06827 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii)] | Systems Design, Build, and Implementation | Preventive | |
Approve the design methodology before moving forward on the system design project. CC ID 01060 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: the testing of all requirements, including security requirements, and the respective approval process when deploying an ICT system in the production environment. Article 15 3(g)] | Systems Design, Build, and Implementation | Preventive | |
Protect source code in accordance with organizational requirements. CC ID 16855 [The procedure referred to in paragraph 2 shall contain the implementation of controls to protect the integrity of the source code of ICT systems that are developed in-house or by an ICT third-party service provider and delivered to the financial entity by an ICT third-party service provider. Article 16 7.] | Technical Security | Preventive | |
Perform source code analysis at each milestone or quality gate. CC ID 06832 [{open source code} The procedure referred to in paragraph 2 shall provide that proprietary software and, where feasible, the source code provided by ICT third-party service providers or coming from open-source projects, are to be analysed and tested in accordance with paragraph 3 prior to their deployment in the production environment. Article 16 8.] | Systems Design, Build, and Implementation | Corrective | |
Document the results of the source code analysis. CC ID 14310 | Process or Activity | Detective | |
Establish and maintain the overall system development project management roles and responsibilities. CC ID 00991 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an ICT project management procedure and shall specify the roles and responsibilities for its implementation. That procedure shall cover all stages of the ICT projects from their initiation to their closure. Article 38 1.] | Establish Roles | Preventive | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1] | Testing | Detective | |
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473 | Communicate | Preventive | |
Establish, implement, and maintain system testing procedures. CC ID 11744 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Protect test data in the development environment. CC ID 12014 [{pseudonymized data} The procedure referred to in paragraph 2 shall provide that: non-production environments only store anonymised, pseudonymised, or randomised production data; Article 16 5(a) The procedure referred to in paragraph 2 shall provide that: financial entities are to protect the integrity and confidentiality of data in non-production environments. Article 16 5(b)] | Technical Security | Preventive | |
Test all software changes before promoting the system to a production environment. CC ID 01106 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure the testing and approval of ICT systems prior to their first use and before introducing changes to the production environment; Article 37 ¶ 1(b)] | Testing | Detective | |
Test security functionality during the development process. CC ID 12015 [{system testing procedure} {static analysis} {dynamic analysis} The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: Article 16 3.] | Testing | Preventive | |
Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 [The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: identify and analyse vulnerabilities and anomalies in the source code; Article 16 3(a)] | Testing | Detective | |
Review and test source code. CC ID 01086 [{system testing procedure} {static analysis} {dynamic analysis} The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: Article 16 3.] | Testing | Detective | |
Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 [{address} {code anomalies} The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: monitor the implementation of that action plan. Article 16 3(c)] | Establish/Maintain Documentation | Preventive | |
Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 [The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: adopt an action plan to address those vulnerabilities and anomalies; Article 16 3(b)] | Testing | Corrective | |
Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 [By way of derogation from paragraph 5, the procedure referred to in paragraph 2 may provide that production data are stored only for specific testing occasions, for limited periods of time, and following the approval by the relevant function and the reporting of such occasions to the ICT risk management function. Article 16 6.] | Communicate | Preventive | |
Perform Quality Management on all newly developed or modified software. CC ID 11798 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1 The procedure referred to in paragraph 2 shall contain security testing of software packages no later than at the integration phase, in accordance with Article 8(2), points (b)(v), (vi) and (vii). Article 16 4. {open source code} The procedure referred to in paragraph 2 shall provide that proprietary software and, where feasible, the source code provided by ICT third-party service providers or coming from open-source projects, are to be analysed and tested in accordance with paragraph 3 prior to their deployment in the production environment. Article 16 8.] | Testing | Detective | |
Establish, implement, and maintain a system testing program for all system development projects. CC ID 01101 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1 The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure the testing and approval of ICT systems prior to their first use and before introducing changes to the production environment; Article 37 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems Design, Build, and Implementation | Preventive | |
Implement security controls during the system implementation integration process. CC ID 11556 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: specify measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during the development, maintenance, and deployment of those ICT systems in the production environment. Article 16 1(c)] | Systems Design, Build, and Implementation | Preventive | |
Involve all stakeholders in the final acceptance test. CC ID 13168 [Central counterparties shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: clearing members and clients; Article 16 2 ¶ 2(a) {be interoperable} Central counterparties shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: interoperable central counterparties; Article 16 2 ¶ 2(b) Central counterparties shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: other interested parties. Article 16 2 ¶ 2(c) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: users; Article 16 2 ¶ 3(a) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: critical utilities and critical service providers; Article 16 2 ¶ 3(b) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: other central securities depositories; Article 16 2 ¶ 3(c) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: other market infrastructures; Article 16 2 ¶ 3(d) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: any other institutions with which central securities depositories have identified interdependencies in their business continuity policy. Article 16 2 ¶ 3(e) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: any other institutions with which central securities depositories have identified interdependencies in their ICT business continuity policy. Article 17 2 ¶ 3(e) {changes} Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: clearing members and clients; Article 17 2 ¶ 2(a) {changes} {be interoperable} Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: interoperable central counterparties; Article 17 2 ¶ 2(b) {changes} Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: other interested parties; Article 17 2 ¶ 2(c) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: users; Article 17 2 ¶ 3(a) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: critical utilities and critical service providers; Article 17 2 ¶ 3(b) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: other central securities depositories; Article 17 2 ¶ 3(c) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: other market infrastructures; 
Article 17 2 ¶ 3(d)] | Human Resources Management | Preventive | |
Establish and maintain end user support communications. CC ID 06615 | Business Processes | Preventive | |
Establish, implement, and maintain a vulnerability disclosure policy. CC ID 14934 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain vulnerability disclosure procedures. CC ID 16489 [The vulnerability management procedures referred to in paragraph 1 shall: establish procedures for the responsible disclosure of vulnerabilities to clients, counterparties, and to the public; Article 10 2 ¶ 1(e)] | Establish/Maintain Documentation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity; Article 35 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Establish the criticality of the network and systems. CC ID 00006 [The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account: Article 5 2. The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account: the ICT risk related to those business functions and their dependencies on the information assets or ICT assets; Article 5 2(a) The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account: how the loss of confidentiality, integrity, and availability of such information assets and ICT assets would impact the business processes and activities of the financial entities. Article 5 2(b)] | Technical Security | Preventive | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 [As part of their control of access management rights, financial entities shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities' information to enable assignment of user access rights in accordance with Article 21. Article 20 1. For the purposes of point (b), financial entities shall, where feasible and appropriate, deploy automated solutions for the lifecycle identity management process. Article 20 2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish the requirements for Identity Assurance Levels. CC ID 13857 | Technical Security | Preventive | |
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 | Establish/Maintain Documentation | Preventive | |
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Establish/Maintain Documentation | Preventive | |
Include termination procedures in the authorized representatives policy. CC ID 17226 | Establish/Maintain Documentation | Preventive | |
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Establish/Maintain Documentation | Preventive | |
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Establish/Maintain Documentation | Preventive | |
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 | Establish/Maintain Documentation | Preventive | |
Implement digital identification processes. CC ID 13731 | Process or Activity | Preventive | |
Implement identity proofing processes. CC ID 13719 | Process or Activity | Preventive | |
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Process or Activity | Preventive | |
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Process or Activity | Preventive | |
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Process or Activity | Detective | |
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Process or Activity | Preventive | |
Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Establish/Maintain Documentation | Preventive | |
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Configuration | Preventive | |
Interact with the data subject when performing remote proofing. CC ID 13777 | Process or Activity | Detective | |
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Process or Activity | Preventive | |
View all applicant actions when performing remote proofing. CC ID 13804 | Process or Activity | Detective | |
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Process or Activity | Preventive | |
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Process or Activity | Detective | |
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Process or Activity | Detective | |
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Process or Activity | Preventive | |
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Process or Activity | Preventive | |
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Process or Activity | Detective | |
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Process or Activity | Preventive | |
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Configuration | Preventive | |
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Configuration | Preventive | |
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Configuration | Preventive | |
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Process or Activity | Preventive | |
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Process or Activity | Detective | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Process or Activity | Detective | |
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Business Processes | Detective | |
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Process or Activity | Detective | |
Verify proof of identity records. CC ID 13761 | Investigate | Detective | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Process or Activity | Detective | |
Allow records that relate to the data subject as proof of identity. CC ID 13772 | Process or Activity | Preventive | |
Conduct in-person proofing with physical interactions. CC ID 13775 | Process or Activity | Detective | |
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Process or Activity | Preventive | |
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Process or Activity | Preventive | |
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Process or Activity | Preventive | |
Refrain from approving attributes in the identity proofing process. CC ID 13716 | Process or Activity | Preventive | |
Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Process or Activity | Detective | |
Establish, implement, and maintain federated identity systems. CC ID 13837 | Technical Security | Preventive | |
Authenticate all systems in a federated identity system. CC ID 13835 | Technical Security | Preventive | |
Send and receive authentication assertions, as necessary. CC ID 13839 | Technical Security | Preventive | |
Make the assertion reference for authentication assertions single-use. CC ID 13843 | Technical Security | Preventive | |
Validate the issuer in the authentication assertion. CC ID 13878 | Technical Security | Detective | |
Limit the lifetime of the assertion reference. CC ID 13874 | Technical Security | Preventive | |
Refrain from using authentication assertions that have expired. CC ID 13872 | Technical Security | Preventive | |
Protect the authentication assertion from unauthorized access or unauthorized disclosure. CC ID 16836 | Technical Security | Preventive | |
Include the issuer identifier in the authentication assertion. CC ID 13865 | Technical Security | Preventive | |
Include attribute metadata in the authentication assertion. CC ID 13856 | Technical Security | Preventive | |
Include the authentication time in the authentication assertion. CC ID 13855 | Technical Security | Preventive | |
Validate each element within the authentication assertion. CC ID 13853 | Technical Security | Preventive | |
Validate the timestamp in the authentication assertion. CC ID 13875 | Technical Security | Detective | |
Validate the digital signature in the authentication assertion. CC ID 13869 | Technical Security | Detective | |
Validate the signature validation element in the authentication assertion. CC ID 13867 | Technical Security | Detective | |
Validate the audience restriction element in the authentication assertion. CC ID 13866 | Technical Security | Detective | |
Include the subject in the authentication assertion. CC ID 13852 | Technical Security | Preventive | |
Include the target audience in the authentication assertion. CC ID 13851 | Technical Security | Preventive | |
Include audience restrictions in the authentication assertion. CC ID 13870 | Technical Security | Preventive | |
Include the issue date in the authentication assertion. CC ID 13850 | Technical Security | Preventive | |
Revoke authentication assertions, as necessary. CC ID 16534 | Technical Security | Preventive | |
Include the expiration date in the authentication assertion. CC ID 13849 | Technical Security | Preventive | |
Include identifiers in the authentication assertion. CC ID 13848 | Technical Security | Preventive | |
Include digital signatures in the authentication assertion. CC ID 13847 | Technical Security | Preventive | |
Include key binding in the authentication assertion. CC ID 13846 | Technical Security | Preventive | |
Include attribute references in the authentication assertion. CC ID 13845 | Technical Security | Preventive | |
Include attribute values in the authentication assertion. CC ID 13844 | Technical Security | Preventive | |
Limit the use of the assertion reference to a single organization. CC ID 13841 | Technical Security | Preventive | |
Request attribute references instead of attribute values during the presentation of an authentication assertion. CC ID 13840 | Technical Security | Preventive | |
Define the assertion level for authentication assertions. CC ID 13873 | Technical Security | Preventive | |
Refrain from assigning assertion levels for authentication assertions when not defined. CC ID 13879 | Technical Security | Preventive | |
Authenticate systems referenced in the allowlist. CC ID 13838 | Technical Security | Preventive | |
Place nonmembers of allowlists and denylists into a gray area until a runtime decision is made during the authentication assertion. CC ID 13854 | Technical Security | Preventive | |
Require runtime decisions regarding authentication for organizations that are excluded from the allowlist. CC ID 13842 | Technical Security | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain access control policies. CC ID 00512 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the access control policy. CC ID 14003 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: assignment of roles and responsibilities for granting, reviewing, and revoking access rights; Article 21 ¶ 1(e)(i)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 [{logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: account management procedures to grant, change, or revoke access rights for user and generic accounts, including generic administrator accounts; Article 33 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical Security | Preventive | |
Inventory all user accounts. CC ID 13732 | Establish/Maintain Documentation | Preventive | |
Review user accounts. CC ID 00525 [The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts. Article 20 2 ¶ 1(b)] | Technical Security | Detective | |
Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Data and Information Management | Preventive | |
Control access rights to organizational assets. CC ID 00004 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: a provision on restrictions of access to ICT assets, setting out controls and tools to prevent unauthorised access; Article 21 ¶ 1(d) {generic account} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: a provision on user accountability, by limiting to the extent possible the use of generic and shared user accounts and ensuring that users are identifiable for the actions performed in the ICT systems at all times; Article 21 ¶ 1(c)] | Technical Security | Preventive | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Configuration | Preventive | |
Establish access rights based on least privilege. CC ID 01411 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: the assignment of access rights to ICT assets based on need-to-know, need-to-use and least privilege principles, including for remote and emergency access; Article 21 ¶ 1(a) {critical asset} {ad hoc access} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the granting of physical access rights to critical ICT assets to authorised persons only, in accordance with the need-to-know and least privilege principles, and on an ad-hoc basis; Article 21 ¶ 1(g)(ii) {logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: access rights to information assets, ICT assets, and their supported functions, and to critical locations of operation of the financial entity, are managed on a need-to-know, need-to-use and least privileges basis, including for remote and emergency access; Article 33 ¶ 1(a) {privileged access} {emergency access} {need-to-use basis} For the purposes of point (c), the financial entity shall assign privileged, emergency, and administrator access on a need-to-use or an ad-hoc basis for all ICT systems, and shall be logged in accordance with Article 34, first paragraph, point (f). Article 33 ¶ 2] | Technical Security | Preventive | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [For the purposes of point (b), where encryption of data in use is not possible, financial entities shall process data in use in a separated and protected environment, or take equivalent measures to ensure the confidentiality, integrity, authenticity, and availability of data. Article 6 2 ¶ 2] | Configuration | Preventive | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Communicate | Preventive | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
Establish, implement, and maintain session lock capabilities. CC ID 01417 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the procedures to limit, lock, and terminate system and remote sessions after a specified period of inactivity; Article 13 ¶ 1(l)] | Configuration | Preventive | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Configuration | Preventive | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Configuration | Preventive | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Configuration | Preventive | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Configuration | Preventive | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the access restrictions referred to in Article 21 of this Regulation, supporting the protection requirements for each level of classification; Article 11 2 ¶ 1(a) As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: the use of authentication methods commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and to the overall risk profile of ICT assets and considering leading practices; Article 21 ¶ 1(f)(i) {logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: authentication methods that are commensurate to the classification referred to in Article 30(1) and to the overall risk profile of ICT assets, and which are based on leading practices; Article 33 ¶ 1(d) For the purposes of point (d), financial entities shall use strong authentication methods that are based on leading practices for remote access to the financial entities' network, for privileged access, and for access to ICT assets supporting critical or important functions that are publicly available. Article 33 ¶ 3] | Technical Security | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
Enforce access restrictions for change control. CC ID 01428 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: mechanisms to ensure the independence of the functions that approve changes and the functions responsible for requesting and implementing those changes; Article 17 1(b)] | Technical Security | Preventive | |
Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Establish/Maintain Documentation | Preventive | |
Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: withdrawal of access rights without undue delay upon termination of the employment or when the access is no longer necessary; Article 21 ¶ 1(e)(iii) The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts. Article 20 2 ¶ 1(b) {logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: access rights are periodically reviewed and are withdrawn when no longer required. Article 33 ¶ 1(e)] | Behavior | Corrective | |
Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: update of access rights where changes are necessary and at least once a year for all ICT systems, other than ICT systems supporting critical or important functions and at least every 6 months for ICT systems supporting critical or important functions; Article 21 ¶ 1(e)(iv)] | Behavior | Corrective | |
Review each user's access capabilities when their role changes. CC ID 00524 [{logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: access rights are periodically reviewed and are withdrawn when no longer required. Article 33 ¶ 1(e)] | Technical Security | Preventive | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts. Article 20 2 ¶ 1(b)] | Technical Security | Preventive | |
Review and approve logical access to all assets based upon organizational policies. CC ID 06641 [{logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: Article 33 ¶ 1] | Technical Security | Preventive | |
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: Article 21 ¶ 1(e) The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts. Article 20 2 ¶ 1(b)] | Technical Security | Preventive | |
Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical Security | Preventive | |
Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Communicate | Detective | |
Establish, implement, and maintain a password policy. CC ID 16346 | Establish/Maintain Documentation | Preventive | |
Enforce the password policy. CC ID 16347 | Technical Security | Preventive | |
Maintain a log of the overrides of the biometric system. CC ID 17000 | Log Management | Preventive | |
Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain access control procedures. CC ID 11663 | Establish/Maintain Documentation | Preventive | |
Grant access to authorized personnel or systems. CC ID 12186 | Configuration | Preventive | |
Document approving and granting access in the access control log. CC ID 06786 [{privileged access} {emergency access} {need-to-use basis} For the purposes of point (c), the financial entity shall assign privileged, emergency, and administrator access on a need-to-use or an ad-hoc basis for all ICT systems, and shall be logged in accordance with Article 34, first paragraph, point (f). Article 33 ¶ 2 The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management; Article 34 ¶ 1(f)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Communicate | Preventive | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 [For the purposes of point (a), financial entities shall maintain records of all identity assignments. Those records shall be kept following a reorganisation of the financial entity or after the end of the contractual relationship without prejudice to the retention requirements laid down in applicable Union and national law. Article 20 2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an identification and authentication policy. CC ID 14033 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: Article 21 ¶ 1(f) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1.] | Establish/Maintain Documentation | Preventive | |
Include the purpose in the identification and authentication policy. CC ID 14234 | Establish/Maintain Documentation | Preventive | |
Include the scope in the identification and authentication policy. CC ID 14232 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the identification and authentication policy. CC ID 14229 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the identification and authentication policy. CC ID 14225 | Establish/Maintain Documentation | Preventive | |
Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Communicate | Preventive | |
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance; Article 18 2 ¶ 1(d) As part of their control of access management rights, financial entities shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities' information to enable assignment of user access rights in accordance with Article 21. Article 20 1.] | Establish/Maintain Documentation | Preventive | |
Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical Security | Preventive | |
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Communicate | Preventive | |
Employ unique identifiers. CC ID 01273 [As part of their control of access management rights, financial entities shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities' information to enable assignment of user access rights in accordance with Article 21. Article 20 1. The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: without prejudice to Article 21, first paragraph, point (c), a unique identity corresponding to a unique user account shall be assigned to each staff member of the financial entity or staff of the ICT third-party service providers accessing the information assets and ICT assets of the financial entity; Article 20 2 ¶ 1(a)] | Testing | Detective | |
Establish, implement, and maintain a system and information integrity policy. CC ID 14034 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1.] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the system and information integrity policy. CC ID 14151 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the system and information integrity policy. CC ID 14150 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the system and information integrity policy. CC ID 14149 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system and information integrity policy. CC ID 14148 | Establish/Maintain Documentation | Preventive | |
Include the scope in the system and information integrity policy. CC ID 14147 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the system and information integrity policy. CC ID 14146 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system and information integrity policy to interested personnel and affected parties. CC ID 14145 | Communicate | Preventive | |
Establish, implement, and maintain system and information integrity procedures. CC ID 14051 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 | Communicate | Preventive | |
Identify and control all network access controls. CC ID 00529 | Technical Security | Preventive | |
Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1] | Technical Security | Detective | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain network segmentation requirements. CC ID 16380 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the criticality or importance of the function those ICT systems and networks support; Article 13 ¶ 1(a)(i) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: Article 13 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Enforce the network segmentation requirements. CC ID 16381 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the overall risk profile of ICT assets using those ICT systems and networks; Article 13 ¶ 1(a)(iii)] | Process or Activity | Preventive | |
Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 | Technical Security | Preventive | |
Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical Security | Preventive | |
Establish, implement, and maintain a network security policy. CC ID 06440 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: network security; Article 1 ¶ 1(c) Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: ensure the security of networks; Article 2 1(a) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: Article 13 ¶ 1 Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the design of networks in line with the ICT security requirements established by the financial entity, taking into account leading practices to ensure the confidentiality, integrity, and availability of the network; Article 13 ¶ 1(f)] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the network security policy. CC ID 14205 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the network security policy. CC ID 14203 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Establish/Maintain Documentation | Preventive | |
Include the scope in the network security policy. CC ID 14201 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the network security policy. CC ID 14200 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Communicate | Preventive | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Communicate | Preventive | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Establish/Maintain Documentation | Preventive | |
Maintain up-to-date network diagrams. CC ID 00531 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the performance of reviews of the network architecture and of the network security design once a year, and periodically for microenterprises, to identify potential vulnerabilities; Article 13 ¶ 1(i)] | Establish/Maintain Documentation | Preventive | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Establish/Maintain Documentation | Preventive | |
Include virtual systems in the network diagram. CC ID 16324 | Data and Information Management | Preventive | |
Include the organization's name in the network diagram. CC ID 14318 | Establish/Maintain Documentation | Preventive | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Process or Activity | Detective | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Establish/Maintain Documentation | Preventive | |
Include Domain Name System names in the network diagram. CC ID 16240 | Establish/Maintain Documentation | Preventive | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the performance of reviews of the network architecture and of the network security design once a year, and periodically for microenterprises, to identify potential vulnerabilities; Article 13 ¶ 1(i)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Communicate | Preventive | |
Maintain up-to-date data flow diagrams. CC ID 10059 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the documentation of all of the financial entity's network connections and data flows; Article 13 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Process or Activity | Detective | |
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Establish/Maintain Documentation | Detective | |
Include information flows to third parties in the data flow diagram. CC ID 13185 | Establish/Maintain Documentation | Preventive | |
Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Communicate | Preventive | |
Implement segregation of duties. CC ID 11843 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: specify the segregation of duties arrangements in the context of the three lines of defence model or other internal risk management and control model, as applicable, to avoid conflicts of interest; Article 2 2(g) As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: the segregation of duties designed to prevent unjustified access to critical data or to prevent the allocation of combinations of access rights that may be used to circumvent controls; Article 21 ¶ 1(b) The financial entities referred to in paragraph 1 shall ensure an appropriate segregation and the independence of control functions and internal audit functions. Article 28 4.] | Technical Security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Establish/Maintain Documentation | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the criticality or importance of the function those ICT systems and networks support; Article 13 ¶ 1(a)(i) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: Article 13 ¶ 1(a) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554; Article 13 ¶ 1(a)(ii) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the overall risk profile of ICT assets using those ICT systems and networks; Article 13 ¶ 1(a)(iii)] | Technical Security | Preventive | |
Implement gateways between security domains. CC ID 16493 | Systems Design, Build, and Implementation | Preventive | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the measures to temporarily isolate, where necessary, subnetworks, and network components and devices; Article 13 ¶ 1(j)] | Technical Security | Preventive | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical Security | Preventive | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical Security | Preventive | |
Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical Security | Preventive | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical Security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Data and Information Management | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone. CC ID 11998 | Technical Security | Preventive | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical Security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 | Data and Information Management | Preventive | |
Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the securing of network traffic between the internal networks and the internet and other external connections; Article 13 ¶ 1(g) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity's network, and to secure the network traffic between the financial entity's internal networks and the internet and other external connections; Article 35 ¶ 1(c)] | Technical Security | Preventive | |
Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 [For the purposes of point (h), financial entities shall perform the review of firewall rules and connections filters on a regular basis in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of ICT systems involved. For ICT systems that support critical or important functions, financial entities shall verify the adequacy of the existing firewall rules and connection filters at least every 6 months. Article 13 ¶ 2] | Technical Security | Corrective | |
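The Article 13 ¶ 2 review cadence mapped above is easy to state and easy to let slip: the hard bound is six months for rules protecting ICT systems that support critical or important functions, while the interval for everything else is left to the entity's own classification and risk profile. The script below is an added example for this report, not text from the RTS or code from any vendor; it runs a review-ageing check over a constructed rule export. The field names (`supports_cif`, `last_reviewed`, `last_hit`), the 12-month default interval for non-critical rules, and the 90-day "unused" threshold are assumptions standing in for what a firewall rule export plus hit counters would give you, and for what the entity's policy would set. Flagging unused and any-to-any rules is common reviewer practice for "verifying adequacy", not a requirement spelled out in Article 13.

```python
"""Firewall rule review ageing check (added example; not RTS text)."""
from datetime import date, timedelta

# Article 13(2): rules for ICT systems supporting critical or important
# functions (CIF) must be verified at least every 6 months.
CIF_REVIEW_INTERVAL = timedelta(days=182)
# Assumption: the entity's own policy interval for all other rules.
DEFAULT_REVIEW_INTERVAL = timedelta(days=365)
# Assumption: a rule with no hit for this long is a removal candidate.
UNUSED_AFTER = timedelta(days=90)

# Constructed sample ruleset; the schema is an assumption about what a
# rule export merged with firewall hit counters would look like.
REVIEW_DATE = date(2024, 9, 26)
SAMPLE_RULES = [
    {"id": "FW-001", "src": "0.0.0.0/0", "dst": "203.0.113.10", "port": 443,
     "supports_cif": True, "last_reviewed": date(2024, 1, 10),
     "last_hit": date(2024, 9, 1)},
    {"id": "FW-002", "src": "10.0.0.0/8", "dst": "10.20.0.5", "port": 5432,
     "supports_cif": True, "last_reviewed": date(2024, 6, 1),
     "last_hit": date(2024, 9, 1)},
    {"id": "FW-003", "src": "10.0.0.0/8", "dst": "10.30.0.7", "port": 8080,
     "supports_cif": False, "last_reviewed": date(2023, 5, 1),
     "last_hit": None},
    {"id": "FW-004", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any",
     "supports_cif": False, "last_reviewed": date(2024, 8, 1),
     "last_hit": date(2024, 8, 30)},
]


def review_findings(rules, today):
    """Return (rule_id, finding, detail) tuples in ruleset order."""
    findings = []
    for r in rules:
        # Pick the review bound from the classification of the protected system.
        interval = CIF_REVIEW_INTERVAL if r["supports_cif"] else DEFAULT_REVIEW_INTERVAL
        age = today - r["last_reviewed"]
        if age > interval:
            findings.append((r["id"], "review_overdue",
                             f"last reviewed {age.days}d ago, bound {interval.days}d"))
        # A rule nobody has matched recently is a candidate for removal.
        if r["last_hit"] is None or today - r["last_hit"] > UNUSED_AFTER:
            findings.append((r["id"], "unused", f"no hit within {UNUSED_AFTER.days}d"))
        # Any-to-any rules defeat the segmentation the rest of Article 13 asks for.
        if r["src"] == "0.0.0.0/0" and r["dst"] == "0.0.0.0/0":
            findings.append((r["id"], "any_any", "permits all sources to all destinations"))
    return findings


def finding_kinds(rules=SAMPLE_RULES, today=REVIEW_DATE):
    """Convenience view: (rule_id, finding) pairs without the free-text detail."""
    return [(rule_id, kind) for rule_id, kind, _ in review_findings(rules, today)]


if __name__ == "__main__":
    for rule_id, kind, detail in review_findings(SAMPLE_RULES, REVIEW_DATE):
        print(f"{rule_id:8} {kind:15} {detail}")
```

Run against a real export, the interesting output is the `review_overdue` rows on `supports_cif` rules, since those are the ones an examiner will ask for evidence on; the `unused` and `any_any` rows are the material for the review itself.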
Configure network access and control points to protect restricted information and restricted functions. CC ID 01284 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the encryption of network connections passing over corporate networks, public networks, domestic networks, third-party networks, and wireless networks, for communication protocols used, taking into account the results of the approved data classification, the results of the ICT risk assessment and the encryption of network connections referred to in Article 6(2); Article 13 ¶ 1(e)] | Configuration | Preventive | |
Protect data stored at external locations. CC ID 16333 | Data and Information Management | Preventive | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical Security | Preventive | |
Filter packets based on IPv6 header fields. CC ID 17048 | Technical Security | Preventive | |
Filter traffic at firewalls based on application layer attributes. CC ID 17054 | Technical Security | Preventive | |
Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity's network, and to secure the network traffic between the financial entity's internal networks and the internet and other external connections; Article 35 ¶ 1(c)] | Testing | Preventive | |
Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management; Article 34 ¶ 1(f)] | Investigate | Detective | |
Establish, implement, and maintain information flow procedures. CC ID 04542 [{refrain from disrupting} {without undue delay} Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: guarantee an accurate and prompt data transmission without major disruptions and undue delays. Article 2 1(d)] | Establish/Maintain Documentation | Preventive | |
Review and approve information exchange system connections. CC ID 07143 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the documentation of all of the financial entity's network connections and data flows; Article 13 ¶ 1(b)] | Technical Security | Preventive | |
Establish, implement, and maintain a data loss prevention program. CC ID 13050 | Establish/Maintain Documentation | Preventive | |
Include the data loss prevention strategy as part of the data loss prevention program. CC ID 13051 [In addition to the requirements referred to in paragraph 1, trading venues shall ensure that their ICT business continuity policy ensures that: the maximum amount of data that may be lost from any IT service of the trading venue after a disruptive incident is close to zero. Article 24 4(b)] | Establish/Maintain Documentation | Preventive | |
Enforce privileged and non-privileged accounts for system access. CC ID 00558 [{privileged access} {emergency access} {need-to-use basis} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: assignment of privileged, emergency, and administrator access on a need-to-use or an ad-hoc basis for all ICT systems; Article 21 ¶ 1(e)(ii) For the purposes of point (e)(ii), financial entities shall, where possible, use dedicated accounts for the performance of administrative tasks on ICT systems. Where feasible and appropriate, financial entities shall deploy automated solutions for the privilege access management. Article 21 ¶ 3] | Technical Security | Preventive | |
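Three of the mappings above (unique identity per account in Article 20 ¶ 2(a), need-to-use or ad-hoc privileged access in Article 21 ¶ 1(e)(ii) and Article 33 ¶ 2, and dedicated administrative accounts in Article 21 ¶ 3) can be checked against the same data: the entity's register of account-to-identity assignments and their privileged grants. The script below is an added example written for this report, not code from the RTS or from any identity product; it reconciles a constructed register and reports each condition. The record layout, the eight-hour ceiling on an "ad-hoc" privileged grant, and the treatment of an ownerless generic account as a finding are assumptions, not figures or definitions taken from the regulation.

```python
"""Account and identity reconciliation (added example; not RTS text)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """One row of an assumed account register: who holds which account."""
    account: str
    identity: Optional[str]      # staff identifier; None marks a generic account
    privileged: bool
    granted: datetime
    expires: Optional[datetime]  # None = standing, open-ended access


# Assumption: anything longer than this is not an "ad-hoc" privileged grant.
MAX_PRIVILEGED_WINDOW = timedelta(hours=8)

# Constructed sample register.
SAMPLE_GRANTS = [
    Grant("alice", "S100", False, datetime(2024, 1, 8, 9, 0), None),
    Grant("alice-adm", "S100", True, datetime(2024, 9, 25, 14, 0),
          datetime(2024, 9, 25, 18, 0)),                              # 4h, time-boxed
    Grant("bob", "S200", True, datetime(2024, 1, 8, 9, 0), None),     # admin on daily account
    Grant("svc-backup", None, True, datetime(2024, 2, 1, 0, 0), None),  # generic, no custodian
    Grant("ops-shared", "S300", False, datetime(2024, 3, 1, 0, 0), None),
    Grant("ops-shared", "S400", False, datetime(2024, 3, 1, 0, 0), None),  # two people, one account
]


def reconcile(grants) -> List[Tuple[str, str]]:
    """Return sorted (subject, finding) pairs; subject is an account or identity."""
    findings = []
    owners = defaultdict(set)            # account -> identities holding it
    accounts_of = defaultdict(set)       # identity -> all accounts
    priv_accounts_of = defaultdict(set)  # identity -> privileged accounts only
    for g in grants:
        if g.identity is None:
            # Generic accounts are allowed, but someone has to answer for them.
            findings.append((g.account, "generic_account_no_custodian"))
        else:
            owners[g.account].add(g.identity)
            accounts_of[g.identity].add(g.account)
            if g.privileged:
                priv_accounts_of[g.identity].add(g.account)
        # Privileged access must be time-boxed to count as need-to-use / ad hoc.
        if g.privileged and (g.expires is None
                             or g.expires - g.granted > MAX_PRIVILEGED_WINDOW):
            findings.append((g.account, "privileged_not_ad_hoc"))
    # Article 20(2)(a): one unique identity per unique user account.
    for account, identities in owners.items():
        if len(identities) > 1:
            findings.append((account, "shared_identity"))
    # Article 21(3): administrative tasks on dedicated accounts where possible,
    # i.e. an identity with admin rights should also hold a non-privileged account.
    for identity, privs in priv_accounts_of.items():
        if not (accounts_of[identity] - privs):
            findings.append((identity, "no_dedicated_admin_account"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in reconcile(SAMPLE_GRANTS):
        print(f"{subject:12} {finding}")
```

On a real register the `shared_identity` rows are the ones to close first: they break the unique-identity requirement outright, and every downstream access log for that account is unattributable until they are fixed.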
Control all methods of remote access and teleworking. CC ID 00559 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: the requirement to use a management solution to remotely manage the endpoint devices and remotely wipe the financial entity's data; Article 11 2 ¶ 1(f)(i)] | Technical Security | Preventive | |
Assign virtual escorting to authorized personnel. CC ID 16440 | Process or Activity | Preventive | |
Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 | Establish/Maintain Documentation | Preventive | |
Include information security requirements in the remote access and teleworking program. CC ID 15704 [{personally owned device} The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the implementation of security measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the ICT security of the financial entity; Article 11 2 ¶ 1(j) {employee-owned device} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the financial entity's ability to carry out its critical activities in an adequate, timely, and secure manner. Article 35 ¶ 1(g)] | Establish/Maintain Documentation | Preventive | |
Employ multifactor authentication for remote access to the organization's network. CC ID 12505 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: the use of strong authentication methods in accordance with leading practices and techniques for remote access to the financial entity's network, for privileged access, for access to ICT assets supporting critical or important functions or ICT assets that are publicly accessible; Article 21 ¶ 1(f)(ii) For the purposes of point (d), financial entities shall use strong authentication methods that are based on leading practices for remote access to the financial entities' network, for privileged access, and for access to ICT assets supporting critical or important functions that are publicly available. Article 33 ¶ 3] | Technical Security | Preventive | |
Implement multifactor authentication techniques. CC ID 00561 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: the use of strong authentication methods in accordance with leading practices and techniques for remote access to the financial entity's network, for privileged access, for access to ICT assets supporting critical or important functions or ICT assets that are publicly accessible; Article 21 ¶ 1(f)(ii)] | Configuration | Preventive | |
Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical Security | Preventive | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical Security | Preventive | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Establish/Maintain Documentation | Preventive | |
Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical Security | Preventive | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [{be resilient} {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 4.] | Technical Security | Preventive | |
Comply with the encryption laws of the local country. CC ID 16377 | Business Processes | Preventive | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 [{mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 criteria for the selection of cryptographic techniques and use practices, taking into account leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and the classification of relevant ICT assets established in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities that are not able to adhere to the leading practices or standards, or to use the most reliable techniques, shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 3. {be resilient} {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 4.] | Technical Security | Preventive | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Data and Information Management | Preventive | |
Include the expiration date in digital signatures. CC ID 13833 | Data and Information Management | Preventive | |
Include audience restrictions in digital signatures. CC ID 13834 | Data and Information Management | Preventive | |
Include the subject in digital signatures. CC ID 13832 | Data and Information Management | Preventive | |
Include the issuer in digital signatures. CC ID 13831 | Data and Information Management | Preventive | |
Include identifiers in the digital signature. CC ID 13829 | Data and Information Management | Preventive | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: encryption and cryptography; Article 1 ¶ 1(a) As part of their ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on encryption and cryptographic controls. Article 6 1. {encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: Article 6 2 ¶ 1 {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 a requirement to record the adoption of mitigation and monitoring measures adopted in accordance with paragraphs 3 and 4 and to provide a reasoned explanation for doing so. Article 6 2(d) ¶ 5.] | Establish/Maintain Documentation | Preventive | |
Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 [{mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 a requirement to record the adoption of mitigation and monitoring measures adopted in accordance with paragraphs 3 and 4 and to provide a reasoned explanation for doing so. Article 6 5.] | Establish/Maintain Documentation | Preventive | |
Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 [{mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 a requirement to record the adoption of mitigation and monitoring measures adopted in accordance with paragraphs 3 and 4 and to provide a reasoned explanation for doing so. Article 6 5.] | Establish/Maintain Documentation | Preventive | |
Encrypt in scope data or in scope information, as necessary. CC ID 04824 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c) {encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of data in use, where necessary; Article 6 2 ¶ 1(b)] | Data and Information Management | Preventive | |
Digitally sign records and data, as necessary. CC ID 16507 | Data and Information Management | Preventive | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Data and Information Management | Preventive | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Data and Information Management | Preventive | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Communicate | Preventive | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Data and Information Management | Preventive | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Communicate | Preventive | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: encryption and cryptography; Article 1 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Establish Roles | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [{encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the cryptographic key management referred to in Article 7, laying down rules on the correct use, protection, and lifecycle of cryptographic keys. Article 6 2 ¶ 1(d) Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1. {be resilient} {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 4.] | Establish/Maintain Documentation | Preventive | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Establish/Maintain Documentation | Preventive | |
Include cryptographic key expiration in the cryptographic key management procedures. CC ID 17079 | Establish/Maintain Documentation | Preventive | |
Generate strong cryptographic keys. CC ID 01299 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Data and Information Management | Preventive | |
Generate unique cryptographic keys for each user. CC ID 12169 | Technical Security | Preventive | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Data and Information Management | Preventive | |
Store cryptographic keys securely. CC ID 01298 [Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment. Article 7 2. Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Data and Information Management | Preventive | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties upon cryptographic key supersession. CC ID 17084 | Communicate | Preventive | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Data and Information Management | Preventive | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical Security | Preventive | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Data and Information Management | Corrective | |
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 [Financial entities shall develop and implement methods to replace the cryptographic keys in the case of loss, or where those keys are compromised or damaged. Article 7 3.] | Data and Information Management | Corrective | |
Archive outdated cryptographic keys. CC ID 06884 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Data and Information Management | Preventive | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Establish Roles | Preventive | |
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 [Financial entities shall ensure the prompt renewal of certificates in advance of their expiration. Article 7 5.] | Establish/Maintain Documentation | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [{encryption policy} {data in transit} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of data at rest and in transit; Article 6 2 ¶ 1(a) The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use; Article 12 2 ¶ 1(d) As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: Article 14 1. As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the availability, authenticity, integrity and confidentiality of data during network transmission, and the establishment of procedures to assess compliance with those requirements; Article 14 1(a) As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the prevention and detection of data leakages and the secure transfer of information between the financial entity and external parties; Article 14 1(b) Financial entities shall design the policies, procedures, protocols, and tools to protect the information in transit referred to in paragraph 1 on the basis of the results of the approved data classification and of the ICT risk assessment. Article 14 2. {data in transit} {data at rest} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to protect data in use, in transit, and at rest; Article 35 ¶ 1(a) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions; Article 35 ¶ 1(d)] | Technical Security | Preventive | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 [{encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of internal network connections and traffic with external parties; Article 6 2 ¶ 1(c)] | Technical Security | Preventive | |
Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical Security | Preventive | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 [{encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of internal network connections and traffic with external parties; Article 6 2 ¶ 1(c)] | Technical Security | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification of security measures against malicious codes; Article 11 2 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
Scan for malicious code, as necessary. CC ID 11941 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i)] | Investigate | Detective | |
Remove malware when malicious code is discovered. CC ID 13691 | Process or Activity | Corrective | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Communicate | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 | Establish/Maintain Documentation | Preventive | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 [{restoration measure} {recovery measure} For the purposes of point (f), the measures referred to in that point shall provide for the mitigation of failures of critical third-party providers. Article 39 2 ¶ 2] | Systems Continuity | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: for network services agreements: whether those services are provided by an ICT intra-group service provider or by ICT third-party service providers. Article 13 ¶ 1(m)(ii)] | Process or Activity | Detective | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Establish/Maintain Documentation | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Establish/Maintain Documentation | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
Include on-site visits in third party contracts. CC ID 17306 | Establish/Maintain Documentation | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
Include location requirements in third party contracts. CC ID 16915 | Acquisition/Sale of Assets or Services | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Systems Continuity | Preventive | |
Review third party recovery plans. CC ID 17123 | Systems Continuity | Detective | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 | Communicate | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Establish/Maintain Documentation | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Establish/Maintain Documentation | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 [The financial entities referred to in paragraph 1 shall identify all critical or important functions supported by ICT third-party service providers. Article 30 2.] | Establish/Maintain Documentation | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action. Article 10 2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Testing | Detective | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 [{assets} {digital operational resilience} For the purposes of point (k), financial entities shall consider the following: technical and organisational measures to minimise the risks related to the infrastructure used by the ICT third-party service provider for its ICT services, considering leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012. Article 11 2 ¶ 3(d)] | Establish/Maintain Documentation | Preventive | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: for ICT assets or services operated by an ICT third-party service provider, the identification and implementation of requirements to maintain digital operational resilience, in accordance with the results of the data classification and ICT risk assessment. Article 11 2 ¶ 1(k)] | Business Processes | Detective | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Establish/Maintain Documentation | Preventive | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 [{be responsible} The financial entities referred to in paragraph 1 may, in accordance with Union and national sectoral law, outsource the tasks of verifying compliance with ICT risk management requirements to ICT intra-group or ICT third-party service providers. In case of such outsourcing, financial entities shall remain fully responsible for the verification of compliance with the ICT risk management requirements. Article 28 3.] | Establish/Maintain Documentation | Preventive | |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
Include equipment interoperability in the system requirements specification. CC ID 16257 | Systems design, build, and implementation | Preventive | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Preventive | |
Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 | Acquisition or sale of facilities, technology, and services | Preventive | |
Obtain user documentation before acquiring products and services. CC ID 14283 | Acquisition or sale of facilities, technology, and services | Preventive | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Preventive |

Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Preventive | |
Submit closure reports at the conclusion of each information technology project. CC ID 16948 [{individual} In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: individually or in aggregation, depending on the importance and size of the ICT projects; Article 15 5(a)] | Leadership and high level objectives | Preventive | |
Review and approve the closure report. CC ID 16947 | Leadership and high level objectives | Preventive | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 [In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: periodically and, where necessary, on an event-driven basis. Article 15 5(b)] | Leadership and high level objectives | Preventive | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 [{individual} In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: individually or in aggregation, depending on the importance and size of the ICT projects; Article 15 5(a) In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: periodically and, where necessary, on an event-driven basis. Article 15 5(b) {critical function} In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: Article 15 5.] | Leadership and high level objectives | Preventive | |
Monitor and evaluate system telemetry data. CC ID 14929 | Monitoring and measurement | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Detective | |
Include the date of the audit in the audit report. CC ID 07024 [{review} {ICT risk management framework} {start date} Financial entities shall include all of the following information in the report referred to in paragraph 1: the start and end dates of the review period; Article 27 2 ¶ 1(d)] | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: clearly identifies the financial entity that is the subject of the report, and describes its group structure, where relevant; Article 27 2 ¶ 1(a)(i) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: describes the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency; Article 27 2 ¶ 1(a)(ii) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: a description of the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, the financial entity's organisation, identified critical functions, strategy, major ongoing projects or activities, and relationships, and the financial entity's dependence on in-house and outsourced ICT services and systems, or the implications that a total loss or severe degradation of such systems would have on critical or important functions and market efficiency; Article 41 2(a)(i) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 41 2(a)(ii) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: information about the reported area; Article 41 2(a)(iii) {review} {ICT risk management framework} {be internal} {be external} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: tools to be used, and the identification of the function responsible for carrying out the measures, detailing whether the tools and functions are internal or external; Article 27 2 ¶ 1(h)(iii) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: the person responsible for the review; Article 41 2(e) {review} {ICT risk management framework} {be responsible} Financial entities shall include all of the following information in the report referred to in paragraph 1: an indication of the function responsible for the review; Article 27 2 ¶ 1(e)] | Audits and risk management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [The vulnerability management procedures referred to in paragraph 1 shall: require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution. Article 10 2 ¶ 1(h) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: an expected date for implementing the measures and dates related to the internal control of the implementation, including information on the state of progress of the implementation of those measures as at the date of drafting of the report, explaining, where applicable, if there is a risk that deadlines may not be respected; Article 27 2 ¶ 1(h)(ii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on past reviews, including: where applicable, a state of implementation of the corrective measures identified by the last report; Article 27 2 ¶ 1(k)(ii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on past reviews, including: where the proposed corrective measures in past reviews have proven ineffective or have created unexpected challenges, a description of how those corrective measures could be improved or of those unexpected challenges; Article 27 2 ¶ 1(k)(iii) {ICT risk management framework} {review} {remedial measure} The report referred to in paragraph 1 shall contain all of the following information: remedying measures identified to address weaknesses, deficiencies, and gaps in the simplified ICT risk management framework, and the expected date for implementing those measures, including the follow-up on weaknesses, deficiencies, and gaps identified in previous reports, where those weaknesses, deficiencies, and gaps have not yet been remedied; Article 41 2(g)] | Audits and risk management | Corrective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [{continuity plan test} Financial entities shall document the results of the testing referred to in paragraph 1. Any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body. Article 25 5. The financial entities referred to in paragraph 1 shall document the results of the testing of business continuity plans and any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body. Article 40 3.] | Operational and Systems Continuity | Preventive | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Preventive |

Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5.] | Audits and risk management | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Detective | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 [{ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a summary of findings, and a self-assessment of the severity of the weaknesses, deficiencies, and gaps identified in ICT risk management framework for the review period, including a detailed analysis thereof; Article 41 2(f)] | Audits and risk management | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5.] | Audits and risk management | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and risk management | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Detective | |
Include the cost of corrective action in the audit report. CC ID 17015 | Audits and risk management | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: describes the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency; Article 27 2 ¶ 1(a)(ii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: Article 27 2 ¶ 1(l)] | Audits and risk management | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: external sources. Article 27 2 ¶ 1(l)(iv) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a description of the reasons for the review, including: Article 41 2(c) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a description of the reasons for the review, including: where the review has been initiated following supervisory instructions, evidence of such instructions; Article 41 2(c)(i)] | Audits and risk management | Preventive | |
Review management's response to issues raised in past audit reports. CC ID 01149 [{ICT risk management framework} {review} {remedial measure} The report referred to in paragraph 1 shall contain all of the following information: remedying measures identified to address weaknesses, deficiencies, and gaps in the simplified ICT risk management framework, and the expected date for implementing those measures, including the follow-up on weaknesses, deficiencies, and gaps identified in previous reports, where those weaknesses, deficiencies, and gaps have not yet been remedied; Article 41 2(g)] | Audits and risk management | Detective | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i); Article 3 ¶ 1(b)(ii)] | Audits and risk management | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i); Article 3 ¶ 1(b)(ii)] | Audits and risk management | Detective | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to; Article 28 2(f) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the identification and assessment of the ICT risks to which the financial entity is exposed; Article 31 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the identification and assessment of any ICT and information security risks resulting from any major change in ICT system or ICT services, processes, or procedures, and from ICT security testing results and after any major ICT-related incident. Article 31 1(e)] | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment. Article 7 2. {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 criteria for the selection of cryptographic techniques and use practices, taking into account leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and the classification of relevant ICT assets established in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities that are not able to adhere to the leading practices or standards, or to use the most reliable techniques, shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 3.] | Audits and risk management | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: network security; Article 1 ¶ 1(c)] | Audits and risk management | Preventive | |
Audit assets after maintenance was performed. CC ID 13657 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1] | System hardening through configuration management | Detective |

Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a testing program. CC ID 00654 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall establish and implement an ICT security testing plan to validate the effectiveness of their ICT security measures developed in accordance with Articles 33, 34 and 35 and Articles 37 and 38 of this Regulation. Financial entities shall ensure that that plan considers threats and vulnerabilities identified as part of the simplified ICT risk management framework referred to in Article 31 of this Regulation. Article 36 1.] | Monitoring and measurement | Preventive | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Monitoring and measurement | Preventive | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Corrective | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: withdrawal of access rights without undue delay upon termination of the employment or when the access is no longer necessary; Article 21 ¶ 1(e)(iii) The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts. Article 20 2 ¶ 1(b) {logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: access rights are periodically reviewed and are withdrawn when no longer required. Article 33 ¶ 1(e)] | Technical security | Corrective | |
Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: update of access rights where changes are necessary and at least once a year for all ICT systems, other than ICT systems supporting critical or important functions and at least every 6 months for ICT systems supporting critical or important functions; Article 21 ¶ 1(e)(iv)] | Technical security | Corrective | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Preventive | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to: for the staff, to return to the financial entity, upon termination of employment, all ICT assets and tangible information assets in their possession that belong to the financial entity. Article 19 ¶ 1(b)(iii)] | Physical and environmental protection | Preventive | |
Train personnel on the continuity plan. CC ID 00759 [{ICT third-party service provider} {assets} {digital operational resilience} For the purposes of point (k), financial entities shall consider the following: the need to ensure and maintain adequate competences within the financial entity in the management and security of the service used; Article 11 2 ¶ 3(c)] | Operational and Systems Continuity | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to: be aware of the reporting channels put in place by the financial entity for the detection of anomalous behaviour, including, where applicable, the reporting channels established in line with Directive (EU) 2019/1937 of the European Parliament and of the Council (11); Article 19 ¶ 1(b)(ii)] | Human Resources management | Preventive | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Operational management | Detective | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the documentation and communication of change details, including: Article 17 1(d) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the documentation and communication of change details, including: the purpose and scope of the change; Article 17 1(d)(i) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the documentation and communication of change details, including: the timeline for the implementation of the change; Article 17 1(d)(ii)] | Operational management | Preventive | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 [{reporting requirements} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: establishes reporting arrangements, including the frequency, form, and content of reporting to the management body on the information security and digital operational resilience. Article 28 2(i)] | Leadership and high level objectives | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 [{reporting requirements} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: establishes reporting arrangements, including the frequency, form, and content of reporting to the management body on the information security and digital operational resilience. Article 28 2(i)] | Leadership and high level objectives | Preventive | |
Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Preventive | |
Identify the material topics required to be reported on. CC ID 15654 | Leadership and high level objectives | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions; Article 3 ¶ 1(b)(i)] | Leadership and high level objectives | Preventive | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: procedures and protocols for handling errors; Article 8 2 ¶ 1(c)(i)] | Leadership and high level objectives | Corrective | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Preventive | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Preventive | |
Provide intelligence support to the organization, as necessary. CC ID 14020 | Monitoring and measurement | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Corrective | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 | Audits and risk management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: ensures that the staff of the financial entity is kept up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, commensurate to the ICT risk being managed; Article 28 2(h)] | Audits and risk management | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies; Article 28 2(d)(i)] | Audits and risk management | Preventive | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [{residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the review of the accepted residual ICT risks at least once a year, including: Article 3 ¶ 1(d)(iv) {residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance; Article 3 ¶ 1(d)(iii) {residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the review of the accepted residual ICT risks at least once a year, including: the identification of any changes to the residual ICT risks; Article 3 ¶ 1(d)(iv)(1) {residual risk} {be valid} {be applicable} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the review of the accepted residual ICT risks at least once a year, including: the assessment of whether the reasons justifying the acceptance of residual ICT risks are still valid and applicable at the date of the review; Article 3 ¶ 1(d)(iv)(3)] | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Preventive | |
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Technical security | Detective | |
Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Preventive | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Physical and environmental protection | Preventive | |
Obtain management approval prior to decommissioning assets. CC ID 17269 | Physical and environmental protection | Preventive | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Preventive | |
Review the beneficiaries of the insurance policy. CC ID 16563 | Operational and Systems Continuity | Detective | |
Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify capacity requirements of their ICT assets and measures to maintain and improve the availability and efficiency of ICT systems and prevent ICT capacity shortages before they materialise; Article 34 ¶ 1(c)] | Operational management | Preventive | |
Follow the resource workload schedule. CC ID 00941 | Operational management | Detective | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: Article 8 2 ¶ 1(b)] | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a data and system security procedure. Article 11 1.] | Operational management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Preventive | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 [{assess} The financial entities referred to in paragraph 1 shall review, asses and test ICT security measures, taking into consideration the overall risk profile of the ICT assets of the financial entity. Article 36 2.] | Operational management | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [{storage device} {critical function} {keep up to date} Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date. Article 7 4.] | Operational management | Preventive | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Analyze and respond to security alerts. CC ID 12504 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: prioritise the alerts referred to in point (b) to allow for the management of the detected ICT-related incidents within the expected resolution time, as specified by financial entities, both during and outside working hours; Article 23 2 ¶ 1(c)] | Operational management | Detective | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 [The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Detective | |
Implement changes according to the change control program. CC ID 11776 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: an adequate transition is designed; Article 17 1(c)(ii) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: the changes are tested and finalised in a controlled manner; Article 17 1(c)(iii) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Preventive | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 [The vulnerability management procedures referred to in paragraph 1 shall: prioritise the deployment of patches and other mitigation measures to address the vulnerabilities identified; Article 10 2 ¶ 1(f) {prioritization} {patch} {mitigation measure} For the purposes of point (f), financial entities shall consider the criticality of the vulnerability, the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the ICT assets affected by the identified vulnerabilities. Article 10 2 ¶ 5 The patch management procedures referred to in paragraph 3 shall: set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met. Article 10 4(d) {vulnerability assessment} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: perform automated vulnerability scanning and assessments of ICT assets commensurate to their classification as referred to in Article 30(1) and to the overall risk profile of the ICT asset, and deploy patches to address identified vulnerabilities; Article 34 ¶ 1(d)] | Operational management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: identify measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during development and implementation in the production environment. Article 37 ¶ 1(c)] | Operational management | Corrective | |
Establish and maintain end user support communications. CC ID 06615 | Systems design, build, and implementation | Preventive | |
Obtain authorization for marketing new products. CC ID 16805 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |
Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Privacy protection for information and data | Preventive | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: for ICT assets or services operated by an ICT third-party service provider, the identification and implementation of requirements to maintain digital operational resilience, in accordance with the results of the data classification and ICT risk assessment. Article 11 2 ¶ 1(k)] | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Preventive | |
Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Preventive | |
Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Preventive | |
Prioritize material topics used in reporting. CC ID 15678 | Leadership and high level objectives | Preventive | |
Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Preventive | |
Submit certification letters to interested personnel and affected parties. CC ID 16969 | Leadership and high level objectives | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Leadership and high level objectives | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Preventive | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Preventive | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Monitoring and measurement | Corrective | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Monitoring and measurement | Preventive | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Monitoring and measurement | Preventive | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Detective | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Preventive | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Preventive | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Monitoring and measurement | Preventive | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Preventive | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Preventive | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 | Monitoring and measurement | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
Disseminate and communicate the security report to interested personnel and affected parties. CC ID 16888 | Monitoring and measurement | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Preventive | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Preventive | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Preventive | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Preventive | |
Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Technical security | Preventive | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Detective | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Preventive | |
Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Technical security | Preventive | |
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Preventive | |
Disseminate and communicate the system and information integrity policy to interested personnel and affected parties. CC ID 14145 | Technical security | Preventive | |
Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 | Technical security | Preventive | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Preventive | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Technical security | Preventive | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Preventive | |
Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Technical security | Preventive | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Preventive | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Technical security | Preventive | |
Notify interested personnel and affected parties upon cryptographic key supersession. CC ID 17084 | Technical security | Preventive | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Corrective | |
Disseminate and communicate the physical and environmental protection policy to interested personnel and affected parties. CC ID 14169 | Physical and environmental protection | Preventive | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 | Physical and environmental protection | Preventive | |
Report damaged property to interested personnel and affected parties. CC ID 13702 | Physical and environmental protection | Corrective | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Preventive | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Preventive | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Preventive | |
Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Physical and environmental protection | Preventive | |
Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Physical and environmental protection | Preventive | |
Disseminate and communicate space weather information to interested personnel and affected parties. CC ID 17155 | Physical and environmental protection | Preventive | |
Alert appropriate personnel when an environmental control alert threshold is exceeded. CC ID 17268 | Physical and environmental protection | Preventive | |
Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Physical and environmental protection | Preventive | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 [{response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d)] | Operational and Systems Continuity | Preventive | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 | Operational and Systems Continuity | Preventive | |
Notify the primary facilities of any changes at the alternate facilities that could affect the continuity plan. CC ID 13225 | Operational and Systems Continuity | Preventive | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Preventive | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Preventive | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Preventive | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Preventive | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Preventive | |
Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Preventive | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Operational management | Detective | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Preventive | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Preventive | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Operational management | Preventive | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Preventive | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Preventive | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Preventive | |
Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Operational management | Preventive | |
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Preventive | |
Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 [{response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d)] | Operational management | Preventive | |
Include risk information when communicating critical security updates. CC ID 14948 | System hardening through configuration management | Preventive | |
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate the implementation strategy to interested personnel and affected parties. CC ID 11796 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 [By way of derogation from paragraph 5, the procedure referred to in paragraph 2 may provide that production data are stored only for specific testing occasions, for limited periods of time, and following the approval by the relevant function and the reporting of such occasions to the ICT risk management function. Article 16 6.] | Systems design, build, and implementation | Preventive | |
Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 [For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action. Article 10 2 ¶ 3 The vulnerability management procedures referred to in paragraph 1 shall: verify whether: whether those service providers report to the financial entity at least the critical vulnerabilities and statistics and trends in a timely manner; Article 10 2 ¶ 1(c)(ii)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Preventive | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Document the event information to be logged in the event information log specification. CC ID 00639 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created; Article 12 2 ¶ 1(a)] | Monitoring and measurement | Preventive | |
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Monitoring and measurement | Preventive | |
Enable and configure logging on network access controls in accordance with organizational standards. CC ID 01963 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the requirement to log events related to all of the following: network traffic activities, including ICT network performance; Article 12 2 ¶ 1(c)(v)] | Monitoring and measurement | Preventive | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: without prejudice to any applicable regulatory requirements under Union or national law, the synchronisation of the clocks of each of the financial entity's ICT systems upon a documented reliable reference time source. Article 12 2 ¶ 1(f)] | Monitoring and measurement | Preventive | |
Deny network access to rogue devices until network access approval has been received. CC ID 11852 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the identification and implementation of network access controls to prevent and detect connections to the financial entity's network by any unauthorised device or system, or any endpoint not meeting the financial entity's security requirements; Article 13 ¶ 1(d)] | Monitoring and measurement | Preventive | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Corrective | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Corrective | |
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Technical security | Preventive | |
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Technical security | Preventive | |
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Technical security | Preventive | |
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Technical security | Preventive | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Preventive | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [For the purposes of point (b), where encryption of data in use is not possible, financial entities shall process data in use in a separated and protected environment, or take equivalent measures to ensure the confidentiality, integrity, authenticity, and availability of data. Article 6 2 ¶ 2] | Technical security | Preventive | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
Establish, implement, and maintain session lock capabilities. CC ID 01417 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the procedures to limit, lock, and terminate system and remote sessions after a specified period of inactivity; Article 13 ¶ 1(l)] | Technical security | Preventive | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Preventive | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Preventive | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Preventive | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Preventive | |
Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Preventive | |
Configure network access and control points to protect restricted information and restricted functions. CC ID 01284 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the encryption of network connections passing over corporate networks, public networks, domestic networks, third-party networks, and wireless networks, for communication protocols used, taking into account the results of the approved data classification, the results of the ICT risk assessment and the encryption of network connections referred to in Article 6(2); Article 13 ¶ 1(e)] | Technical security | Preventive | |
Implement multifactor authentication techniques. CC ID 00561 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: the use of strong authentication methods in accordance with leading practices and techniques for remote access to the financial entity's network, for privileged access, for access to ICT assets supporting critical or important functions or ICT assets that are publicly accessible; Article 21 ¶ 1(f)(ii)] | Technical security | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Preventive | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Operational and Systems Continuity | Corrective | |
Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395 [{backup site} {be identical} In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: requires that arrangements are in place to: maintain a secondary processing site capable of ensuring continuity of critical or important functions of the central counterparty identical to the primary site; Article 24 2 ¶ 1(c)(ii)] | Operational and Systems Continuity | Preventive | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Corrective | |
Establish, implement, and maintain a configuration change log. CC ID 08710 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management; Article 34 ¶ 1(f)] | Operational management | Detective | |
Document external connections for all systems. CC ID 06415 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: whether the ICT asset can be or is exposed to external networks, including the internet; Article 4 2(b)(vii)] | System hardening through configuration management | Preventive | |
Establish, implement, and maintain configuration standards. CC ID 11953 | System hardening through configuration management | Preventive | |
Apply configuration standards to all systems, as necessary. CC ID 12503 [{ICT third-party service provider} {assets} {digital operational resilience} For the purposes of point (k), financial entities shall consider the following: the implementation of vendor recommended settings on the elements operated by the financial entity; Article 11 2 ¶ 3(a)] | System hardening through configuration management | Preventive | |
Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards. CC ID 04490 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the procedures to limit, lock, and terminate system and remote sessions after a specified period of inactivity; Article 13 ¶ 1(l)] | System hardening through configuration management | Preventive | |
Configure the Intrusion Detection System and the Intrusion Prevention System to detect rogue devices and unauthorized connections. CC ID 04837 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the identification and implementation of network access controls to prevent and detect connections to the financial entity's network by any unauthorised device or system, or any endpoint not meeting the financial entity's security requirements; Article 13 ¶ 1(d) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity's network, and to secure the network traffic between the financial entity's internal networks and the internet and other external connections; Article 35 ¶ 1(c)] | System hardening through configuration management | Preventive | |
Install critical security updates and important security updates in a timely manner. CC ID 01696 [The patch management procedures referred to in paragraph 3 shall: test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii); Article 10 4(c) The patch management procedures referred to in paragraph 3 shall: set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met. Article 10 4(d)] | System hardening through configuration management | Preventive | |
Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: contain safeguards against intrusions and data misuse; Article 2 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1] | System hardening through configuration management | Preventive | |
Configure Hypertext Transfer Protocol headers in accordance with organizational standards. CC ID 16851 | System hardening through configuration management | Preventive | |
Configure Hypertext Transfer Protocol security headers in accordance with organizational standards. CC ID 16488 | System hardening through configuration management | Preventive | |
Configure "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to organizational standards. CC ID 15385 | System hardening through configuration management | Preventive | |
Configure Microsoft Attack Surface Reduction rules in accordance with organizational standards. CC ID 16478 | System hardening through configuration management | Preventive | |
Configure "Remote host allows delegation of non-exportable credentials" to organizational standards. CC ID 15379 | System hardening through configuration management | Preventive | |
Configure "Configure enhanced anti-spoofing" to organizational standards. CC ID 15376 | System hardening through configuration management | Preventive | |
Configure "Block user from showing account details on sign-in" to organizational standards. CC ID 15374 | System hardening through configuration management | Preventive | |
Configure "Configure Attack Surface Reduction rules" to organizational standards. CC ID 15370 | System hardening through configuration management | Preventive | |
Configure "Turn on e-mail scanning" to organizational standards. CC ID 15361 | System hardening through configuration management | Preventive | |
Configure "Prevent users and apps from accessing dangerous websites" to organizational standards. CC ID 15359 | System hardening through configuration management | Preventive | |
Configure "Enumeration policy for external devices incompatible with Kernel DMA Protection" to organizational standards. CC ID 15352 | System hardening through configuration management | Preventive | |
Configure "Prevent Internet Explorer security prompt for Windows Installer scripts" to organizational standards. CC ID 15351 | System hardening through configuration management | Preventive | |
Store state information from applications and software separately. CC ID 14767 | System hardening through configuration management | Preventive | |
Configure the "aufs storage" to organizational standards. CC ID 14461 | System hardening through configuration management | Preventive | |
Configure the "AppArmor Profile" to organizational standards. CC ID 14496 | System hardening through configuration management | Preventive | |
Configure the "device" argument to organizational standards. CC ID 14536 | System hardening through configuration management | Preventive | |
Configure the "Docker" group ownership to organizational standards. CC ID 14495 | System hardening through configuration management | Preventive | |
Configure the "Docker" user ownership to organizational standards. CC ID 14505 | System hardening through configuration management | Preventive | |
Configure "Allow upload of User Activities" to organizational standards. CC ID 15338 | System hardening through configuration management | Preventive | |
Configure the "ulimit" to organizational standards. CC ID 14499 | System hardening through configuration management | Preventive | |
Configure the computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender properly. CC ID 05282 | System hardening through configuration management | Preventive | |
Configure the "Turn off Help Ratings" setting. CC ID 05285 | System hardening through configuration management | Preventive | |
Configure the "Decoy Admin Account Not Disabled" policy properly. CC ID 05286 | System hardening through configuration management | Preventive | |
Configure the "Anonymous access to the registry" policy properly. CC ID 05288 | System hardening through configuration management | Preventive | |
Configure the File System Checker and Popups setting. CC ID 05289 | System hardening through configuration management | Preventive | |
Configure the System File Checker setting. CC ID 05290 | System hardening through configuration management | Preventive | |
Configure the System File Checker Progress Meter setting. CC ID 05291 | System hardening through configuration management | Preventive | |
Configure the Protect Kernel object attributes properly. CC ID 05292 | System hardening through configuration management | Preventive | |
Verify crontab files are owned by an appropriate user or group. CC ID 05305 | System hardening through configuration management | Preventive | |
Verify the /etc/syslog.conf file is owned by an appropriate user or group. CC ID 05322 | System hardening through configuration management | Preventive | |
Verify the traceroute executable is owned by an appropriate user or group. CC ID 05323 | System hardening through configuration management | Preventive | |
Verify the /etc/passwd file is owned by an appropriate user or group. CC ID 05325 | System hardening through configuration management | Preventive | |
Configure the "Prohibit Access of the Windows Connect Now Wizards" setting. CC ID 05380 | System hardening through configuration management | Preventive | |
Configure the "Allow remote access to the PnP interface" setting. CC ID 05381 | System hardening through configuration management | Preventive | |
Configure the "Do not create system restore point when new device driver installed" setting. CC ID 05382 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Access to All Windows Update Feature" setting. CC ID 05383 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Automatic Root Certificates Update" setting. CC ID 05384 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Event Views 'Events.asp' Links" setting. CC ID 05385 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Internet File Association Service" setting. CC ID 05389 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting. CC ID 05390 | System hardening through configuration management | Preventive | |
Configure the "Turn off the 'Order Prints' Picture task" setting. CC ID 05391 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Windows Movie Maker Online Web Links" setting. CC ID 05392 | System hardening through configuration management | Preventive | |
Configure the "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting. CC ID 05393 | System hardening through configuration management | Preventive | |
Configure the "Don't Display the Getting Started Welcome Screen at Logon" setting. CC ID 05394 | System hardening through configuration management | Preventive | |
Configure the "Turn off Windows Startup Sound" setting. CC ID 05395 | System hardening through configuration management | Preventive | |
Configure the "Prevent IIS Installation" setting. CC ID 05398 | System hardening through configuration management | Preventive | |
Configure the "Turn off Active Help" setting. CC ID 05399 | System hardening through configuration management | Preventive | |
Configure the "Turn off Untrusted Content" setting. CC ID 05400 | System hardening through configuration management | Preventive | |
Configure the "Turn off downloading of enclosures" setting. CC ID 05401 | System hardening through configuration management | Preventive | |
Configure "Allow indexing of encrypted files" to organizational standards. CC ID 05402 | System hardening through configuration management | Preventive | |
Configure the "Prevent indexing uncached Exchange folders" setting. CC ID 05403 | System hardening through configuration management | Preventive | |
Configure the "Turn off Windows Calendar" setting. CC ID 05404 | System hardening through configuration management | Preventive | |
Configure the "Turn off Windows Defender" setting. CC ID 05405 | System hardening through configuration management | Preventive | |
Configure the "Turn off the communication features" setting. CC ID 05410 | System hardening through configuration management | Preventive | |
Configure the "Turn off Windows Meeting Space" setting. CC ID 05413 | System hardening through configuration management | Preventive | |
Configure the "Turn on Windows Meeting Space auditing" setting. CC ID 05414 | System hardening through configuration management | Preventive | |
Configure the "Disable unpacking and installation of gadgets that are not digitally signed" setting. CC ID 05415 | System hardening through configuration management | Preventive | |
Configure the "Override the More Gadgets Link" setting. CC ID 05416 | System hardening through configuration management | Preventive | |
Configure the "Turn Off User Installed Windows Sidebar Gadgets" setting. CC ID 05417 | System hardening through configuration management | Preventive | |
Configure the "Turn off Downloading of Game Information" setting. CC ID 05419 | System hardening through configuration management | Preventive | |
Set the noexec_user_stack flag on the user stack properly. CC ID 05439 | System hardening through configuration management | Preventive | |
Configure the "restrict guest access to system log" policy, as appropriate. CC ID 06047 | System hardening through configuration management | Preventive | |
Configure the Trusted Platform Module (TPM) platform validation profile, as appropriate. CC ID 06056 | System hardening through configuration management | Preventive | |
Enable or disable the standby states, as appropriate. CC ID 06060 | System hardening through configuration management | Preventive | |
Configure the Trusted Platform Module startup options properly. CC ID 06061 | System hardening through configuration management | Preventive | |
Configure the "Obtain Software Package Updates with apt-get" setting to organizational standards. CC ID 11375 | System hardening through configuration management | Preventive | |
Configure the "display a banner before authentication" setting for "LightDM" to organizational standards. CC ID 11385 | System hardening through configuration management | Preventive | |
Configure user accounts. CC ID 07036 | System hardening through configuration management | Preventive | |
Review and approve the firewall rules, as necessary. CC ID 06745 [For the purposes of point (h), financial entities shall perform the review of firewall rules and connections filters on a regular basis in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of ICT systems involved. For ICT systems that support critical or important functions, financial entities shall verify the adequacy of the existing firewall rules and connection filters at least every 6 months. Article 13 ¶ 2] | System hardening through configuration management | Preventive | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Preventive | |
Configure the log to capture the user's identification. CC ID 01334 [{generic account} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: a provision on user accountability, by limiting to the extent possible the use of generic and shared user accounts and ensuring that users are identifiable for the actions performed in the ICT systems at all times; Article 21 ¶ 1(c) {logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: user accountability, which ensures that users can be identified for the actions performed in the ICT systems; Article 33 ¶ 1(b)] | System hardening through configuration management | Preventive | |
Configure the log to capture a date and time stamp. CC ID 01336 [Financial entities shall log all relevant information for each detected anomalous activity enabling: the identification of the date and time of detection of the anomalous activity; Article 23 4(b) Financial entities shall log all relevant information for each detected anomalous activity enabling: the identification of the date and time of occurrence of the anomalous activity; Article 23 4(a)] | System hardening through configuration management | Preventive | |
Configure the log to capture the type of each event. CC ID 06423 [Financial entities shall log all relevant information for each detected anomalous activity enabling: the identification of the type of the anomalous activity. Article 23 4(c)] | System hardening through configuration management | Preventive | |
Configure all logs to capture auditable events or actionable events. CC ID 06332 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the requirement to log events related to all of the following: capacity management; Article 12 2 ¶ 1(c)(ii) The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the requirement to log events related to all of the following: ICT operations, including ICT system activities; Article 12 2 ¶ 1(c)(iv) The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the requirement to log events related to all of the following: logical and physical access control, as referred to in Article 21, and identity management; Article 12 2 ¶ 1(c)(i) Financial entities shall log all relevant information for each detected anomalous activity enabling: Article 23 4. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management; Article 34 ¶ 1(f)] | System hardening through configuration management | Preventive | |
Configure the log to capture account lockouts. CC ID 16470 | System hardening through configuration management | Preventive | |
Configure the log to capture execution events. CC ID 16469 | System hardening through configuration management | Preventive | |
Configure the log to capture AWS Organizations changes. CC ID 15445 | System hardening through configuration management | Preventive | |
Configure the log to capture Identity and Access Management policy changes. CC ID 15442 | System hardening through configuration management | Preventive | |
Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 | System hardening through configuration management | Preventive | |
Configure the log to capture route table changes. CC ID 15439 | System hardening through configuration management | Preventive | |
Configure the log to capture virtual private cloud changes. CC ID 15435 | System hardening through configuration management | Preventive | |
Configure the log to capture changes to encryption keys. CC ID 15432 | System hardening through configuration management | Preventive | |
Configure the log to capture unauthorized API calls. CC ID 15429 | System hardening through configuration management | Preventive | |
Configure the log to capture changes to network gateways. CC ID 15421 | System hardening through configuration management | Preventive | |
Configure the "logging level" to organizational standards. CC ID 14456 | System hardening through configuration management | Detective | |
Configure the event log settings for specific Operating System functions. CC ID 06337 | System hardening through configuration management | Preventive | |
Generate an alert when an audit log failure occurs. CC ID 06737 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to detect a failure of logging systems; Article 12 2 ¶ 1(e)] | System hardening through configuration management | Preventive | |
Configure dedicated systems used for system management according to organizational standards. CC ID 12132 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the use of a separate and dedicated network for the administration of ICT assets; Article 13 ¶ 1(c)] | System hardening through configuration management | Preventive | |
Configure dedicated systems used for system management to prohibit them from composing documents. CC ID 12161 | System hardening through configuration management | Preventive | |
Configure dedicated systems used for system management so they are prohibited from accessing e-mail. CC ID 12160 | System hardening through configuration management | Preventive | |
Configure initial system hardening according to the secure configuration baseline. CC ID 13824 [For the purposes of point (b), the secure configuration baseline referred to in that point shall take into account leading practices and appropriate techniques laid down in the standards defined in Article 2, point (1), of Regulation (EU) No 1025/2012. Article 11 2 ¶ 2 Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the implementation of a secure configuration baseline of all network components, and the hardening of the network and of network devices in line with any vendor instructions, where applicable standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and leading practices; Article 13 ¶ 1(k)] | System hardening through configuration management | Preventive | |
Configure the system's password field with a unique default password. CC ID 13825 | System hardening through configuration management | Preventive | |
Lock configurations to prevent circumventing security measures. CC ID 12187 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: the requirement to use security mechanisms that cannot be modified, removed or bypassed by staff members or ICT third-party service providers in an unauthorised manner; Article 11 2 ¶ 1(f)(ii)] | System hardening through configuration management | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the data source in the data governance and management practices. CC ID 17211 | Leadership and high level objectives | Preventive | |
Define the scope of the security policy. CC ID 07145 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1] | Leadership and high level objectives | Preventive | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Preventive | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Monitoring and measurement | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Preventive | |
Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Preventive | |
Include virtual systems in the network diagram. CC ID 16324 | Technical security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Technical security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 | Technical security | Preventive | |
Protect data stored at external locations. CC ID 16333 | Technical security | Preventive | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Preventive | |
Include the expiration date in digital signatures. CC ID 13833 | Technical security | Preventive | |
Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Preventive | |
Include the subject in digital signatures. CC ID 13832 | Technical security | Preventive | |
Include the issuer in digital signatures. CC ID 13831 | Technical security | Preventive | |
Include identifiers in the digital signature. CC ID 13829 | Technical security | Preventive | |
Encrypt in scope data or in scope information, as necessary. CC ID 04824 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c) {encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of data in use, where necessary; Article 6 2 ¶ 1(b)] | Technical security | Preventive | |
Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Preventive | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Preventive | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Preventive | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Preventive | |
Generate strong cryptographic keys. CC ID 01299 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Preventive | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Preventive | |
Store cryptographic keys securely. CC ID 01298 [Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment. Article 7 2. Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Preventive | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Preventive | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Corrective | |
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 [Financial entities shall develop and implement methods to replace the cryptographic keys in the case of loss, or where those keys are compromised or damaged. Article 7 3.] | Technical security | Corrective | |
Archive outdated cryptographic keys. CC ID 06884 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Preventive | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Preventive | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Preventive | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Preventive | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Preventive | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 [{residual risk} The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: the requirement to use removable data storage devices only where the residual ICT risk remains within the financial entity's risk tolerance level referred to in Article 3, first subparagraph, point (a); Article 11 2 ¶ 1(f)(iii)] | Operational management | Preventive | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the unique identifier of each ICT asset; Article 4 2(b)(i)] | Operational management | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Preventive | |
Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the links and interdependencies among ICT assets and the business functions using each ICT asset; Article 4 2(b)(viii)] | Operational management | Preventive | |
Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: where applicable, for all ICT assets, the end dates of the ICT third-party service provider's regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider; Article 4 2(b)(ix)] | Operational management | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 [{storage device} {critical function} {keep up to date} Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date. Article 7 4.] | Operational management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Preventive | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: a process to securely dispose of, or decommission, data storage devices on premises, or data storage devices that are stored externally, that contain confidential information; Article 35 ¶ 1(f)] | Operational management | Preventive | |
Approve tested change requests. CC ID 11783 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches; Article 17 1(g) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Preventive | |
Establish, implement, and maintain data availability controls. CC ID 15301 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: Article 18 2 ¶ 1(e) {capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the monitoring procedures for maintaining and improving: the availability of data and ICT systems; Article 9 1(c)(i) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1 The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions; Article 35 ¶ 1(d)] | Records management | Preventive | |
Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
Limit data leakage. CC ID 00356 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification and implementation of security measures to prevent data loss and leakage for systems and endpoint devices; Article 11 2 ¶ 1(i)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Preventive | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 [The financial entities referred to in paragraph 1 shall ensure an appropriate segregation and the independence of control functions and internal audit functions. Article 28 4.] | Audits and risk management | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5.] | Audits and risk management | Preventive | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Preventive | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available; Article 24 1(b)(i) {response measure} {recovery measure} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554; Article 28 2(d)(ii)] | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: backup and restore requirements of ICT systems; Article 8 2 ¶ 1(b)(i) {restoration measure} The ICT business continuity plans referred to in paragraph 1 shall: identify the restoration and recovery measures for critical or important business functions, supporting processes, information assets, and their interdependencies to avoid adverse effects on the functioning of the financial entities; Article 39 2 ¶ 1(f)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Human Resources management | Preventive | |
Classify assets according to the Asset Classification Policy. CC ID 07186 [As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed. Article 30 1. The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2254; Article 4 2(b)(iii)] | Operational management | Preventive | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 [Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment. Article 7 2. The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: identifies and implements procedures, ICT protocols, and tools that are necessary to protect all information assets and ICT assets; Article 28 2(g) {unsupported asset} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: manage the risks related to outdated, unsupported, or legacy ICT assets; Article 34 ¶ 1(e)] | Operational management | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [Financial entities shall set clear roles and responsibilities to effectively detect and respond to ICT-related incidents and anomalous activities. Article 23 1.] | Operational management | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: Article 18 2 ¶ 1(e)] | Records management | Preventive | |
Define and assign the system development project team roles and responsibilities. CC ID 01061 [The ICT project management policy referred to in paragraph 1 shall ensure the secure ICT project implementation through the provision of the necessary information and expertise from the business area or functions impacted by the ICT project. Article 15 4.] | Systems design, build, and implementation | Preventive | |
Establish and maintain the overall system development project management roles and responsibilities. CC ID 00991 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an ICT project management procedure and shall specify the roles and responsibilities for its implementation. That procedure shall cover all stages of the ICT projects from their initiation to their closure. Article 38 1.] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Leadership and high level objectives | Preventive | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Preventive | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Leadership and high level objectives | Preventive | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain warning procedures. CC ID 12407 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain alert procedures. CC ID 12406 | Leadership and high level objectives | Preventive | |
Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Preventive | |
Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Preventive | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Preventive | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Preventive | |
Define the thresholds for reporting in the external reporting program. CC ID 15679 | Leadership and high level objectives | Preventive | |
Include information about the organizational culture in the external reporting program. CC ID 15610 | Leadership and high level objectives | Preventive | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use; Article 12 2 ¶ 1(d) {data in transit} {data at rest} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to protect data in use, in transit, and at rest; Article 35 ¶ 1(a)] | Leadership and high level objectives | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Include contact information in the organization's policies, standards, and procedures. CC ID 17167 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: support and escalation contacts, including external support contacts in case of unexpected operational or technical issues; Article 8 2 ¶ 1(c)(ii)] | Leadership and high level objectives | Preventive | |
Include the effective date on all organizational policies. CC ID 06820 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: indicate the date of the formal approval of the ICT security policies by the management body; Article 2 2(b) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: the date of the approval of the report by the management body of the financial entity; Article 27 2 ¶ 1(b) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: where applicable, the date of the approval of the report by the management body of the financial entity; Article 41 2(b)] | Leadership and high level objectives | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: list the documentation to be maintained; Article 2 2(f)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: sets out information security objectives and ICT requirements; Article 28 2(c)] | Leadership and high level objectives | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Corrective | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: contain indicators and measures to: record exceptions from that implementation; Article 2 2(c)(ii)] | Leadership and high level objectives | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Preventive | |
Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 [{critical function} In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: Article 15 5.] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Leadership and high level objectives | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the objectives of the ICT business continuity policy, including the interrelation of ICT and overall business continuity, and considering the results of the business impact analysis (BIA) referred to in Article 11(5) of Regulation (EU) 2022/2554; Article 24 1(a)(i)] | Leadership and high level objectives | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the objectives of the ICT business continuity policy, including the interrelation of ICT and overall business continuity, and considering the results of the business impact analysis (BIA) referred to in Article 11(5) of Regulation (EU) 2022/2554; Article 24 1(a)(i)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain Information Technology project plans. CC ID 16944 [{project management} When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT project and change management; Article 1 ¶ 1(d) The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project planning, timeframe, and steps; Article 15 3(c)] | Leadership and high level objectives | Preventive | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Leadership and high level objectives | Preventive | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Leadership and high level objectives | Preventive | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 | Leadership and high level objectives | Preventive | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Leadership and high level objectives | Preventive | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: relevant milestones; Article 15 3(e)] | Leadership and high level objectives | Preventive | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Leadership and high level objectives | Corrective | |
Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506 [{mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 criteria for the selection of cryptographic techniques and use practices, taking into account leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and the classification of relevant ICT assets established in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities that are not able to adhere to the leading practices or standards, or to use the most reliable techniques, shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 3. {be resilient} {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 4.] | Monitoring and measurement | Preventive | |
Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Monitoring and measurement | Preventive | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 | Monitoring and measurement | Preventive | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Monitoring and measurement | Preventive | |
Include the purpose in the audit and accountability policy. CC ID 14100 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Monitoring and measurement | Preventive | |
Include management commitment in the audit and accountability policy. CC ID 14097 | Monitoring and measurement | Preventive | |
Include the scope in the audit and accountability policy. CC ID 14096 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: contain safeguards against intrusions and data misuse; Article 2 1(b)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an event logging policy. CC ID 15217 | Monitoring and measurement | Preventive | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Preventive | |
Review and update the list of auditable events in the event logging procedures. CC ID 10097 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the alignment of the level of detail of the logs with their purpose and usage to enable the effective detection of anomalous activities as referred to in Article 24; Article 12 2 ¶ 1(b)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: any changes to the ICT risk and cyber threat landscape; Article 3 ¶ 1(e)(i) Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: ICT risk of the financial entity that enables prompt detection of changes that could affect its ICT risk profile; Article 3 ¶ 1(e)(iii) {ICT risk management procedure} For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure: the monitoring of the effectiveness of the ICT risk treatment measures implemented; Article 3 ¶ 2(a)] | Monitoring and measurement | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Preventive | |
Include threats in the system security plan. CC ID 14693 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations. Article 2 2(k)] | Monitoring and measurement | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the design of networks in line with the ICT security requirements established by the financial entity, taking into account leading practices to ensure the confidentiality, integrity, and availability of the network; Article 13 ¶ 1(f)] | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption. Article 8 2 ¶ 1(c)(iii)] | Monitoring and measurement | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Preventive | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Preventive | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Preventive | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Preventive | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Preventive | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Preventive | |
Document improvement actions based on test results and exercises. CC ID 16840 | Monitoring and measurement | Preventive | |
Define the test requirements for each testing program. CC ID 13177 | Monitoring and measurement | Preventive | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Preventive | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Preventive | |
Define the test frequency for each testing program. CC ID 13176 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Monitoring and measurement | Preventive | |
Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Preventive | |
Include electrical systems in the business line testing strategy. CC ID 13251 | Monitoring and measurement | Preventive | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Preventive | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Preventive | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Preventive | |
Include environmental controls in the business line testing strategy. CC ID 13246 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement vulnerability management procedures. Article 10 1. {critical function} The vulnerability management procedures referred to in paragraph 1 shall: track the usage of: third-party libraries, including open-source libraries, used by ICT services supporting critical or important functions; Article 10 2 ¶ 1(d)(i) The vulnerability management procedures referred to in paragraph 1 shall: verify whether: ICT third-party service providers handle vulnerabilities related to the ICT services provided to the financial entity; Article 10 2 ¶ 1(c)(i)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [{vulnerability assessment} The vulnerability management procedures referred to in paragraph 1 shall: ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset; Article 10 2 ¶ 1(b)] | Monitoring and measurement | Preventive | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Preventive | |
Include the pass or fail test status in the test results. CC ID 17106 | Monitoring and measurement | Preventive | |
Include time information in the test results. CC ID 17105 | Monitoring and measurement | Preventive | |
Include a description of the system tested in the test results. CC ID 17104 | Monitoring and measurement | Preventive | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 [The financial entities referred to in paragraph 1 shall monitor and evaluate the results of the security tests and update their security measures accordingly without undue delay in the case of ICT systems supporting critical or important functions. Article 36 3.] | Monitoring and measurement | Corrective | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the availability, authenticity, integrity and confidentiality of data during network transmission, and the establishment of procedures to assess compliance with those requirements; Article 14 1(a)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: contain indicators and measures to: ensure that the digital operational resilience of the financial entity is ensured in case of exceptions as referred to in point (ii); Article 2 2(c)(iii)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: contain indicators and measures to: monitor the implementation of the ICT security policies, procedures, protocols, and tools; Article 2 2(c)(i)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created; Article 12 2 ¶ 1(a)] | Monitoring and measurement | Preventive | |
Include transfer procedures in the log management program. CC ID 17077 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain security reports. CC ID 16882 [{review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 41 2(a)(ii)] | Monitoring and measurement | Preventive | |
Include data handling procedures in the security report. CC ID 16889 | Monitoring and measurement | Preventive | |
Include a description of changes that have occurred in the security report. CC ID 16976 | Monitoring and measurement | Preventive | |
Include the implemented controls in the security report. CC ID 16974 | Monitoring and measurement | Preventive | |
Include a description of the computing environment in the security report. CC ID 16972 | Monitoring and measurement | Preventive | |
Include corrective actions taken in the security report. CC ID 16967 | Monitoring and measurement | Preventive | |
Include the inspection schedule in the security report. CC ID 16966 | Monitoring and measurement | Preventive | |
Include audit reports in the security report. CC ID 16964 | Monitoring and measurement | Preventive | |
Include third party certifications in the security report. CC ID 16960 | Monitoring and measurement | Preventive | |
Include disclosures of restricted data in the security report. CC ID 16892 | Monitoring and measurement | Preventive | |
Include re-disclosure agreements in the security report. CC ID 16895 | Monitoring and measurement | Preventive | |
Include a list of authorized personnel in the security report. CC ID 16887 | Monitoring and measurement | Preventive | |
Include the uses of restricted data in the security report. CC ID 16886 | Monitoring and measurement | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: an expected date for implementing the measures and dates related to the internal control of the implementation, including information on the state of progress of the implementation of those measures as at the date of drafting of the report, explaining, where applicable, if there is a risk that deadlines may not be respected; Article 27 2 ¶ 1(h)(ii)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Preventive | |
Establish and maintain audit terms. CC ID 13880 [Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the reason for the review of the ICT risk management framework in accordance with Article 6(5) of Regulation (EU) 2022/2554; Article 27 2 ¶ 1(c)] | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 [For the purposes of point (f), the description shall contain an analysis of the impact of the changes on the financial entity's digital operational resilience strategy, on the financial entity's ICT internal control framework, and on the financial entity's ICT risk management governance. Article 27 2 ¶ 3] | Audits and risk management | Preventive | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 [{ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a description of the reasons for the review, including: where the review has been initiated following the occurrence of ICT-related incidents, the list of all those ICT-related incidents with related incident root-cause analysis; Article 41 2(c)(ii) {review} {ICT risk management framework} For the purposes of point (c), where the review was initiated following supervisory instructions, or conclusions derived from relevant digital operational resilience testing or audit processes, the report shall contain explicit references to such instructions or conclusions, allowing for the identification of the reason for initiating the review. Where the review was initiated following ICT-related incidents, the report shall contain the list of all ICT-related incidents with incident root-cause analysis. Article 27 2 ¶ 2] | Audits and risk management | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5.] | Audits and risk management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: information on the process for informing the competent authority, where appropriate; Article 27 2 ¶ 1(h)(v)] | Audits and risk management | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: summarises the major changes in the ICT risk management framework since the previous report submitted; Article 27 2 ¶ 1(a)(iii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the major changes and improvements to the ICT risk management framework since the previous review; Article 27 2 ¶ 1(f) {review} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: a summary of the major changes in the ICT risk management framework since the previous report; Article 41 2(a)(iv) {review} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: a summary and a description of the impact of major changes to the simplified ICT risk management framework since the previous report; Article 41 2(a)(v)] | Audits and risk management | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 [{ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: overall conclusions on the review of the simplified ICT risk management framework, including any further planned developments. Article 41 2(h)] | Audits and risk management | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: for financial entities other than microenterprises as referred to in Article 6(6) of Regulation (EU) 2022/2554, the results of internal audits; Article 27 2 ¶ 1(l)(i) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: the results of compliance assessments; Article 27 2 ¶ 1(l)(ii)] | Audits and risk management | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Detective | |
Include the purpose in the audit report. CC ID 17263 | Audits and risk management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Preventive | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Preventive | |
Include written agreements in the audit report. CC ID 17266 | Audits and risk management | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a summary of the findings of the review and detailed analysis and assessment of the severity of the weaknesses, deficiencies, and gaps in the ICT risk management framework during the review period; Article 27 2 ¶ 1(g) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 41 2(a)(ii) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a summary of findings, and a self-assessment of the severity of the weaknesses, deficiencies, and gaps identified in ICT risk management framework for the review period, including a detailed analysis thereof; Article 41 2(f) {review} {ICT risk management framework} For the purposes of point (c), where the review was initiated following supervisory instructions, or conclusions derived from relevant digital operational resilience testing or audit processes, the report shall contain explicit references to such instructions or conclusions, allowing for the identification of the reason for initiating the review. Where the review was initiated following ICT-related incidents, the report shall contain the list of all ICT-related incidents with incident root-cause analysis. Article 27 2 ¶ 2] | Audits and risk management | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Preventive | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: Article 27 2 ¶ 1(h) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: overall conclusions on the review of the simplified ICT risk management framework, including any further planned developments. Article 41 2(h) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: a summary of measures taken to remediate to identified weaknesses, deficiencies and gaps; Article 27 2 ¶ 1(h)(i)] | Audits and risk management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: provides an executive level summary of the current and near-term ICT risk profile, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 27 2 ¶ 1(a)(iv)] | Audits and risk management | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 [{review} {ICT risk management framework} {be internal} {be external} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: tools to be used, and the identification of the function responsible for carrying out the measures, detailing whether the tools and functions are internal or external; Article 27 2 ¶ 1(h)(iii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: provides an executive level summary of the current and near-term ICT risk profile, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 27 2 ¶ 1(a)(iv)] | Audits and risk management | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: results of digital operational resilience testing, and where applicable the results of advanced testing, based on threat-led penetration testing (TLPT), of ICT tools, systems, and processes; Article 27 2 ¶ 1(l)(iii)] | Audits and risk management | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Preventive | |
Review past audit reports. CC ID 01155 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on past reviews, including: a list of past reviews to date; Article 27 2 ¶ 1(k)(i)] | Audits and risk management | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on past reviews, including: Article 27 2 ¶ 1(k)] | Audits and risk management | Detective | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a summary of the findings of the review and detailed analysis and assessment of the severity of the weaknesses, deficiencies, and gaps in the ICT risk management framework during the review period; Article 27 2 ¶ 1(g)] | Audits and risk management | Corrective | |
Include the results of the business impact analysis in the audit report. CC ID 17208 [{review} {ICT risk management framework} {financial resource} {human resource} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: a description of the impact of the changes envisaged in the measures on the financial entity's budgetary, human, and material resources, including resources dedicated to the implementation of any corrective measures; Article 27 2 ¶ 1(h)(iv) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: describes the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency; Article 27 2 ¶ 1(a)(ii)] | Audits and risk management | Preventive | |
Include an audit opinion in the audit report. CC ID 07017 [Financial entities shall include all of the following information in the report referred to in paragraph 1: conclusions resulting from the review of the ICT risk management framework; Article 27 2 ¶ 1(j) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: provides an executive level summary of the current and near-term ICT risk profile, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 27 2 ¶ 1(a)(iv)] | Audits and risk management | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: describes the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency; Article 27 2 ¶ 1(a)(ii)] | Audits and risk management | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 [{review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 41 2(a)(ii)] | Audits and risk management | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [{be searchable} Financial entities shall submit the report on the review of the ICT risk management framework referred to in Article 6(5) of Regulation (EU) 2022/2554 in a searchable electronic format. Article 27 1. {be searchable} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall submit the report on the review of the ICT risk management framework referred to in paragraph 2 of that Article in a searchable electronic format. Article 41 1.] | Audits and risk management | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [{be critical} Based on the outcome of the audit referred to in paragraph 5, the financial entities referred to in paragraph 1 shall ensure the timely verification and remediation of critical ICT audit findings. Article 28 6. {review} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on planned further developments of the ICT risk management framework; Article 27 2 ¶ 1(i) {ICT risk management framework} {review} {remedial measure} The report referred to in paragraph 1 shall contain all of the following information: remedying measures identified to address weaknesses, deficiencies, and gaps in the simplified ICT risk management framework, and the expected date for implementing those measures, including the follow-up on weaknesses, deficiencies, and gaps identified in previous reports, where those weaknesses, deficiencies, and gaps have not yet been remedied; Article 41 2(g)] | Audits and risk management | Corrective | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5. {ICT risk management framework} {start date} The report referred to in paragraph 1 shall contain all of the following information: the start and end date of the review period; Article 41 2(d)] | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1 Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: Article 3 ¶ 1 The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to; Article 28 2(f) {governance, risk, and compliance framework} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk to achieve a high level of digital operational resilience. Article 28 1.] | Audits and risk management | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1] | Audits and risk management | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1 Based on their information security policy referred to in paragraph 1, the financial entities referred to in paragraph 1 shall establish and implement ICT security measures to mitigate their exposure to ICT risk, including mitigating measures implemented by ICT third-party service providers. Article 29 2 ¶ 1] | Audits and risk management | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: requirements to ensure that the performance of internal audit and other testing minimises disruptions to business operations; Article 8 2 ¶ 1(b)(iv)] | Audits and risk management | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: Article 3 ¶ 1(b)] | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 [The financial entities referred to in paragraph 1 shall carry out and document the ICT risk assessment periodically commensurate to the financial entities' ICT risk profile. Article 31 2.] | Audits and risk management | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account. Article 3 ¶ 1(f)] | Audits and risk management | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 [The financial entities referred to in paragraph 1 shall carry out and document the ICT risk assessment periodically commensurate to the financial entities' ICT risk profile. Article 31 2.] | Audits and risk management | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity's activities. Article 1 ¶ 1(e)] | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: a determination of the risk tolerance levels for ICT risk, in accordance with the risk appetite of the financial entity; Article 31 1(a)] | Audits and risk management | Preventive | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [{ICT risk management procedure} For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure: the assessment of whether the established risk tolerance levels of the financial entity have been attained; Article 3 ¶ 2(b) The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: bears the overall responsibility for ensuring that the simplified ICT risk management framework allows for the achievement of the financial entity's business strategy in accordance with the risk appetite of that financial entity, and ensures that ICT risk is considered in that context; Article 28 2(a)] | Audits and risk management | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [{exceed} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the specification of mitigation strategies at least for the ICT risks that are not within the risk tolerance levels of the financial entity; Article 31 1(c)] | Audits and risk management | Preventive | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a); Article 3 ¶ 1(c)] | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Audits and risk management | Preventive | |
Include time information in the risk treatment plan. CC ID 16993 | Audits and risk management | Preventive | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Audits and risk management | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 [{ICT risk management procedure} {risk treatment measure} For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure: the assessment of whether the financial entity has taken actions to correct or improve those measures where necessary. Article 3 ¶ 2(c) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the monitoring of the effectiveness of the mitigation strategies referred to in point (c); Article 31 1(d)] | Audits and risk management | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a); Article 3 ¶ 1(c)] | Audits and risk management | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 [{residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the identification of those residual ICT risks; Article 3 ¶ 1(d)(i) {residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance; Article 3 ¶ 1(d)(iii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: where the weaknesses, deficiencies, or gaps identified are not subject to corrective measures, a detailed explanation of the criteria used to analyse the impact of those weaknesses, deficiencies, or gaps, to evaluate the related residual ICT risk, and of the criteria used to accept the related residual risk; Article 27 2 ¶ 1(h)(vi)] | Audits and risk management | Corrective | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [Based on their information security policy referred to in paragraph 1, the financial entities referred to in paragraph 1 shall establish and implement ICT security measures to mitigate their exposure to ICT risk, including mitigating measures implemented by ICT third-party service providers. Article 29 2 ¶ 1] | Audits and risk management | Preventive | |
Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity; Article 35 ¶ 1(b)] | Technical security | Preventive | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 [As part of their control of access management rights, financial entities shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities' information to enable assignment of user access rights in accordance with Article 21. Article 20 1. For the purposes of point (b), financial entities shall, where feasible and appropriate, deploy automated solutions for the lifecycle identity management process. Article 20 2 ¶ 3] | Technical security | Preventive | |
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 | Technical security | Preventive | |
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Preventive | |
Include termination procedures in the authorized representatives policy. CC ID 17226 | Technical security | Preventive | |
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Preventive | |
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Preventive | |
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Preventive | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 | Technical security | Preventive | |
Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Technical security | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
Establish, implement, and maintain access control policies. CC ID 00512 | Technical security | Preventive | |
Include roles and responsibilities in the access control policy. CC ID 14003 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: assignment of roles and responsibilities for granting, reviewing, and revoking access rights; Article 21 ¶ 1(e)(i)] | Technical security | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 [{logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: account management procedures to grant, change, or revoke access rights for user and generic accounts, including generic administrator accounts; Article 33 ¶ 1(c)] | Technical security | Preventive | |
Inventory all user accounts. CC ID 13732 | Technical security | Preventive | |
Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Technical security | Preventive | |
Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Preventive | |
Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Preventive | |
Establish, implement, and maintain access control procedures. CC ID 11663 | Technical security | Preventive | |
Document approving and granting access in the access control log. CC ID 06786 [{privileged access} {emergency access} {need-to-use basis} For the purposes of point (c), the financial entity shall assign privileged, emergency, and administrator access on a need-to-use or an ad-hoc basis for all ICT systems, and shall be logged in accordance with Article 34, first paragraph, point (f). Article 33 ¶ 2 The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management; Article 34 ¶ 1(f)] | Technical security | Preventive | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 [For the purposes of point (a), financial entities shall maintain records of all identity assignments. Those records shall be kept following a reorganisation of the financial entity or after the end of the contractual relationship without prejudice to the retention requirements laid down in applicable Union and national law. Article 20 2 ¶ 2] | Technical security | Preventive | |
Establish, implement, and maintain an identification and authentication policy. CC ID 14033 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: Article 21 ¶ 1(f) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1.] | Technical security | Preventive | |
Include the purpose in the identification and authentication policy. CC ID 14234 | Technical security | Preventive | |
Include the scope in the identification and authentication policy. CC ID 14232 | Technical security | Preventive | |
Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Technical security | Preventive | |
Include management commitment in the identification and authentication policy. CC ID 14229 | Technical security | Preventive | |
Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Technical security | Preventive | |
Include compliance requirements in the identification and authentication policy. CC ID 14225 | Technical security | Preventive | |
Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Technical security | Preventive | |
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance; Article 18 2 ¶ 1(d) As part of their control of access management rights, financial entities shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities' information to enable assignment of user access rights in accordance with Article 21. Article 20 1.] | Technical security | Preventive | |
Establish, implement, and maintain a system and information integrity policy. CC ID 14034 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1.] | Technical security | Preventive | |
Include compliance requirements in the system and information integrity policy. CC ID 14151 | Technical security | Preventive | |
Include coordination amongst entities in the system and information integrity policy. CC ID 14150 | Technical security | Preventive | |
Include management commitment in the system and information integrity policy. CC ID 14149 | Technical security | Preventive | |
Include roles and responsibilities in the system and information integrity policy. CC ID 14148 | Technical security | Preventive | |
Include the scope in the system and information integrity policy. CC ID 14147 | Technical security | Preventive | |
Include the purpose in the system and information integrity policy. CC ID 14146 | Technical security | Preventive | |
Establish, implement, and maintain system and information integrity procedures. CC ID 14051 | Technical security | Preventive | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Technical security | Preventive | |
Establish, implement, and maintain network segmentation requirements. CC ID 16380 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the criticality or importance of the function those ICT systems and networks support; Article 13 ¶ 1(a)(i) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: Article 13 ¶ 1(a)] | Technical security | Preventive | |
Establish, implement, and maintain a network security policy. CC ID 06440 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: network security; Article 1 ¶ 1(c) Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: ensure the security of networks; Article 2 1(a) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: Article 13 ¶ 1 Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the design of networks in line with the ICT security requirements established by the financial entity, taking into account leading practices to ensure the confidentiality, integrity, and availability of the network; Article 13 ¶ 1(f)] | Technical security | Preventive | |
Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Preventive | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Preventive | |
Include management commitment in the network security policy. CC ID 14203 | Technical security | Preventive | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Preventive | |
Include the scope in the network security policy. CC ID 14201 | Technical security | Preventive | |
Include the purpose in the network security policy. CC ID 14200 | Technical security | Preventive | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Technical security | Preventive | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Preventive | |
Maintain up-to-date network diagrams. CC ID 00531 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the performance of reviews of the network architecture and of the network security design once a year, and periodically for microenterprises, to identify potential vulnerabilities; Article 13 ¶ 1(i)] | Technical security | Preventive | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Preventive | |
Include the organization's name in the network diagram. CC ID 14318 | Technical security | Preventive | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Preventive | |
Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Preventive | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the performance of reviews of the network architecture and of the network security design once a year, and periodically for microenterprises, to identify potential vulnerabilities; Article 13 ¶ 1(i)] | Technical security | Preventive | |
Maintain up-to-date data flow diagrams. CC ID 10059 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the documentation of all of the financial entity's network connections and data flows; Article 13 ¶ 1(b)] | Technical security | Preventive | |
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Technical security | Detective | |
Include information flows to third parties in the data flow diagram. CC ID 13185 | Technical security | Preventive | |
Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Technical security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Preventive | |
Establish, implement, and maintain information flow procedures. CC ID 04542 [{refrain from disrupting} {without undue delay} Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: guarantee an accurate and prompt data transmission without major disruptions and undue delays. Article 2 1(d)] | Technical security | Preventive | |
Establish, implement, and maintain a data loss prevention program. CC ID 13050 | Technical security | Preventive | |
Include the data loss prevention strategy as part of the data loss prevention program. CC ID 13051 [In addition to the requirements referred to in paragraph 1, trading venues shall ensure that their ICT business continuity policy ensures that: the maximum amount of data that may be lost from any IT service of the trading venue after a disruptive incident is close to zero. Article 24 4(b)] | Technical security | Preventive | |
Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 | Technical security | Preventive | |
Include information security requirements in the remote access and teleworking program. CC ID 15704 [{personally owned device} The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the implementation of security measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the ICT security of the financial entity; Article 11 2 ¶ 1(j) {employee-owned device} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the financial entity's ability to carry out its critical activities in an adequate, timely, and secure manner. Article 35 ¶ 1(g)] | Technical security | Preventive | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Preventive | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: encryption and cryptography; Article 1 ¶ 1(a) As part of their ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on encryption and cryptographic controls. Article 6 1. {encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: Article 6 2 ¶ 1 {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 a requirement to record the adoption of mitigation and monitoring measures adopted in accordance with paragraphs 3 and 4 and to provide a reasoned explanation for doing so. Article 6 2(d) ¶ 5.] | Technical security | Preventive | |
Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 [{mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 a requirement to record the adoption of mitigation and monitoring measures adopted in accordance with paragraphs 3 and 4 and to provide a reasoned explanation for doing so. Article 6 5.] | Technical security | Preventive | |
Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 [{mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 a requirement to record the adoption of mitigation and monitoring measures adopted in accordance with paragraphs 3 and 4 and to provide a reasoned explanation for doing so. Article 6 5.] | Technical security | Preventive | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: encryption and cryptography; Article 1 ¶ 1(a)] | Technical security | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [{encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the cryptographic key management referred to in Article 7, laying down rules on the correct use, protection, and lifecycle of cryptographic keys. Article 6 2 ¶ 1(d) Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1. {be resilient} {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 4.] | Technical security | Preventive | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Preventive | |
Include cryptographic key expiration in the cryptographic key management procedures. CC ID 17079 | Technical security | Preventive | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Preventive | |
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 [Financial entities shall ensure the prompt renewal of certificates in advance of their expiration. Article 7 5.] | Technical security | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 | Technical security | Preventive | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification of security measures against malicious codes; Article 11 2 ¶ 1(d)] | Technical security | Preventive | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall specify, document, and implement a physical and environmental security policy. Financial entities shall design that policy in light of the cyber threat landscape, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and in light of the overall risk profile of ICT assets and accessible information assets. Article 18 1.] | Physical and environmental protection | Preventive | |
Include compliance requirements in the physical and environmental protection policy. CC ID 14174 | Physical and environmental protection | Preventive | |
Include coordination amongst entities in the physical and environmental protection policy. CC ID 14173 | Physical and environmental protection | Preventive | |
Include management commitment in the physical and environmental protection policy. CC ID 14172 | Physical and environmental protection | Preventive | |
Include roles and responsibilities in the physical and environmental protection policy. CC ID 14171 | Physical and environmental protection | Preventive | |
Include the scope in the physical and environmental protection policy. CC ID 14170 | Physical and environmental protection | Preventive | |
Include the purpose in the physical and environmental protection policy. CC ID 14168 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 [For the purposes of point (b), the measures to protect from environmental threats and hazards shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein. Article 18 2 ¶ 2 The protection from environmental threats and hazards shall be commensurate with the importance of the premises concerned and, where applicable, the data centres and the criticality of the operations or ICT systems located therein. Article 32 3.] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security procedures. CC ID 13076 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: Article 21 ¶ 1(g) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall identify and implement physical security measures designed on the basis of the threat landscape and in accordance with the classification referred to in Article 30(1) of this Regulation, the overall risk profile of ICT assets, and accessible information assets. Article 32 1.] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside; Article 18 2 ¶ 1(b) {physical security measures} The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards. Article 32 2.] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 [{closing procedure} For the purposes of point (a), central counterparties shall complete end of day procedures and payments on the required time and day in all circumstances. Article 24 2 ¶ 2] | Physical and environmental protection | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical access procedures. CC ID 13629 [{logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: Article 33 ¶ 1] | Physical and environmental protection | Preventive | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the identification and logging of natural persons that are authorised to access premises, data centres, and sensitive designated areas identified by the financial entity where ICT and information assets reside; Article 21 ¶ 1(g)(i) {critical asset} {ad hoc access} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the granting of physical access rights to critical ICT assets to authorised persons only, in accordance with the need-to-know and least privilege principles, and on an ad-hoc basis; Article 21 ¶ 1(g)(ii) {not be necessary} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the review of physical access rights to ensure that unnecessary access rights are promptly revoked. Article 21 ¶ 1(g)(iv) {physical access} For the purposes of point (g)(i), the identification and logging shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein. Article 21 ¶ 4] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Corrective | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a physical access log. CC ID 12080 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the identification and logging of natural persons that are authorised to access premises, data centres, and sensitive designated areas identified by the financial entity where ICT and information assets reside; Article 21 ¶ 1(g)(i) {physical access} For the purposes of point (g)(i), the identification and logging shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein. Article 21 ¶ 4] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Preventive | |
Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Preventive | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Preventive | |
Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Preventive | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Preventive | |
Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Preventive | |
Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Preventive | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; Article 8 2 ¶ 1(a)(i) The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the process to securely dispose or decommission of data storage devices present on premises of the financial entity or stored externally containing confidential information; Article 11 2 ¶ 1(h)] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity; Article 35 ¶ 1(b)] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Preventive | |
Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a clean desk policy. CC ID 06534 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: a clear desk policy for papers; Article 18 2 ¶ 1(e)(i)] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain geomagnetic disturbance operating procedures. CC ID 17158 | Physical and environmental protection | Preventive | |
Include coordination amongst entities in the geomagnetic disturbance operating plan. CC ID 17157 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a geomagnetic disturbance operating plan. CC ID 17156 | Physical and environmental protection | Preventive | |
Include roles and responsibilities in the geomagnetic disturbance operating procedures. CC ID 17154 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a cold weather preparedness plan. CC ID 17131 | Physical and environmental protection | Preventive | |
Include design specifications for applicable assets in the cold weather preparedness plan. CC ID 17144 | Physical and environmental protection | Preventive | |
Include limitations in the cold weather preparedness plan. CC ID 17143 | Physical and environmental protection | Preventive | |
Include performance data in the cold weather preparedness plan. CC ID 17142 | Physical and environmental protection | Preventive | |
Include maintenance requirements in the cold weather preparedness plan. CC ID 17141 | Physical and environmental protection | Preventive | |
Include freeze protection measures in the cold weather preparedness plan. CC ID 17140 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a business continuity policy. CC ID 12405 | Operational and Systems Continuity | Preventive | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 [In addition to the requirements referred to in paragraph 1, central securities depositories shall ensure that their ICT business continuity policy: takes into account any links and interdependencies to users, critical utilities and critical service providers, other central securities depositories and other market infrastructures; Article 24 3(a)] | Operational and Systems Continuity | Preventive | |
Include the scope in the business continuity policy. CC ID 14231 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the scope of the ICT business continuity arrangements, plans, procedures, and mechanisms, including limitations and exclusions; Article 24 1(a)(ii) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the timeframe to be covered by the ICT business continuity arrangements, plans, procedures, and mechanisms; Article 24 1(a)(iii)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 | Operational and Systems Continuity | Preventive | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 [The testing of business continuity plans referred to in paragraph 1 shall demonstrate that the financial entities referred to in that paragraph are able to sustain the viability of their businesses until critical operations are re-established and identify any deficiencies in those plans. Article 40 2.] | Operational and Systems Continuity | Preventive | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: Article 25 2 ¶ 1 {continuity test} For the purposes of point (c), the testing shall verify whether at least critical or important functions can be operated appropriately for a sufficient period of time, and whether the normal functioning may be restored. Article 25 2 ¶ 4] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Operational and Systems Continuity | Preventive | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the scope of the ICT business continuity arrangements, plans, procedures, and mechanisms, including limitations and exclusions; Article 24 1(a)(ii)] | Operational and Systems Continuity | Preventive | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 [{political issue} {social issue} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: political and social instability, including, where relevant, in the ICT third-party service provider's jurisdiction and the location where the data are stored and processed; Article 26 2(h)] | Operational and Systems Continuity | Preventive | |
Include a pandemic plan in the continuity plan. CC ID 06800 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks; Article 26 2(f)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{response measure} {recovery measure} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554; Article 28 2(d)(ii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop their ICT business continuity plans considering the results of the analysis of their exposures to and potential impact of severe business disruptions and scenarios to which their ICT assets supporting critical or important functions might be exposed, including a cyber-attack scenario. Article 39 1. The ICT business continuity plans referred to in paragraph 1 shall: be approved by the management body of the financial entity; Article 39 2 ¶ 1(a) {be readily accessible} The ICT business continuity plans referred to in paragraph 1 shall: be documented and readily accessible in the event of an emergency or crisis; Article 39 2 ¶ 1(b) The ICT business continuity plans referred to in paragraph 1 shall: be updated in line with lessons learned from incidents, tests, new risks, and threats identified, changed recovery objectives, major changes to the financial entity's organisation, and to the ICT assets supporting critical or business functions. Article 39 2 ¶ 1(j)] | Operational and Systems Continuity | Preventive | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: allocates and reviews at least once a year the budget necessary to fulfil the financial entity's digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff; Article 28 2(e) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available; Article 24 1(b)(i) The ICT business continuity plans referred to in paragraph 1 shall: allocate sufficient resources for their execution; Article 39 2 ¶ 1(c)] | Operational and Systems Continuity | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [{disseminate and communicate} {response plan} {recovery plan} For the purposes of point (d), financial entities shall clearly specify roles and responsibilities. Article 26 1 ¶ 2] | Operational and Systems Continuity | Preventive | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [{response plan} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: Article 26 2. The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups, and redundant facilities; Article 26 2(a) The ICT business continuity plans referred to in paragraph 1 shall: be updated in line with lessons learned from incidents, tests, new risks, and threats identified, changed recovery objectives, major changes to the financial entity's organisation, and to the ICT assets supporting critical or business functions. Article 39 2 ¶ 1(j)] | Operational and Systems Continuity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following: potential failure scenarios, including the scenarios referred to in Article 26(2) of this Regulation; Article 24 1(b)(ii)(1) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: provide for both short-term and long-term recovery options, including partial systems recovery; Article 26 1 ¶ 1(e) {response plan} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: Article 26 2. The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups, and redundant facilities; Article 26 2(a) Where the primary recovery measures may not be feasible in the short term because of costs, risks, logistics, or unforeseen circumstances, the ICT response and recovery plans referred to in paragraph 1 shall consider alternative options. Article 26 3. The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails, and duly consider the potential impact of the insolvency, or other failures, of any relevant ICT third-party service provider; Article 26 2(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop their ICT business continuity plans considering the results of the analysis of their exposures to and potential impact of severe business disruptions and scenarios to which their ICT assets supporting critical or important functions might be exposed, including a cyber-attack scenario. Article 39 1. The ICT business continuity plans referred to in paragraph 1 shall: consider alternative options where recovery may not be feasible in the short term because of costs, risks, logistics, or unforeseen circumstances; Article 39 2 ¶ 1(h)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Corrective | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the ICT business continuity requirements, including recovery time objectives and recovery point objectives; Article 4 2(b)(vi)] | Operational and Systems Continuity | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [{response plan} Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development, testing and review of ICT response and recovery plans, in accordance with Articles 25 and 26 of this Regulation; Article 24 1(b)(iv) {response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d) {response plan} {success} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: lay down the objectives of ICT response and recovery plans and the conditions to declare a successful execution of those plans. Article 26 1 ¶ 1(f)] | Operational and Systems Continuity | Preventive | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Operational and Systems Continuity | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Operational and Systems Continuity | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the criteria to activate and deactivate ICT business continuity plans, ICT response and recovery plans, and crisis communications plans; Article 24 1(a)(iv) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: specify the conditions prompting their activation or deactivation, and any exceptions for such activation or deactivation; Article 26 1 ¶ 1(a) {detection process} {incident response process} Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554: indications that malicious activity may have been carried out in an ICT system or network, or that such ICT system or network may have been compromised; Article 23 5(a) {detection process} {incident response process} Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554: adverse impact detected on financial entity's transactions and operations; Article 23 5(c) {detection process} {incident response process} Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554: data losses detected in relation to the availability, authenticity, integrity, and confidentiality of data; Article 23 5(b) {detection process} {incident response process} Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554: ICT systems' and network unavailability. Article 23 5(d) {trigger} {detection process} {incident response process} For the purposes of paragraph 5, financial entities shall also consider the criticality of the services affected. Article 23 6.] | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Preventive | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Detective | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development of ICT business continuity plans for severe business disruptions as part of those plans, and the prioritisation of ICT business continuity actions using a risk-based approach; Article 24 1(b)(iii)] | Operational and Systems Continuity | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 [When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity; Article 26 1 ¶ 1(b) {restoration measure} The ICT business continuity plans referred to in paragraph 1 shall: identify the restoration and recovery measures for critical or important business functions, supporting processes, information assets, and their interdependencies to avoid adverse effects on the functioning of the financial entities; Article 39 2 ¶ 1(f)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: substantial failure of ICT assets or of the communication infrastructure; Article 26 2(d) The ICT business continuity plans referred to in paragraph 1 shall: identify the conditions that may prompt the activation of the ICT business continuity plans and what actions are to be taken to ensure the availability, continuity, and recovery of the financial entities' ICT assets supporting critical or important functions; Article 39 2 ¶ 1(e)] | Operational and Systems Continuity | Preventive | |
Include emergency operating procedures in the continuity plan. CC ID 11694 | Operational and Systems Continuity | Preventive | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Operational and Systems Continuity | Preventive | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Operational and Systems Continuity | Preventive | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Operational and Systems Continuity | Preventive | |
Include outages in the emergency operating procedures. CC ID 17129 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development of ICT business continuity plans for severe business disruptions as part of those plans, and the prioritisation of ICT business continuity actions using a risk-based approach; Article 24 1(b)(iii) {widespread interruption} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: widespread power outages. Article 26 2(i)] | Operational and Systems Continuity | Preventive | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Operational and Systems Continuity | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed. Article 30 1.] | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the ICT business continuity requirements, including recovery time objectives and recovery point objectives; Article 4 2(b)(vi) {recovery time objective} In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: contains a maximum recovery time for their critical functions that is not longer than 2 hours; Article 24 2 ¶ 1(a) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following: recovery objectives, specifying that the financial entity shall be able to recover the operations of its critical or important functions after disruptions within a recovery time objective and a recovery point objective; Article 24 1(b)(ii)(2) In addition to the requirements referred to in paragraph 1, central securities depositories shall ensure that their ICT business continuity policy: requires its ICT business continuity arrangements to ensure that the recovery time objective for their critical or important functions shall not be longer than 2 hours. Article 24 3(b) In addition to the requirements referred to in paragraph 1, trading venues shall ensure that their ICT business continuity policy ensures that: trading can be resumed within or close to 2 hours of a disruptive incident; Article 24 4(a) {recovery time objective} {recovery point objective} The ICT business continuity plans referred to in paragraph 1 shall: establish planned recovery levels and timeframes for the recovery and resumption of functions and key internal and external dependencies, including ICT third-party service providers; Article 39 2 ¶ 1(d)] | Operational and Systems Continuity | Preventive | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Operational and Systems Continuity | Preventive | |
Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 [In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: requires that arrangements are in place to: ensure the continuity of critical or important functions of the central counterparty based on disaster scenarios; Article 24 2 ¶ 1(c)(i)] | Operational and Systems Continuity | Preventive | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Operational and Systems Continuity | Preventive | |
Include telecommunications continuity procedures in the continuity plan. CC ID 11691 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: substantial failure of ICT assets or of the communication infrastructure; Article 26 2(d)] | Operational and Systems Continuity | Preventive | |
Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails, and duly consider the potential impact of the insolvency, or other failures, of any relevant ICT third-party service provider; Article 26 2(b) As part of the ICT response and recovery plans referred to in paragraph 1, financial entities shall consider and implement continuity measures to mitigate failures of ICT third-party service providers of ICT services supporting critical or important functions of the financial entity. Article 26 4.] | Operational and Systems Continuity | Detective | |
Designate an alternate facility in the continuity plan. CC ID 00742 [In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: requires that arrangements are in place to: consider the need for additional processing sites, in particular where the diversity of the risk profiles of the primary and secondary sites does not provide sufficient confidence that the central counterparty's business continuity objectives will be met in all scenarios. Article 24 2 ¶ 1(c)(iv)] | Operational and Systems Continuity | Detective | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Operational and Systems Continuity | Preventive | |
Include naming conventions in the backup policy. CC ID 16218 | Operational and Systems Continuity | Preventive | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the criteria to activate and deactivate ICT business continuity plans, ICT response and recovery plans, and crisis communications plans; Article 24 1(a)(iv) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment of the ICT business continuity policy to: the communication policy referred to in Article 14(2) of Regulation (EU) 2022/2554; Article 24 1(b)(vi)(1) {communication protocol} {incident communication protocol} Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment of the ICT business continuity policy to: the communication and crisis communication actions referred to in Article 11(2), point (e), of Regulation (EU) 2022/2554. Article 24 1(b)(vi)(2) {communication protocol} The ICT business continuity plans referred to in paragraph 1 shall: specify the internal and external communication arrangements, including escalation plans; Article 39 2 ¶ 1(i)] | Operational and Systems Continuity | Preventive | |
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Operational and Systems Continuity | Detective | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Operational and Systems Continuity | Detective | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Operational and Systems Continuity | Detective | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Operational and Systems Continuity | Detective | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 [{be readily accessible} The ICT business continuity plans referred to in paragraph 1 shall: be documented and readily accessible in the event of an emergency or crisis; Article 39 2 ¶ 1(b)] | Operational and Systems Continuity | Preventive | |
Include alert processes in Service Level Agreements for alternate facilities. CC ID 17127 | Operational and Systems Continuity | Preventive | |
Include monitoring and logging processes in Service Level Agreements for alternate facilities. CC ID 17126 | Operational and Systems Continuity | Preventive | |
Include recovery time in Service Level Agreements for all alternate facilities. CC ID 16331 | Operational and Systems Continuity | Preventive | |
Include priority-of-service provisions in Service Level Agreements for all alternate facilities. CC ID 16330 | Operational and Systems Continuity | Preventive | |
Include backup media transportation in Service Level Agreements for alternate facilities. CC ID 16329 | Operational and Systems Continuity | Preventive | |
Include transportation services in Service Level Agreements for alternate facilities. CC ID 16328 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 | Operational and Systems Continuity | Preventive | |
Include recovery procedures in the continuity test plan. CC ID 14876 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following: recovery objectives, specifying that the financial entity shall be able to recover the operations of its critical or important functions after disruptions within a recovery time objective and a recovery point objective; Article 24 1(b)(ii)(2) {redundant infrastructure} Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: for financial entities, other than microenterprises, as referred to in Article 11(6), second subparagraph, of Regulation (EU) 2022/2554, contain scenarios of switchover from primary ICT infrastructure to the redundant capacity, backups and redundant facilities; Article 25 2 ¶ 1(c) {continuity test} For the purposes of point (c), the testing shall verify whether at least critical or important functions can be operated appropriately for a sufficient period of time, and whether the normal functioning may be restored. Article 25 2 ¶ 4] | Operational and Systems Continuity | Preventive | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans; Article 25 2 ¶ 1(d)] | Operational and Systems Continuity | Preventive | |
Include test scenarios in the continuity test plan. CC ID 13506 [For the purposes of point (a), financial entities shall always include in the testing the scenarios considered for the development of the business continuity plans. Article 25 2 ¶ 2 {continuity test} For the purposes of point (b), financial entities shall duly consider scenarios linked to insolvency or failures of the ICT third-party service providers or linked to political risks in the ICT third-party service providers' jurisdictions, where relevant. Article 25 2 ¶ 3] | Operational and Systems Continuity | Preventive | |
Include the risk assessment results in the continuity test plan. CC ID 17205 [When testing the ICT business continuity plans in accordance with Article 11(6), of Regulation (EU) 2022/2554, financial entities shall take into account the financial entity's business impact analysis (BIA) and the ICT risk assessment referred to in Article 3(1), point (b), of this Regulation. Article 25 1.] | Operational and Systems Continuity | Preventive | |
Include the business impact analysis test results in the continuity test plan. CC ID 17204 [When testing the ICT business continuity plans in accordance with Article 11(6), of Regulation (EU) 2022/2554, financial entities shall take into account the financial entity's business impact analysis (BIA) and the ICT risk assessment referred to in Article 3(1), point (b), of this Regulation. Article 25 1.] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: allocates and reviews at least once a year the budget necessary to fulfil the financial entity's digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff; Article 28 2(e)] | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 [Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to: be informed about, and adhere to, the financial entity's ICT security policies, procedures, and protocols; Article 19 ¶ 1(b)(i)] | Human Resources management | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 [Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to: be informed about, and adhere to, the financial entity's ICT security policies, procedures, and protocols; Article 19 ¶ 1(b)(i)] | Human Resources management | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 [{capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the identification of capacity requirements of their ICT systems; Article 9 1(a) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify capacity requirements of their ICT assets and measures to maintain and improve the availability and efficiency of ICT systems and prevent ICT capacity shortages before they materialise; Article 34 ¶ 1(c)] | Operational management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [{governance, risk, and compliance framework} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk to achieve a high level of digital operational resilience. Article 28 1.] | Operational management | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Preventive | |
Include governance threshold requirements in the governance policy. CC ID 16933 | Operational management | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
Include cloud services in the internal control framework. CC ID 17262 | Operational management | Preventive | |
Include cloud security controls in the internal control framework. CC ID 17264 | Operational management | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 [The financial entities referred to in paragraph 1 shall set out alert thresholds and criteria to trigger and initiate ICT-related incident response processes. Article 31 4.] | Operational management | Preventive | |
Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Operational management | Preventive | |
Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Operational management | Preventive | |
Include protection measures in the cybersecurity framework. CC ID 17278 | Operational management | Preventive | |
Include the scope in the cybersecurity framework. CC ID 17277 | Operational management | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: Article 2 1. The ICT security measures shall include all of the measures referred to in Articles 30 to 38. Article 29 2 ¶ 2] | Operational management | Preventive | |
Include system development in the information security program. CC ID 12389 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: identify security practices and methodologies relating to the acquisition, development, and maintenance of ICT systems; Article 16 1(a)] | Operational management | Preventive | |
Include system maintenance in the information security program. CC ID 12388 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: identify security practices and methodologies relating to the acquisition, development, and maintenance of ICT systems; Article 16 1(a) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii)] | Operational management | Preventive | |
Include system acquisition in the information security program. CC ID 12387 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: identify security practices and methodologies relating to the acquisition, development, and maintenance of ICT systems; Article 16 1(a)] | Operational management | Preventive | |
Include access control in the information security program. CC ID 12386 [{access rights} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: a reference to the section of the policy on control of access management rights referred to in Article 21, first paragraph, point (g); Article 18 2 ¶ 1(a)] | Operational management | Preventive | |
Include operations management in the information security program. CC ID 12385 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT operations security; Article 1 ¶ 1(b)] | Operational management | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
Include risk management in the information security program. CC ID 12378 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT operations security; Article 1 ¶ 1(b) When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity's activities. Article 1 ¶ 1(e) Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: Article 2 1. When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1] | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: consider leading practices and, where applicable, standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012; Article 2 2(h) Financial entities shall ensure that the ICT security policies referred to in paragraph 1: take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations. Article 2 2(k) Financial entities shall ensure that the ICT security policies referred to in paragraph 1: are reviewed in accordance with Article 6(5) of Regulation (EU) 2022/2554; Article 2 2(j) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1.] | Operational management | Preventive | |
Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: specify the responsibilities of staff at all levels to ensure the financial entity's ICT security; Article 2 2(d) {digital operational resilience} For the purposes of point (k), financial entities shall consider the following: a clear allocation of information security roles and responsibilities between the financial entity and the ICT third-party service provider, in accordance with the principle of full responsibility of the financial entity over its ICT third-party service provider referred to in Article 28(1), point (a), of Regulation (EU) 2022/2554, and for financial entities referred to in Article 28(2) of that Regulation, and in accordance with the financial entity's policy on the use of ICT services supporting critical or important functions; Article 11 2 ¶ 3(b) Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: the identification and assignment of any specific ICT security responsibilities; Article 19 ¶ 1(a)] | Operational management | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations. Article 2 2(k)] | Operational management | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: are aligned to the financial entity's information security objectives included in the digital operational resilience strategy referred to in Article 6(8) of Regulation (EU) 2022/2554; Article 2 2(a) The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: sets out information security objectives and ICT requirements; Article 28 2(c)] | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations. Article 8 1.] | Operational management | Preventive | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Preventive | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Preventive | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Preventive | |
Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Preventive | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Preventive | |
Include continuous monitoring in the operational control procedures. CC ID 17137 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: Article 8 2 ¶ 1(b)] | Operational management | Preventive | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Preventive | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Preventive | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 | Operational management | Preventive | |
Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations. Article 8 1.] | Operational management | Preventive | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: scheduling requirements, taking into consideration interdependencies among the ICT systems; Article 8 2 ¶ 1(b)(ii)] | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 [{personally owned device} The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the implementation of security measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the ICT security of the financial entity; Article 11 2 ¶ 1(j) {employee-owned device} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the financial entity's ability to carry out its critical activities in an adequate, timely, and secure manner. Article 35 ¶ 1(g)] | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding the management of information assets used by ICT assets, including their processing and handling, both automated and manual; Article 8 2 ¶ 1(a)(ii)] | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification of security measures to ensure that only authorised data storage media, systems, and endpoint devices are used to transfer and store data of the financial entity; Article 11 2 ¶ 1(e)] | Operational management | Preventive | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Preventive | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Preventive | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Preventive | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Preventive | |
Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Preventive | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Preventive | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Preventive | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [{nondisclosure agreement} As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: that requirements on confidentiality or non-disclosure arrangements reflecting the financial entity's needs for the protection of information for both the staff of the financial entity and of third parties are implemented, documented, and regularly reviewed. Article 14 1(c)] | Operational management | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
Establish, implement, and maintain system administration procedures. CC ID 16481 [For the purposes of point (e)(ii), financial entities shall, where possible, use dedicated accounts for the performance of administrative tasks on ICT systems. Where feasible and appropriate, financial entities shall deploy automated solutions for the privilege access management. Article 21 ¶ 3] | Operational management | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on management of ICT assets. Article 4 1.] | Operational management | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 [Financial entities shall develop, document, and implement a procedure for the management of ICT assets. Article 5 1. The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding the management of information assets used by ICT assets, including their processing and handling, both automated and manual; Article 8 2 ¶ 1(a)(ii) {legacy system} The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding the identification and control of legacy ICT systems; Article 8 2 ¶ 1(a)(iii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: monitor and manage the lifecycle of all ICT assets; Article 34 ¶ 1(a)] | Operational management | Preventive | |
Include installation requirements in the asset management program. CC ID 17195 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; Article 8 2 ¶ 1(a)(i)] | Operational management | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 [As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed. Article 30 1. The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies; Article 28 2(d)(i)] | Operational management | Preventive | |
Define confidentiality controls. CC ID 01908 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c) The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance; Article 18 2 ¶ 1(d) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1 The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions; Article 35 ¶ 1(d)] | Operational management | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Preventive | |
Define integrity controls. CC ID 01909 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c) The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance; Article 18 2 ¶ 1(d) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity; Article 26 1 ¶ 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1] | Operational management | Preventive | |
Define availability controls. CC ID 01911 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c) The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance; Article 18 2 ¶ 1(d) {capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the monitoring procedures for maintaining and improving: the availability of data and ICT systems; Article 9 1(c)(i) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity; Article 26 1 ¶ 1(b)] | Operational management | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: Article 8 2 ¶ 1(a)] | Operational management | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Preventive | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 [{storage device} {critical function} {keep up to date} Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date. Article 7 4.] | Operational management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Preventive | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 [{legacy system} The policy on management of ICT assets referred to in paragraph 1 shall: for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554. Article 4 2(c)] | Operational management | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Preventive | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the business functions or services supported by the ICT asset; Article 4 2(b)(v)] | Operational management | Preventive | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the identity of ICT asset owners; Article 4 2(b)(iv)] | Operational management | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Preventive | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity; Article 35 ¶ 1(b)] | Operational management | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity's ICT systems. Article 15 2.] | Operational management | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: Article 16 1.] | Operational management | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; Article 8 2 ¶ 1(a)(i) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii)] | Operational management | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: Article 37 ¶ 1] | Operational management | Preventive | |
Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Establish, implement, and maintain an incident management policy. CC ID 16414 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: Article 22 ¶ 1] | Operational management | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [The financial entities referred to in paragraph 1 shall set out alert thresholds and criteria to trigger and initiate ICT-related incident response processes. Article 31 4.] | Operational management | Preventive | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify and implement measures to monitor and analyse information on anomalous activities and behaviour for critical or important ICT operations; Article 34 ¶ 1(g)] | Operational management | Preventive | |
Include incident management procedures in the Incident Management program. CC ID 12689 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: document the ICT-related incident management process referred to in Article 17 of Regulation (EU) 2022/2554; Article 22 ¶ 1(a) {cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish, implement, and operate technical, organisational, and operational mechanisms to support the ICT-related incident management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours in accordance with Article 23 of this Regulation; Article 22 ¶ 1(c)] | Operational management | Preventive | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually. Article 23 2 ¶ 1(d)] | Operational management | Preventive | |
Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 [{response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d) {response plan} {success} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: lay down the objectives of ICT response and recovery plans and the conditions to declare a successful execution of those plans. Article 26 1 ¶ 1(f)] | Operational management | Preventive | |
Include addressing external communications in the incident response plan. CC ID 13351 | Operational management | Preventive | |
Include addressing internal communications in the incident response plan. CC ID 13350 | Operational management | Preventive | |
Include change control procedures in the incident response plan. CC ID 15479 | Operational management | Preventive | |
Include addressing information sharing in the incident response plan. CC ID 13349 | Operational management | Preventive | |
Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Operational management | Preventive | |
Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Operational management | Preventive | |
Include the management support needed for incident response in the incident response plan. CC ID 14300 | Operational management | Preventive | |
Include root cause analysis in the incident response plan. CC ID 16423 | Operational management | Preventive | |
Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Operational management | Preventive | |
Include the resources needed for incident response in the incident response plan. CC ID 14292 | Operational management | Preventive | |
Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Operational management | Preventive | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 [{response measure} {recovery measure} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554; Article 28 2(d)(ii)] | Operational management | Preventive | |
Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on: the detection and monitoring of cyber threats; Article 22 ¶ 1(b)(i)] | Operational management | Preventive | |
Include log management procedures in the incident response program. CC ID 17081 [{internal factor} The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity; Article 23 2 ¶ 1(a)(i)] | Operational management | Preventive | |
Prepare for incident response notifications. CC ID 00584 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: ICT-related incident notification from an ICT third-party service provider of the financial entity detected in the ICT systems and networks of the ICT third-party service provider and that may affect the financial entity; Article 23 2 ¶ 1(a)(iii)] | Operational management | Preventive | |
Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Preventive | |
Include roles and responsibilities in the incident response policy. CC ID 14105 [{disseminate and communicate} {response plan} {recovery plan} For the purposes of point (d), financial entities shall clearly specify roles and responsibilities. Article 26 1 ¶ 2] | Operational management | Preventive | |
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Operational management | Preventive | |
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 [{capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the monitoring procedures for maintaining and improving: the prevention of ICT capacity shortages. Article 9 1(c)(iii)] | Operational management | Preventive | |
Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: for network services agreements: the identification and specification of ICT and information security measures, service levels, and management requirements of all network services; Article 13 ¶ 1(m)(i)] | Operational management | Preventive | |
Include the management requirements for network services in the Service Level Agreement. CC ID 12025 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: for network services agreements: the identification and specification of ICT and information security measures, service levels, and management requirements of all network services; Article 13 ¶ 1(m)(i)] | Operational management | Preventive | |
Include the service levels for network services in the Service Level Agreement. CC ID 12024 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: for network services agreements: the identification and specification of ICT and information security measures, service levels, and management requirements of all network services; Article 13 ¶ 1(m)(i)] | Operational management | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 [{project management} When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT project and change management; Article 1 ¶ 1(d) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2. The ICT project management policy referred to in paragraph 1 shall contain all of the following: change management requirements; Article 15 3(f)] | Operational management | Preventive | |
Include version control in the change control program. CC ID 13119 | Operational management | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Operational management | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption. Article 8 2 ¶ 1(c)(iii)] | Operational management | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the identification of fall-back procedures and responsibilities, including procedures and responsibilities for aborting changes or recovering from changes not successfully implemented; Article 17 1(e)] | Operational management | Preventive | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a verification of whether the ICT security requirements have been met; Article 17 1(a) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the identification of the potential impact of a change on existing ICT security measures and an assessment of whether such change requires the adoption of additional ICT security measures. Article 17 1(h) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the documentation and communication of change details, including: the expected outcomes; Article 17 1(d)(iii)] | Operational management | Preventive | |
Document all change requests in change request forms. CC ID 06794 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: mechanisms to ensure the independence of the functions that approve changes and the functions responsible for requesting and implementing those changes; Article 17 1(b) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: changes are specified and planned; Article 17 1(c)(i) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 [The patch management procedures referred to in paragraph 3 shall: identify emergency procedures for the patching and updating of ICT assets; Article 10 4(b) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: procedures, protocols, and tools to manage emergency changes that provide adequate safeguards; Article 17 1(f)] | Operational management | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches; Article 17 1(g)] | Operational management | Preventive | |
Establish, implement, and maintain a transition strategy. CC ID 17049 | Operational management | Preventive | |
Include monitoring requirements in the transition strategy. CC ID 17290 | Operational management | Preventive | |
Include resources in the transition strategy. CC ID 17289 | Operational management | Preventive | |
Include time requirements in the transition strategy. CC ID 17288 | Operational management | Preventive | |
Document the sources of all software updates. CC ID 13316 | Operational management | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document and implement patch management procedures. Article 10 3. The patch management procedures referred to in paragraph 3 shall: to the extent possible identify and evaluate available software and hardware patches and updates using automated tools; Article 10 4(a)] | Operational management | Preventive | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 [The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Detective | |
Establish, implement, and maintain a configuration management policy. CC ID 14023 | System hardening through configuration management | Preventive | |
Include compliance requirements in the configuration management policy. CC ID 14072 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; Article 8 2 ¶ 1(a)(i)] | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification of a secure configuration baseline for ICT assets that minimise exposure of those ICT assets to cyber threats and measures to verify regularly that those baselines are effectively deployed; Article 11 2 ¶ 1(b)] | System hardening through configuration management | Preventive | |
Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Preventive | |
Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Preventive | |
Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Preventive | |
Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Preventive | |
Include installed custom software in the baseline configuration. CC ID 13274 | System hardening through configuration management | Preventive | |
Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Preventive | |
Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Preventive | |
Define the relationships and dependencies between Configurable Items. CC ID 02134 [As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed. Article 30 1.] | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a system hardening standard. CC ID 00876 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the implementation of a secure configuration baseline of all network components, and the hardening of the network and of network devices in line with any vendor instructions, where applicable standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and leading practices; Article 13 ¶ 1(k)] | System hardening through configuration management | Preventive | |
Include common security parameter settings in the configuration standards for all systems. CC ID 12544 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a records authentication system. CC ID 11648 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: Article 18 2 ¶ 1(e)] | Records management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: Article 16 1.] | Systems design, build, and implementation | Preventive | |
Include continuous protection of systems or system components in the security design principles. CC ID 14748 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain system design requirements. CC ID 06618 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; Article 37 ¶ 1(a)] | Systems design, build, and implementation | Preventive | |
Identify and document system development constraints. CC ID 11698 | Systems design, build, and implementation | Preventive | |
Review the degree of human intervention and control points in the system design requirements. CC ID 13536 | Systems design, build, and implementation | Detective | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 [The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity's ICT systems. Article 15 2.] | Systems design, build, and implementation | Preventive | |
Include data governance and management practices in the system design project management framework. CC ID 15053 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain project management standards. CC ID 00992 [{project management} When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT project and change management; Article 1 ¶ 1(d) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document, and implement an ICT project management policy. Article 15 1. The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project governance, including roles and responsibilities; Article 15 3(b)] | Systems design, build, and implementation | Preventive | |
Include objectives in the project management standard. CC ID 17202 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project objectives; Article 15 3(a)] | Systems design, build, and implementation | Preventive | |
Include time requirements in the project management standard. CC ID 17199 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project planning, timeframe, and steps; Article 15 3(c)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain project management procedures. CC ID 17200 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project planning, timeframe, and steps; Article 15 3(c)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain integrated project plans. CC ID 01056 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an ICT project management procedure and shall specify the roles and responsibilities for its implementation. That procedure shall cover all stages of the ICT projects from their initiation to their closure. Article 38 1.] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a project test plan. CC ID 01001 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: the testing of all requirements, including security requirements, and the respective approval process when deploying an ICT system in the production environment. Article 15 3(g)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a project team plan. CC ID 06533 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project governance, including roles and responsibilities; Article 15 3(b)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain system testing procedures. CC ID 11744 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1] | Systems design, build, and implementation | Preventive | |
Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 [{address} {code anomalies} The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: monitor the implementation of that action plan. Article 16 3(c)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a system testing program for all system development projects. CC ID 01101 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1 The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure the testing and approval of ICT systems prior to their first use and before introducing changes to the production environment; Article 37 ¶ 1(b)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a vulnerability disclosure policy. CC ID 14934 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain vulnerability disclosure procedures. CC ID 16489 [The vulnerability management procedures referred to in paragraph 1 shall: establish procedures for the responsible disclosure of vulnerabilities to clients, counterparties, and to the public; Article 10 2 ¶ 1(e)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain system acquisition contracts. CC ID 14758 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include security requirements in system acquisition contracts. CC ID 01124 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; Article 37 ¶ 1(a)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Include operational requirements in system acquisition contracts. CC ID 00825 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; Article 37 ¶ 1(a)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Obtain system documentation before acquiring products and services. CC ID 01445 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: technical specifications and ICT technical specifications, as defined in Article 2, points (4) and (5), of Regulation (EU) No 1025/2012; Article 16 1(b)(i)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include instructions on how to use the security functions in the user documentation. CC ID 14314 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include security functions in the user documentation. CC ID 14313 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include a description of user interactions in the user documentation. CC ID 14311 | Acquisition or sale of facilities, technology, and services | Preventive | |
Require the information system developer to create a continuous monitoring plan. CC ID 14307 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: Article 16 1.] | Acquisition or sale of facilities, technology, and services | Preventive | |
Include compliance requirements in the product and services acquisition policy. CC ID 14163 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include management commitment in the product and services acquisition policy. CC ID 14161 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the scope in the product and services acquisition policy. CC ID 14159 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include the purpose in the product and services acquisition policy. CC ID 14158 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: Article 37 ¶ 1 The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity's ICT systems. Article 15 2.] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: Article 18 2 ¶ 1(e) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1.] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain a privacy impact assessment. CC ID 13712 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity's activities. Article 1 ¶ 1(e)] | Privacy protection for information and data | Preventive | |
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Privacy protection for information and data | Preventive | |
Include how to grant consent in the privacy impact assessment. CC ID 15519 | Privacy protection for information and data | Preventive | |
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Privacy protection for information and data | Preventive | |
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Privacy protection for information and data | Preventive | |
Include data handling procedures in the privacy impact assessment. CC ID 15516 | Privacy protection for information and data | Preventive | |
Include the intended use of information in the privacy impact assessment. CC ID 15515 | Privacy protection for information and data | Preventive | |
Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
Include on-site visits in third party contracts. CC ID 17306 | Third Party and supply chain oversight | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Preventive | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Third Party and supply chain oversight | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Third Party and supply chain oversight | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 [The financial entities referred to in paragraph 1 shall identify all critical or important functions supported by ICT third-party service providers. Article 30 2.] | Third Party and supply chain oversight | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action. Article 10 2 ¶ 3] | Third Party and supply chain oversight | Preventive | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 [{assets} {digital operational resilience} For the purposes of point (k), financial entities shall consider the following: technical and organisational measures to minimise the risks related to the infrastructure used by the ICT third-party service provider for its ICT services, considering leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012. Article 11 2 ¶ 3(d)] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Third Party and supply chain oversight | Preventive | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 [{be responsible} The financial entities referred to in paragraph 1 may, in accordance with Union and national sectoral law, outsource the tasks of verifying compliance with ICT risk management requirements to ICT intra-group or ICT third-party service providers. In case of such outsourcing, financial entities shall remain fully responsible for the verification of compliance with the ICT risk management requirements. Article 28 3.] | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Preventive | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Monitoring and measurement | Preventive | |
Assign the Board of Directors to address audit findings. CC ID 12396 [{be critical} Based on the outcome of the audit referred to in paragraph 5, the financial entities referred to in paragraph 1 shall ensure the timely verification and remediation of critical ICT audit findings. Article 28 6.] | Audits and risk management | Corrective | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Detective | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Detective | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available; Article 24 1(b)(i)] | Operational and Systems Continuity | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 [{continuity arrangement} For the purposes of point (c)(i), arrangements referred to in that point shall address the availability of adequate human resources, the maximum downtime of critical functions, and fail over and recovery to a secondary site. Article 24 2 ¶ 3 {be unavailable} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: the non-availability of a critical number of staff or staff members in charge of guaranteeing the continuity of operations; Article 26 2(e)] | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies; Article 28 2(d)(i)] | Human Resources management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the identification of the roles and responsibilities and steps for the specification, implementation, approval, change, and review of firewall rules and connections filters; Article 13 ¶ 1(h)] | Human Resources management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): the assignment of roles and responsibilities regarding: the acceptance of the residual ICT risks that exceed the financial entity's risk tolerance level referred to in point (a); Article 3 ¶ 1(d)(ii)(1) {residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): the assignment of roles and responsibilities regarding: for the review process referred to in point (iv) of this point (d); Article 3 ¶ 1(d)(ii)(2) The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: bears the overall responsibility for ensuring that the simplified ICT risk management framework allows for the achievement of the financial entity's business strategy in accordance with the risk appetite of that financial entity, and ensures that ICT risk is considered in that context; Article 28 2(a) The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: sets clear roles and responsibilities for all ICT-related tasks; Article 28 2(b)] | Human Resources management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Preventive | |
Assign the roles and responsibilities for the change control program. CC ID 13118 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: Article 17 1(c) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the identification of fall-back procedures and responsibilities, including procedures and responsibilities for aborting changes or recovering from changes not successfully implemented; Article 17 1(e)] | Human Resources management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
Establish, implement, and maintain an insider threat program. CC ID 10687 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: insider attacks; Article 26 2(g)] | Human Resources management | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: identify the roles and responsibilities for the development, implementation and maintenance of ICT security policies, procedures, protocols, and tools; Article 2 2(i)] | Operational management | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Preventive | |
Involve all stakeholders in the final acceptance test. CC ID 13168 [Central counterparties shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: clearing members and clients; Article 16 2 ¶ 2(a) {be interoperable} Central counterparties shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: interoperable central counterparties; Article 16 2 ¶ 2(b) Central counterparties shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: other interested parties. Article 16 2 ¶ 2(c) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: users; Article 16 2 ¶ 3(a) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: critical utilities and critical service providers; Article 16 2 ¶ 3(b) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: other central securities depositories; Article 16 2 ¶ 3(c) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: other market infrastructures; Article 16 2 ¶ 3(d) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: any other institutions with which central securities depositories have identified interdependencies in their business continuity policy. Article 16 2 ¶ 3(e) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: any other institutions with which central securities depositories have identified interdependencies in their ICT business continuity policy. Article 17 2 ¶ 3(e) {changes} Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: clearing members and clients; Article 17 2 ¶ 2(a) {changes} {be interoperable} Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: interoperable central counterparties; Article 17 2 ¶ 2(b) {changes} Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: other interested parties, Article 17 2 ¶ 2(c) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: users; Article 17 2 ¶ 3(a) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: critical utilities and critical service providers; Article 17 2 ¶ 3(b) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: other central securities depositories; Article 17 2 ¶ 3(c) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: other market infrastructures; Article 17 2 ¶ 3(d)] | Systems design, build, and implementation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Check the list of material topics for completeness. CC ID 15692 | Leadership and high level objectives | Preventive | |
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Monitoring and measurement | Detective | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Monitoring and measurement | Detective | |
Review retail payment service reports, as necessary. CC ID 13545 | Monitoring and measurement | Detective | |
Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Detective | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Detective | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 [The vulnerability management procedures referred to in paragraph 1 shall: monitor and verify the remediation of vulnerabilities; Article 10 2 ¶ 1(g)] | Audits and risk management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
Verify proof of identity records. CC ID 13761 | Technical security | Detective | |
Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management; Article 34 ¶ 1(f)] | Technical security | Detective | |
Scan for malicious code, as necessary. CC ID 11941 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i)] | Technical security | Detective | |
Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Detective | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Detective | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
Identify root causes of incidents that force system changes. CC ID 13482 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish and implement mechanisms to analyse significant or recurring ICT-related incidents and patterns in the number and the occurrence of ICT-related incidents. Article 22 ¶ 1(e)] | Operational management | Detective | |
Protect devices containing digital forensic evidence during transport. CC ID 08687 [{data at rest} Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. Article 23 3.] | Operational management | Detective | |
Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 [{data at rest} Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. Article 23 3.] | Operational management | Detective | |
Secure devices containing digital forensic evidence. CC ID 08681 [{data at rest} Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. Article 23 3.] | Operational management | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain monitoring and logging operations. CC ID 00637 [Financial entities shall, as part of the safeguards against intrusions and data misuse, develop, document, and implement logging procedures, protocols and tools. Article 12 1.] | Monitoring and measurement | Detective | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 [{audit trail information} The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: protocols for audit-trail and system log information; Article 8 2 ¶ 1(b)(iii) For the purposes of point (f), financial entities shall align the level of detail of the logs with their purpose and usage of the ICT asset producing those logs. Article 34 ¶ 2] | Monitoring and measurement | Detective | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Detective | |
Log account usage times. CC ID 07099 | Monitoring and measurement | Detective | |
Protect logs from unauthorized activity. CC ID 01345 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use; Article 12 2 ¶ 1(d) The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created; Article 12 2 ¶ 1(a)] | Monitoring and measurement | Preventive | |
Maintain a log of the overrides of the biometric system. CC ID 17000 | Technical security | Preventive | |
Log the individual's address in the facility access list. CC ID 16921 | Physical and environmental protection | Preventive | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Physical and environmental protection | Preventive | |
Log the organization's name in the facility access list. CC ID 16919 | Physical and environmental protection | Preventive | |
Log the individual's name in the facility access list. CC ID 16918 | Physical and environmental protection | Preventive | |
Log the purpose in the facility access list. CC ID 16982 | Physical and environmental protection | Preventive | |
Log the level of access in the facility access list. CC ID 16975 | Physical and environmental protection | Preventive | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Physical and environmental protection | Preventive | |
Record the date and time of departure in the visitor log. CC ID 16897 | Physical and environmental protection | Preventive | |
Record the type of identification used in the visitor log. CC ID 16916 | Physical and environmental protection | Preventive | |
Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Detective | |
Include the requestor's name in the physical access log. CC ID 16922 | Physical and environmental protection | Preventive | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Preventive | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Preventive | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Preventive | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Preventive | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Preventive | |
Include time information in the chain of custody. CC ID 17068 | Operational management | Preventive | |
Include actions performed on evidence in the chain of custody. CC ID 17067 | Operational management | Preventive | |
Include individuals who had custody of evidence in the chain of custody. CC ID 17066 | Operational management | Preventive | |
Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 | System hardening through configuration management | Preventive | |
Configure the log to capture startups and shutdowns. CC ID 16491 | System hardening through configuration management | Preventive | |
Configure the log to capture user queries and searches. CC ID 16479 | System hardening through configuration management | Preventive | |
Configure the log to capture Internet Protocol addresses. CC ID 16495 | System hardening through configuration management | Preventive | |
Configure the log to capture error messages. CC ID 16477 | System hardening through configuration management | Preventive | |
Configure the log to capture system failures. CC ID 16475 | System hardening through configuration management | Preventive | |
Configure the log to capture attempts to bypass or circumvent security controls. CC ID 17078 | System hardening through configuration management | Preventive | |
Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 | System hardening through configuration management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Operational management | Preventive | |
Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Operational management | Preventive | |
Include roles and responsibilities in the maintenance report. CC ID 17086 | Operational management | Preventive | |
Include the date and time of maintenance in the maintenance report. CC ID 17085 | Operational management | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Preventive | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Preventive | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitoring and measurement | Detective | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554; Article 4 2(a) As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations. Article 8 1. {critical function} For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage to the extent possible of third-party libraries, including open-source libraries. Article 10 2 ¶ 4 The vulnerability management procedures referred to in paragraph 1 shall: track the usage of: ICT services developed by the financial entity itself or specifically customised or developed for the financial entity by an ICT third-party service provider; Article 10 2 ¶ 1(d)(ii) {capacity management procedure} The capacity and performance management procedures referred to in paragraph 1 shall ensure that financial entities take measures that are appropriate to cater for the specificities of ICT systems with long or complex procurement or approval processes or ICT systems that are resource-intensive. Article 9 2. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: monitor and manage the lifecycle of all ICT assets; Article 34 ¶ 1(a) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: monitor whether the ICT assets are supported by ICT third-party service providers of financial entities, where applicable; Article 34 ¶ 1(b)] | Monitoring and measurement | Detective | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks; Article 26 2(f)] | Monitoring and measurement | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions; Article 23 2 ¶ 1(b)] | Monitoring and measurement | Detective | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions; Article 23 2 ¶ 1(b)] | Monitoring and measurement | Detective | |
Monitor and evaluate system performance. CC ID 00651 [{capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the monitoring procedures for maintaining and improving: the efficiency of ICT systems; Article 9 1(c)(ii)] | Monitoring and measurement | Detective | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually. Article 23 2 ¶ 1(d) {cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish, implement, and operate technical, organisational, and operational mechanisms to support the ICT-related incident management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours in accordance with Article 23 of this Regulation; Article 22 ¶ 1(c) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify and implement measures to monitor and analyse information on anomalous activities and behaviour for critical or important ICT operations; Article 34 ¶ 1(g)] | Monitoring and measurement | Detective | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 | Monitoring and measurement | Preventive | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitoring and measurement | Detective | |
Monitor for and report when a software configuration is updated. CC ID 06746 [{critical function} For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage to the extent possible of third-party libraries, including open-source libraries. Article 10 2 ¶ 4] | Monitoring and measurement | Detective | |
Log account usage durations. CC ID 12117 | Monitoring and measurement | Detective | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: any changes to the ICT risk and cyber threat landscape; Article 3 ¶ 1(e)(i) Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: internal and external vulnerabilities and threats; Article 3 ¶ 1(e)(ii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to monitor relevant and up-to-date information about cyber threats; Article 34 ¶ 1(h) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i) The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions. Article 31 3.] | Monitoring and measurement | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Detective | |
Monitor for new vulnerabilities. CC ID 06843 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: internal and external vulnerabilities and threats; Article 3 ¶ 1(e)(ii) The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions. Article 31 3.] | Monitoring and measurement | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Preventive | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the monitoring of physical access to premises, data centres, and sensitive designated areas identified by the financial entity where ICT and information assets or both reside; Article 21 ¶ 1(g)(iii) {physical access} For the purposes of point (g)(iii), the monitoring shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the criticality of the area accessed. Article 21 ¶ 5] | Physical and environmental protection | Detective | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Preventive | |
Monitor the location of distributed assets. CC ID 11684 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: information on the location, either physical or logical, of all ICT assets; Article 4 2(b)(ii)] | Physical and environmental protection | Detective | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks; Article 26 2(f)] | Operational and Systems Continuity | Detective | |
Monitor and review the effectiveness of the information security program. CC ID 12744 [{assess} The financial entities referred to in paragraph 1 shall review, asses and test ICT security measures, taking into consideration the overall risk profile of the ICT assets of the financial entity. Article 36 2.] | Operational management | Preventive | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 [{internal factor} The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity; Article 23 2 ¶ 1(a)(i)] | Operational management | Corrective | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c)] | Records management | Detective | |
Analyze business activities to ensure information is categorized for system design projects. CC ID 11794 | Systems design, build, and implementation | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Create security zones in facilities, as necessary. CC ID 16295 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside; Article 18 2 ¶ 1(b)] | Physical and environmental protection | Preventive | |
Control physical access to (and within) the facility. CC ID 01329 [{critical asset} {ad hoc access} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the granting of physical access rights to critical ICT assets to authorised persons only, in accordance with the need-to-know and least privilege principles, and on an ad-hoc basis; Article 21 ¶ 1(g)(ii)] | Physical and environmental protection | Preventive | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Preventive | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Preventive | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside; Article 18 2 ¶ 1(b) {physical security measures} The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards. Article 32 2.] | Physical and environmental protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Detective | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [{unattended equipment} For the purposes of point (c), the physical and environmental security policy referred to in paragraph 1 shall contain measures to provide appropriate protection to unattended ICT assets. Article 18 2 ¶ 3] | Physical and environmental protection | Preventive | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Preventive | |
Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 [{on-site physical control} {off-site physical control} {on-site logical control} {off-site logical control} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets; Article 18 2 ¶ 1(c)] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 [{on-site physical control} {off-site physical control} {on-site logical control} {off-site logical control} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets; Article 18 2 ¶ 1(c)] | Physical and environmental protection | Preventive | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Preventive | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Preventive | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 | Physical and environmental protection | Preventive | |
Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 [{geographical risk factor} For the purposes of point (c)(ii), the secondary processing site referred to in that point shall have a geographical risk profile which is distinct from that of the primary site. Article 24 2 ¶ 4] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain physical access controls for alternate facilities. CC ID 13226 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain physical security controls at the alternate facility. CC ID 17125 | Operational and Systems Continuity | Preventive | |
Include anti-counterfeit measures in the system requirements specification. CC ID 11547 | Systems design, build, and implementation | Preventive | |
Include anti-counterfeit measures that make attempts to circumvent them evident during the anti-counterfeit authentication test in the system requirements specification. CC ID 11552 | Systems design, build, and implementation | Preventive | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Preventive | |
Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Preventive | |
Review and approve the material topics, as necessary. CC ID 15670 | Leadership and high level objectives | Preventive | |
Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Leadership and high level objectives | Preventive | |
Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Preventive | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Detective | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Corrective | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
Identify risk management measures when testing in scope systems. CC ID 14960 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall establish and implement an ICT security testing plan to validate the effectiveness of their ICT security measures developed in accordance with Articles 33, 34 and 35 and Articles 37 and 38 of this Regulation. Financial entities shall ensure that that plan considers threats and vulnerabilities identified as part of the simplified ICT risk management framework referred to in Article 31 of this Regulation. Article 36 1.] | Monitoring and measurement | Detective | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Monitoring and measurement | Preventive | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Monitoring and measurement | Preventive | |
Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Preventive | |
Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Preventive | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Corrective | |
Evaluate cyber threat intelligence. CC ID 12747 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity; Article 23 2 ¶ 1(a)(ii)] | Monitoring and measurement | Detective | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Audits and risk management | Preventive | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Detective | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Detective | |
Approve the risk acceptance level, as necessary. CC ID 17168 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: an indication of the approval of the risk tolerance level for ICT risk established in accordance with Article 6(8), point (b), of Regulation (EU) 2022/2554; Article 3 ¶ 1(a)] | Audits and risk management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Detective | |
Implement digital identification processes. CC ID 13731 | Technical security | Preventive | |
Implement identity proofing processes. CC ID 13719 | Technical security | Preventive | |
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Technical security | Preventive | |
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Technical security | Preventive | |
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Technical security | Detective | |
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Technical security | Preventive | |
Interact with the data subject when performing remote proofing. CC ID 13777 | Technical security | Detective | |
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Technical security | Preventive | |
View all applicant actions when performing remote proofing. CC ID 13804 | Technical security | Detective | |
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Technical security | Preventive | |
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Technical security | Detective | |
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Technical security | Detective | |
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Technical security | Preventive | |
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Technical security | Preventive | |
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Technical security | Detective | |
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Technical security | Preventive | |
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Technical security | Preventive | |
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Technical security | Detective | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Detective | |
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Technical security | Detective | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Detective | |
Allow records that relate to the data subject as proof of identity. CC ID 13772 | Technical security | Preventive | |
Conduct in-person proofing with physical interactions. CC ID 13775 | Technical security | Detective | |
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Technical security | Preventive | |
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Technical security | Preventive | |
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Technical security | Preventive | |
Refrain from approving attributes in the identity proofing process. CC ID 13716 | Technical security | Preventive | |
Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Technical security | Detective | |
Enforce the network segmentation requirements. CC ID 16381 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the overall risk profile of ICT assets using those ICT systems and networks; Article 13 ¶ 1(a)(iii)] | Technical security | Preventive | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Technical security | Detective | |
Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Technical security | Detective | |
Assign virtual escorting to authorized personnel. CC ID 16440 | Technical security | Preventive | |
Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Corrective | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Preventive | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Physical and environmental protection | Preventive | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: the requirement to use a management solution to remotely manage the endpoint devices and remotely wipe the financial entity's data; Article 11 2 ¶ 1(f)(i)] | Physical and environmental protection | Corrective | |
Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Physical and environmental protection | Preventive | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Corrective | |
Employ environmental protections. CC ID 12570 [For the purposes of point (b), the measures to protect from environmental threats and hazards shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein. Article 18 2 ¶ 2 {physical security measures} The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards. Article 32 2.] | Physical and environmental protection | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Preventive | |
Conduct governance meetings, as necessary. CC ID 16946 | Operational management | Preventive | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Preventive | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Preventive | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Preventive | |
Coordinate outages with affected parties. CC ID 17160 | Operational management | Preventive | |
Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Preventive | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Preventive | |
Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Preventive | |
Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: specify the consequences of non-compliance by staff of the financial entity with the ICT security policies, where provisions to that effect are not laid down in other policies of the financial entity; Article 2 2(e)] | Operational management | Corrective | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 [{continuity arrangement} For the purposes of point (c)(i), arrangements referred to in that point shall address the availability of adequate human resources, the maximum downtime of critical functions, and fail over and recovery to a secondary site. Article 24 2 ¶ 3] | Operational management | Preventive | |
Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Operational management | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Preventive | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [{internal factor} The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity; Article 23 2 ¶ 1(a)(i)] | Operational management | Corrective | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Detective | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Preventive | |
Remove dormant data from systems, as necessary. CC ID 13726 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: a process to securely delete data on premises, or that are stored externally, that the financial entity no longer needs to collect or store; Article 35 ¶ 1(e)] | Records management | Preventive | |
Determine how long to keep records and logs before disposing them. CC ID 11661 [For the purposes of point (a), financial entities shall establish the retention period, taking into account the business and information security objectives, the reason for recording the event in the logs, and the results of the ICT risk assessment. Article 12 2 ¶ 2 The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created; Article 12 2 ¶ 1(a)] | Records management | Preventive | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Preventive | |
Resolve conflicting design and development inputs. CC ID 13703 | Systems design, build, and implementation | Corrective | |
Document the results of the source code analysis. CC ID 14310 | Systems design, build, and implementation | Detective | |
Document attempts to obtain system documentation. CC ID 14284 | Acquisition or sale of facilities, technology, and services | Corrective | |
Search the Internet for evidence of data leakage. CC ID 10419 [As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the prevention and detection of data leakages and the secure transfer of information between the financial entity and external parties; Article 14 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i)] | Privacy protection for information and data | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
Take appropriate action when a data leakage is discovered. CC ID 14716 [As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the prevention and detection of data leakages and the secure transfer of information between the financial entity and external parties; Article 14 1(b)] | Privacy protection for information and data | Corrective | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: for network services agreements: whether those services are provided by an ICT intra-group service provider or by ICT third-party service providers. Article 13 ¶ 1(m)(ii)] | Third Party and supply chain oversight | Detective |
KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Control statement and supporting citation | IMPACT ZONE | CLASS | |
---|---|---|---|
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Preventive | |
Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Preventive | |
Retain collected evidence for potential future legal actions. CC ID 01235 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: retain all evidence relating to ICT-related incidents for a period that shall be no longer than necessary for the purposes for which the data are collected, commensurate with the criticality of the affected business functions, supporting processes, and ICT and information assets, in accordance with Article 15 of Commission Delegated Regulation (EU) 2024/1772 and with any applicable retention requirement pursuant to Union law; Article 22 ¶ 1(d)] | Operational management | Preventive | |
Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 [{ICT-related incident} For the purposes of point (d), financial entities shall retain the evidence referred to in that point in a secure manner. Article 22 ¶ 2 {data at rest} Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. Article 23 3.] | Operational management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [For the purposes of point (a), financial entities shall maintain records of all identity assignments. Those records shall be kept following a reorganisation of the financial entity or after the end of the contractual relationship without prejudice to the retention requirements laid down in applicable Union and national law. Article 20 2 ¶ 2 {access rights administration} For the purposes of point (e)(i), financial entities shall establish the retention period taking into account the business and information security objectives, the reasons for recording the event in the logs, and the results of the ICT risk assessment. Article 21 ¶ 2] | Records management | Preventive | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the process to securely delete data, present on premises of the financial entity or stored externally, that the financial entity no longer needs to collect or to store; Article 11 2 ¶ 1(g)] | Records management | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Detective |
KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Control statement and supporting citation | IMPACT ZONE | CLASS | |
---|---|---|---|
Include escalation procedures in the business continuity policy. CC ID 17203 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available; Article 24 1(b)(i)] | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following: Article 24 1(b)(ii)] | Operational and Systems Continuity | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account. Article 3 ¶ 1(f) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the objectives of the ICT business continuity policy, including the interrelation of ICT and overall business continuity, and considering the results of the business impact analysis (BIA) referred to in Article 11(5) of Regulation (EU) 2022/2554; Article 24 1(a)(i) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: Article 26 1 ¶ 1 The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks; Article 26 2(f) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop their ICT business continuity plans considering the results of the analysis of their exposures to and potential impact of severe business disruptions and scenarios to which their ICT assets supporting critical or important functions might be exposed, including a cyber-attack scenario. Article 39 1.] | Operational and Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 [The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions. Article 31 3.] | Operational and Systems Continuity | Preventive | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the criteria to activate and deactivate ICT business continuity plans, ICT response and recovery plans, and crisis communications plans; Article 24 1(a)(iv) The ICT business continuity plans referred to in paragraph 1 shall: identify the conditions that may prompt the activation of the ICT business continuity plans and what actions are to be taken to ensure the availability, continuity, and recovery of the financial entities' ICT assets supporting critical or important functions; Article 39 2 ¶ 1(e)] | Operational and Systems Continuity | Corrective | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Corrective | |
Include tolerance levels in the continuity plan. CC ID 17305 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the ICT business continuity requirements, including recovery time objectives and recovery point objectives; Article 4 2(b)(vi) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity; Article 26 1 ¶ 1(b) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be designed to meet the recovery objectives of the operations of the financial entities; Article 26 1 ¶ 1(c) {recovery time objective} {recovery point objective} The ICT business continuity plans referred to in paragraph 1 shall: establish planned recovery levels and timeframes for the recovery and resumption of functions and key internal and external dependencies, including ICT third-party service providers; Article 39 2 ¶ 1(d)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: backup and restore requirements of ICT systems; Article 8 2 ¶ 1(b)(i) The ICT business continuity plans referred to in paragraph 1 shall: identify backup procedures and measures that specify the scope of the data that are subject to the backup, and the minimum frequency of the backup, based on the criticality of the function using those data; Article 39 2 ¶ 1(g)] | Operational and Systems Continuity | Preventive | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Preventive | |
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 [{response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d)] | Operational and Systems Continuity | Preventive | |
Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 [{backup site} In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: requires that arrangements are in place to: maintain or have immediate access to a secondary business site, to allow staff to ensure continuity of the service if the primary location of business is not available; Article 24 2 ¶ 1(c)(iii) {continuity arrangement} For the purposes of point (c)(i), arrangements referred to in that point shall address the availability of adequate human resources, the maximum downtime of critical functions, and fail over and recovery to a secondary site. Article 24 2 ¶ 3 The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: partial or total failure of premises, including office and business premises, and data centres; Article 26 2(c)] | Operational and Systems Continuity | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Preventive | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 [{restoration measure} {recovery measure} For the purposes of point (f), the measures referred to in that point shall provide for the mitigation of failures of critical third-party providers. Article 39 2 ¶ 2] | Third Party and supply chain oversight | Preventive | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Preventive | |
Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Implement gateways between security domains. CC ID 16493 | Technical security | Preventive | |
Establish, implement, and maintain workload forecasting tools. CC ID 00936 | Operational management | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Preventive | |
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: Article 37 ¶ 1] | Systems design, build, and implementation | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Preventive | |
Implement manual override capability into automated systems. CC ID 14921 | Systems design, build, and implementation | Preventive | |
Search for metadata during e-discovery. CC ID 01073 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain security design principles. CC ID 14718 | Systems design, build, and implementation | Preventive | |
Include reduced complexity of systems or system components in the security design principles. CC ID 14753 | Systems design, build, and implementation | Preventive | |
Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 | Systems design, build, and implementation | Preventive | |
Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 | Systems design, build, and implementation | Preventive | |
Include modularity and layering of systems or system components in the security design principles. CC ID 14750 | Systems design, build, and implementation | Preventive | |
Include secure evolvability of systems or system components in the security design principles. CC ID 14749 | Systems design, build, and implementation | Preventive | |
Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 | Systems design, build, and implementation | Preventive | |
Include secure system modification of systems or system components in the security design principles. CC ID 14746 | Systems design, build, and implementation | Preventive | |
Include clear abstractions of systems or system components in the security design principles. CC ID 14745 | Systems design, build, and implementation | Preventive | |
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 | Systems design, build, and implementation | Preventive | |
Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 | Systems design, build, and implementation | Preventive | |
Include least privilege of systems or system components in the security design principles. CC ID 14742 | Systems design, build, and implementation | Preventive | |
Include minimized sharing of systems or system components in the security design principles. CC ID 14741 | Systems design, build, and implementation | Preventive | |
Include acceptable security of systems or system components in the security design principles. CC ID 14740 | Systems design, build, and implementation | Preventive | |
Include minimized security elements in systems or system components in the security design principles. CC ID 14739 | Systems design, build, and implementation | Preventive | |
Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 | Systems design, build, and implementation | Preventive | |
Include self-analysis of systems or system components in the security design principles. CC ID 14737 | Systems design, build, and implementation | Preventive | |
Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 | Systems design, build, and implementation | Preventive | |
Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 | Systems design, build, and implementation | Preventive | |
Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 | Systems design, build, and implementation | Preventive | |
Include minimization of systems or system components in the security design principles. CC ID 14733 | Systems design, build, and implementation | Preventive | |
Include secure defaults in systems or system components in the security design principles. CC ID 14732 | Systems design, build, and implementation | Preventive | |
Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 | Systems design, build, and implementation | Preventive | |
Include economic security in systems or system components in the security design principles. CC ID 14730 | Systems design, build, and implementation | Preventive | |
Include trusted components of systems or system components in the security design principles. CC ID 14729 | Systems design, build, and implementation | Preventive | |
Include procedural rigor in systems or system components in the security design principles. CC ID 14728 | Systems design, build, and implementation | Preventive | |
Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 | Systems design, build, and implementation | Preventive | |
Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 | Systems design, build, and implementation | Preventive | |
Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 | Systems design, build, and implementation | Preventive | |
Include performance security of systems or system components in the security design principles. CC ID 14724 | Systems design, build, and implementation | Preventive | |
Include human factored security in systems or system components in the security design principles. CC ID 14723 | Systems design, build, and implementation | Preventive | |
Include secure metadata management of systems or system components in the security design principles. CC ID 14722 | Systems design, build, and implementation | Preventive | |
Include predicate permission of systems or system components in the security design principles. CC ID 14721 | Systems design, build, and implementation | Preventive | |
Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922 | Systems design, build, and implementation | Preventive | |
Include system interoperability in the system requirements specification. CC ID 16256 | Systems design, build, and implementation | Preventive | |
Separate the design and development environment from the production environment. CC ID 06088 [{production environment} {non-production environment} For the purposes of point (b)(v), the separation shall consider all of the components of the environment, including accounts, data or connections, as required by Article 13, first subparagraph, point (a). Article 8 2 ¶ 2 The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: requirements on the separation of ICT production environments from the development, testing, and other non-production environments; Article 8 2 ¶ 1(b)(v) The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: requirements to conduct the development and testing in environments which are separated from the production environment; Article 8 2 ¶ 1(b)(vi) The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: requirements to conduct the development and testing in production environments; Article 8 2 ¶ 1(b)(vii)] | Systems design, build, and implementation | Preventive | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Preventive | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Preventive | |
Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Preventive | |
Include security requirements in the system design specification. CC ID 06826 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; Article 37 ¶ 1(a)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain secure update mechanisms. CC ID 14923 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i)] | Systems design, build, and implementation | Preventive | |
Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 | Systems design, build, and implementation | Preventive | |
Automate secure update mechanisms, as necessary. CC ID 14933 | Systems design, build, and implementation | Preventive | |
Follow security design requirements when developing systems. CC ID 06827 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii)] | Systems design, build, and implementation | Preventive | |
Approve the design methodology before moving forward on the system design project. CC ID 01060 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: the testing of all requirements, including security requirements, and the respective approval process when deploying an ICT system in the production environment. Article 15 3(g)] | Systems design, build, and implementation | Preventive | |
Perform source code analysis at each milestone or quality gate. CC ID 06832 [{open source code} The procedure referred to in paragraph 2 shall provide that proprietary software and, where feasible, the source code provided by ICT third-party service providers or coming from open-source projects, are to be analysed and tested in accordance with paragraph 3 prior to their deployment in the production environment. Article 16 8.] | Systems design, build, and implementation | Corrective | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Preventive | |
Implement security controls during the system implementation integration process. CC ID 11556 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: specify measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during the development, maintenance, and deployment of those ICT systems in the production environment. Article 16 1(c)] | Systems design, build, and implementation | Preventive | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [The vulnerability management procedures referred to in paragraph 1 shall: identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilities; Article 10 2 ¶ 1(a)] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain log analysis tools. CC ID 17056 | Monitoring and measurement | Preventive | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Detective | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Monitoring and measurement | Corrective | |
Conduct Red Team exercises, as necessary. CC ID 12131 | Monitoring and measurement | Detective | |
Test security systems and associated security procedures, as necessary. CC ID 11901 [{assess} The financial entities referred to in paragraph 1 shall review, asses and test ICT security measures, taking into consideration the overall risk profile of the ICT assets of the financial entity. Article 36 2.] | Monitoring and measurement | Detective | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Detective | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Monitoring and measurement | Preventive | |
Perform vulnerability scans, as necessary. CC ID 11637 [{vulnerability assessment} {critical function} For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis. Article 10 2 ¶ 2 {vulnerability assessment} The vulnerability management procedures referred to in paragraph 1 shall: ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset; Article 10 2 ¶ 1(b)] | Monitoring and measurement | Detective | |
Identify and document security vulnerabilities. CC ID 11857 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions; Article 3 ¶ 1(b)(i) The vulnerability management procedures referred to in paragraph 1 shall: require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution. Article 10 2 ¶ 1(h) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i)] | Monitoring and measurement | Detective | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Preventive | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Detective | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Detective | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Detective | |
Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Detective | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Detective | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Detective | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Detective | |
Perform vulnerability assessments, as necessary. CC ID 11828 [{vulnerability assessment} {critical function} For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis. Article 10 2 ¶ 2 The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: identify and analyse vulnerabilities and anomalies in the source code; Article 16 3(a) {vulnerability assessment} The vulnerability management procedures referred to in paragraph 1 shall: ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset; Article 10 2 ¶ 1(b) {vulnerability assessment} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: perform automated vulnerability scanning and assessments of ICT assets commensurate to their classification as referred to in Article 30(1) and to the overall risk profile of the ICT asset, and deploy patches to address identified vulnerabilities; Article 34 ¶ 1(d)] | Monitoring and measurement | Corrective | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Detective | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Corrective | |
Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Monitoring and measurement | Preventive | |
Leverage cyber threat intelligence when employing Technical Surveillance Countermeasures. CC ID 12697 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity; Article 23 2 ¶ 1(a)(ii)] | Monitoring and measurement | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Preventive | |
Establish the criticality of the network and systems. CC ID 00006 [The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account: Article 5 2. The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account: the ICT risk related to those business functions and their dependencies on the information assets or ICT assets; Article 5 2(a) The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account: how the loss of confidentiality, integrity, and availability of such information assets and ICT assets would impact the business processes and activities of the financial entities. Article 5 2(b)] | Technical security | Preventive | |
Establish the requirements for Identity Assurance Levels. CC ID 13857 | Technical security | Preventive | |
Establish, implement, and maintain federated identity systems. CC ID 13837 | Technical security | Preventive | |
Authenticate all systems in a federated identity system. CC ID 13835 | Technical security | Preventive | |
Send and receive authentication assertions, as necessary. CC ID 13839 | Technical security | Preventive | |
Make the assertion reference for authentication assertions single-use. CC ID 13843 | Technical security | Preventive | |
Validate the issuer in the authentication assertion. CC ID 13878 | Technical security | Detective | |
Limit the lifetime of the assertion reference. CC ID 13874 | Technical security | Preventive | |
Refrain from using authentication assertions that have expired. CC ID 13872 | Technical security | Preventive | |
Protect the authentication assertion from unauthorized access or unauthorized disclosure. CC ID 16836 | Technical security | Preventive | |
Include the issuer identifier in the authentication assertion. CC ID 13865 | Technical security | Preventive | |
Include attribute metadata in the authentication assertion. CC ID 13856 | Technical security | Preventive | |
Include the authentication time in the authentication assertion. CC ID 13855 | Technical security | Preventive | |
Validate each element within the authentication assertion. CC ID 13853 | Technical security | Preventive | |
Validate the timestamp in the authentication assertion. CC ID 13875 | Technical security | Detective | |
Validate the digital signature in the authentication assertion. CC ID 13869 | Technical security | Detective | |
Validate the signature validation element in the authentication assertion. CC ID 13867 | Technical security | Detective | |
Validate the audience restriction element in the authentication assertion. CC ID 13866 | Technical security | Detective | |
Include the subject in the authentication assertion. CC ID 13852 | Technical security | Preventive | |
Include the target audience in the authentication assertion. CC ID 13851 | Technical security | Preventive | |
Include audience restrictions in the authentication assertion. CC ID 13870 | Technical security | Preventive | |
Include the issue date in the authentication assertion. CC ID 13850 | Technical security | Preventive | |
Revoke authentication assertions, as necessary. CC ID 16534 | Technical security | Preventive | |
Include the expiration date in the authentication assertion. CC ID 13849 | Technical security | Preventive | |
Include identifiers in the authentication assertion. CC ID 13848 | Technical security | Preventive | |
Include digital signatures in the authentication assertion. CC ID 13847 | Technical security | Preventive | |
Include key binding in the authentication assertion. CC ID 13846 | Technical security | Preventive | |
Include attribute references in the authentication assertion. CC ID 13845 | Technical security | Preventive | |
Include attribute values in the authentication assertion. CC ID 13844 | Technical security | Preventive | |
Limit the use of the assertion reference to a single organization. CC ID 13841 | Technical security | Preventive | |
Request attribute references instead of attribute values during the presentation of an authentication assertion. CC ID 13840 | Technical security | Preventive | |
Define the assertion level for authentication assertions. CC ID 13873 | Technical security | Preventive | |
Refrain from assigning assertion levels for authentication assertions when not defined. CC ID 13879 | Technical security | Preventive | |
Authenticate systems referenced in the allowlist. CC ID 13838 | Technical security | Preventive | |
Place nonmembers of allowlists and denylists into a gray area until a runtime decision is made during the authentication assertion. CC ID 13854 | Technical security | Preventive | |
Require runtime decisions regarding authentication for organizations that are excluded from the allowlist. CC ID 13842 | Technical security | Preventive | |
Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Preventive | |
Review user accounts. CC ID 00525 [The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts. Article 20 2 ¶ 1(b)] | Technical security | Detective | |
Control access rights to organizational assets. CC ID 00004 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: a provision on restrictions of access to ICT assets, setting out controls and tools to prevent unauthorised access; Article 21 ¶ 1(d) {generic account} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: a provision on user accountability, by limiting to the extent possible the use of generic and shared user accounts and ensuring that users are identifiable for the actions performed in the ICT systems at all times; Article 21 ¶ 1(c)] | Technical security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: the assignment of access rights to ICT assets based on need-to-know, need-to-use and least privilege principles, including for remote and emergency access; Article 21 ¶ 1(a) {critical asset} {ad hoc access} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the granting of physical access rights to critical ICT assets to authorised persons only, in accordance with the need-to-know and least privilege principles, and on an ad-hoc basis; Article 21 ¶ 1(g)(ii) {logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: access rights to information assets, ICT assets, and their supported functions, and to critical locations of operation of the financial entity, are managed on a need-to-know, need-to-use and least privileges basis, including for remote and emergency access; Article 33 ¶ 1(a) {privileged access} {emergency access} {need-to-use basis} For the purposes of point (c), the financial entity shall assign privileged, emergency, and administrator access on a need-to-use or an ad-hoc basis for all ICT systems, and shall be logged in accordance with Article 34, first paragraph, point (f). Article 33 ¶ 2] | Technical security | Preventive | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the access restrictions referred to in Article 21 of this Regulation, supporting the protection requirements for each level of classification; Article 11 2 ¶ 1(a) As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: the use of authentication methods commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and to the overall risk profile of ICT assets and considering leading practices; Article 21 ¶ 1(f)(i) {logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: authentication methods that are commensurate to the classification referred to in Article 30(1) and to the overall risk profile of ICT assets, and which are based on leading practices; Article 33 ¶ 1(d) For the purposes of point (d), financial entities shall use strong authentication methods that are based on leading practices for remote access to the financial entities' network, for privileged access, and for access to ICT assets supporting critical or important functions that are publicly available. Article 33 ¶ 3] | Technical security | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
Enforce access restrictions for change control. CC ID 01428 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: mechanisms to ensure the independence of the functions that approve changes and the functions responsible for requesting and implementing those changes; Article 17 1(b)] | Technical security | Preventive | |
Review each user's access capabilities when their role changes. CC ID 00524 [{logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: access rights are periodically reviewed and are withdrawn when no longer required. Article 33 ¶ 1(e)] | Technical security | Preventive | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts. Article 20 2 ¶ 1(b)] | Technical security | Preventive | |
Review and approve logical access to all assets based upon organizational policies. CC ID 06641 [{logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: Article 33 ¶ 1] | Technical security | Preventive | |
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: Article 21 ¶ 1(e) The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts. Article 20 2 ¶ 1(b)] | Technical security | Preventive | |
Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Preventive | |
Enforce the password policy. CC ID 16347 | Technical security | Preventive | |
Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical security | Preventive | |
Identify and control all network access controls. CC ID 00529 | Technical security | Preventive | |
Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1] | Technical security | Detective | |
Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 | Technical security | Preventive | |
Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical security | Preventive | |
Implement segregation of duties. CC ID 11843 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: specify the segregation of duties arrangements in the context of the three lines of defence model or other internal risk management and control model, as applicable, to avoid conflicts of interest; Article 2 2(g) As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: the segregation of duties designed to prevent unjustified access to critical data or to prevent the allocation of combinations of access rights that may be used to circumvent controls; Article 21 ¶ 1(b) The financial entities referred to in paragraph 1 shall ensure an appropriate segregation and the independence of control functions and internal audit functions. Article 28 4.] | Technical security | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the criticality or importance of the function those ICT systems and networks support; Article 13 ¶ 1(a)(i) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: Article 13 ¶ 1(a) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554; Article 13 ¶ 1(a)(ii) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the overall risk profile of ICT assets using those ICT systems and networks; Article 13 ¶ 1(a)(iii)] | Technical security | Preventive | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the measures to temporarily isolate, where necessary, subnetworks, and network components and devices; Article 13 ¶ 1(j)] | Technical security | Preventive | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical security | Preventive | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Preventive | |
Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical security | Preventive | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone. CC ID 11998 | Technical security | Preventive | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical security | Preventive | |
Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the securing of network traffic between the internal networks and the internet and other external connections; Article 13 ¶ 1(g) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity's network, and to secure the network traffic between the financial entity's internal networks and the internet and other external connections; Article 35 ¶ 1(c)] | Technical security | Preventive | |
Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 [For the purposes of point (h), financial entities shall perform the review of firewall rules and connections filters on a regular basis in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of ICT systems involved. For ICT systems that support critical or important functions, financial entities shall verify the adequacy of the existing firewall rules and connection filters at least every 6 months. Article 13 ¶ 2] | Technical security | Corrective | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Preventive | |
Filter packets based on IPv6 header fields. CC ID 17048 | Technical security | Preventive | |
Filter traffic at firewalls based on application layer attributes. CC ID 17054 | Technical security | Preventive | |
Review and approve information exchange system connections. CC ID 07143 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the documentation of all of the financial entity's network connections and data flows; Article 13 ¶ 1(b)] | Technical security | Preventive | |
Enforce privileged and non-privileged accounts for system access. CC ID 00558 [{privileged access} {emergency access} {need-to-use basis} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: assignment of privileged, emergency, and administrator access on a need-to-use or an ad-hoc basis for all ICT systems; Article 21 ¶ 1(e)(ii) For the purposes of point (e)(ii), financial entities shall, where possible, use dedicated accounts for the performance of administrative tasks on ICT systems. Where feasible and appropriate, financial entities shall deploy automated solutions for the privilege access management. Article 21 ¶ 3] | Technical security | Preventive | |
Control all methods of remote access and teleworking. CC ID 00559 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: the requirement to use a management solution to remotely manage the endpoint devices and remotely wipe the financial entity's data; Article 11 2 ¶ 1(f)(i)] | Technical security | Preventive | |
Employ multifactor authentication for remote access to the organization's network. CC ID 12505 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: the use of strong authentication methods in accordance with leading practices and techniques for remote access to the financial entity's network, for privileged access, for access to ICT assets supporting critical or important functions or ICT assets that are publicly accessible; Article 21 ¶ 1(f)(ii) For the purposes of point (d), financial entities shall use strong authentication methods that are based on leading practices for remote access to the financial entities' network, for privileged access, and for access to ICT assets supporting critical or important functions that are publicly available. Article 33 ¶ 3] | Technical security | Preventive | |
Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical security | Preventive | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Preventive | |
Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical security | Preventive | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [{be resilient} {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 4.] | Technical security | Preventive | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 [{mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 criteria for the selection of cryptographic techniques and use practices, taking into account leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and the classification of relevant ICT assets established in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities that are not able to adhere to the leading practices or standards, or to use the most reliable techniques, shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 3. {be resilient} {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 4.] | Technical security | Preventive | |
Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Preventive | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [{encryption policy} {data in transit} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of data at rest and in transit; Article 6 2 ¶ 1(a) The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use; Article 12 2 ¶ 1(d) As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: Article 14 1. As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the availability, authenticity, integrity and confidentiality of data during network transmission, and the establishment of procedures to assess compliance with those requirements; Article 14 1(a) As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the prevention and detection of data leakages and the secure transfer of information between the financial entity and external parties; Article 14 1(b) Financial entities shall design the policies, procedures, protocols, and tools to protect the information in transit referred to in paragraph 1 on the basis of the results of the approved data classification and of the ICT risk assessment. Article 14 2. {data in transit} {data at rest} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to protect data in use, in transit, and at rest; Article 35 ¶ 1(a) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions; Article 35 ¶ 1(d)] | Technical security | Preventive | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 [{encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of internal network connections and traffic with external parties; Article 6 2 ¶ 1(c)] | Technical security | Preventive | |
Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Preventive | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 [{encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of internal network connections and traffic with external parties; Article 6 2 ¶ 1(c)] | Technical security | Preventive | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Preventive | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 [{on-site physical control} {off-site physical control} {on-site logical control} {off-site logical control} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets; Article 18 2 ¶ 1(c)] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 [{on-site physical control} {off-site physical control} {on-site logical control} {off-site logical control} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets; Article 18 2 ¶ 1(c)] | Physical and environmental protection | Preventive | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Corrective | |
Establish, implement, and maintain a clear screen policy. CC ID 12436 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: a clear screen policy for information processing facilities. Article 18 2 ¶ 1(e)(ii)] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain logical access controls at alternate facilities. CC ID 13227 | Operational and Systems Continuity | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Preventive | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Preventive | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption. Article 8 2 ¶ 1(c)(iii)] | Operational management | Corrective | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Detective | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Corrective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification of security measures to ensure that only authorised software is installed in ICT systems and endpoint devices; Article 11 2 ¶ 1(c)] | Operational management | Detective | |
Configure security parameter settings on all system components appropriately. CC ID 12041 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the implementation of a secure configuration baseline of all network components, and the hardening of the network and of network devices in line with any vendor instructions, where applicable standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and leading practices; Article 13 ¶ 1(k)] | System hardening through configuration management | Preventive | |
Configure each system's security alerts to organizational standards. CC ID 12113 [For the purposes of point (b), the tools referred to in that point shall contain the tools that provide automated alerts based on pre-defined rules to identify anomalies affecting the completeness and integrity of the data sources or log collection. Article 23 2 ¶ 2] | System hardening through configuration management | Preventive | |
Restrict the exporting of files and directories, as necessary. CC ID 16315 | System hardening through configuration management | Preventive | |
Employ multifactor authentication for accounts with administrative privilege. CC ID 12496 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: the use of strong authentication methods in accordance with leading practices and techniques for remote access to the financial entity's network, for privileged access, for access to ICT assets supporting critical or important functions or ICT assets that are publicly accessible; Article 21 ¶ 1(f)(ii) For the purposes of point (d), financial entities shall use strong authentication methods that are based on leading practices for remote access to the financial entities' network, for privileged access, and for access to ICT assets supporting critical or important functions that are publicly available. Article 33 ¶ 3] | System hardening through configuration management | Preventive | |
Provide encryption for different types of electronic storage media. CC ID 00945 [{encryption policy} {data in transit} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of data at rest and in transit; Article 6 2 ¶ 1(a)] | Records management | Preventive | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use; Article 12 2 ¶ 1(d) {data in transit} {data at rest} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to protect data in use, in transit, and at rest; Article 35 ¶ 1(a) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity; Article 35 ¶ 1(b)] | Records management | Preventive | |
Protect source code in accordance with organizational requirements. CC ID 16855 [The procedure referred to in paragraph 2 shall contain the implementation of controls to protect the integrity of the source code of ICT systems that are developed in-house or by an ICT third-party service provider and delivered to the financial entity by an ICT third-party service provider. Article 16 7.] | Systems design, build, and implementation | Preventive | |
Protect test data in the development environment. CC ID 12014 [{pseudonymized data} The procedure referred to in paragraph 2 shall provide that: non-production environments only store anonymised, pseudonymised, or randomised production data; Article 16 5(a) The procedure referred to in paragraph 2 shall provide that: financial entities are to protect the integrity and confidentiality of data in non-production environments. Article 16 5(b)] | Systems design, build, and implementation | Preventive | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a system security plan. CC ID 01922 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1] | Monitoring and measurement | Preventive | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Monitoring and measurement | Preventive | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Monitoring and measurement | Preventive | |
Protect systems and data during testing in the production environment. CC ID 17198 [{ICT security} For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment. Article 8 2 ¶ 3] | Monitoring and measurement | Preventive | |
Define the criteria to conduct testing in the production environment. CC ID 17197 [{ICT security} For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment. Article 8 2 ¶ 3] | Monitoring and measurement | Preventive | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Monitoring and measurement | Preventive | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Monitoring and measurement | Detective | |
Include test requirements for the use of production data in the testing program. CC ID 17201 [By way of derogation from paragraph 5, the procedure referred to in paragraph 2 may provide that production data are stored only for specific testing occasions, for limited periods of time, and following the approval by the relevant function and the reporting of such occasions to the ICT risk management function. Article 16 6.] | Monitoring and measurement | Preventive | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Preventive | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Preventive | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Preventive | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Preventive | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Preventive | |
Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Detective | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Detective | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Corrective | |
Conduct scanning activities in a test environment. CC ID 17036 | Monitoring and measurement | Preventive | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Detective | |
Perform internal vulnerability scans, as necessary. CC ID 00656 [{vulnerability assessment} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: perform automated vulnerability scanning and assessments of ICT assets commensurate to their classification as referred to in Article 30(1) and to the overall risk profile of the ICT asset, and deploy patches to address identified vulnerabilities; Article 34 ¶ 1(d)] | Monitoring and measurement | Detective | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Preventive | |
Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Detective | |
Test the system for proper error handling. CC ID 01324 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: Article 8 2 ¶ 1(c)] | Monitoring and measurement | Detective | |
Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Detective | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Detective | |
Document and maintain test results. CC ID 17028 [The financial entities referred to in paragraph 1 shall monitor and evaluate the results of the security tests and update their security measures accordingly without undue delay in the case of ICT systems supporting critical or important functions. Article 36 3.] | Monitoring and measurement | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to; Article 28 2(f) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the identification and assessment of the ICT risks to which the financial entity is exposed; Article 31 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the identification and assessment of any ICT and information security risks resulting from any major change in ICT system or ICT services, processes, or procedures, and from ICT security testing results and after any major ICT-related incident. Article 31 1(e)] | Audits and risk management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [{residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the review of the accepted residual ICT risks at least once a year, including: the assessment of available mitigation measures; Article 3 ¶ 1(d)(iv) (2)] | Audits and risk management | Detective | |
Employ unique identifiers. CC ID 01273 [As part of their control of access management rights, financial entities shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities' information to enable assignment of user access rights in accordance with Article 21. Article 20 1. The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: without prejudice to Article 21, first paragraph, point (c), a unique identity corresponding to a unique user account shall be assigned to each staff member of the financial entity or staff of the ICT third-party service providers accessing the information assets and ICT assets of the financial entity; Article 20 2 ¶ 1(a)] | Technical security | Detective | |
Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity's network, and to secure the network traffic between the financial entity's internal networks and the internet and other external connections; Article 35 ¶ 1(c)] | Technical security | Preventive | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on: Article 22 ¶ 1(b) {cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on: vulnerability management; Article 22 ¶ 1(b)(iii) {cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on: the detection of anomalous activities; Article 22 ¶ 1(b)(ii)] | Operational and Systems Continuity | Detective | |
Test the recovery plan, as necessary. CC ID 13290 [{response plan} Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development, testing and review of ICT response and recovery plans, in accordance with Articles 25 and 26 of this Regulation; Article 24 1(b)(iv)] | Operational and Systems Continuity | Detective | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the review of the effectiveness of the implemented ICT business continuity arrangements, plans, procedures and mechanisms, in accordance with Article 26 of this Regulation; Article 24 1(b)(v) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall test their business continuity plans referred to in Article 39 of this Regulation, including the scenarios referred to in that Article, at least once every year for the back-up and restore procedures, or upon every major change of the business continuity plan. Article 40 1. The testing of business continuity plans referred to in paragraph 1 shall demonstrate that the financial entities referred to in that paragraph are able to sustain the viability of their businesses until critical operations are re-established and identify any deficiencies in those plans. Article 40 2.] | Operational and Systems Continuity | Detective | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans; Article 25 2 ¶ 1(d)] | Operational and Systems Continuity | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: contain the testing of ICT services provided by ICT third-party service providers, where applicable; Article 25 2 ¶ 1(b)] | Operational and Systems Continuity | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans; Article 25 2 ¶ 1(d)] | Operational and Systems Continuity | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: be performed on the basis of test scenarios that simulate potential disruptions, including an adequate set of severe but plausible scenarios; Article 25 2 ¶ 1(a) Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: contain procedures to verify the ability of the financial entities' staff, of ICT third-party service providers, of ICT systems, and ICT services to respond adequately to the scenarios duly taken into account in accordance with Article 26(2). Article 25 2 ¶ 1(e)] | Operational and Systems Continuity | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 [In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: takes into account external links and interdependencies within the financial infrastructures, including trading venues cleared by the central counterparty, securities settlement and payment systems, and credit institutions used by the central counterparty or a linked central counterparty; Article 24 2 ¶ 1(b)] | Operational and Systems Continuity | Detective | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Detective | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: critical utilities and critical service providers; Article 25 4(b) In addition to the requirements referred to in paragraph 2, central counterparties shall involve in the testing of their ICT business continuity plans referred to in paragraph 1: clearing members; Article 25 3(a) In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: users of the central securities depositories; Article 25 4(a) In addition to the requirements referred to in paragraph 2, central counterparties shall involve in the testing of their ICT business continuity plans referred to in paragraph 1: external providers; Article 25 3(b) In addition to the requirements referred to in paragraph 2, central counterparties shall involve in the testing of their ICT business continuity plans referred to in paragraph 1: relevant institutions in the financial infrastructure with which central counterparties have identified interdependencies in their business continuity policies. Article 25 3(c) In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: other central securities depositories; Article 25 4(c) In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: other market infrastructures; Article 25 4(d) In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: any other institutions with which central securities depositories have identified interdependencies in their business continuity policy. Article 25 4(e)] | Operational and Systems Continuity | Preventive | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 [The financial entities referred to in paragraph 1 shall document the results of the testing of business continuity plans and any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body. Article 40 3. {continuity plan test} Financial entities shall document the results of the testing referred to in paragraph 1. Any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body. Article 25 5.] | Operational and Systems Continuity | Preventive | |
Utilize resource capacity management controls. CC ID 00939 [{capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the application of resource optimisation; Article 9 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify capacity requirements of their ICT assets and measures to maintain and improve the availability and efficiency of ICT systems and prevent ICT capacity shortages before they materialise; Article 34 ¶ 1(c)] | Operational management | Detective | |
Test the incident response procedures. CC ID 01216 [{response plan} Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development, testing and review of ICT response and recovery plans, in accordance with Articles 25 and 26 of this Regulation; Article 24 1(b)(iv)] | Operational management | Detective | |
Test proposed changes prior to their approval. CC ID 00548 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: the changes are tested and finalised in a controlled manner; Article 17 1(c)(iii) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Detective | |
Perform risk assessments prior to approving change requests. CC ID 00888 [{project management} When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT project and change management; Article 1 ¶ 1 (d)] | Operational management | Preventive | |
Perform a patch test prior to deploying a patch. CC ID 00898 [The patch management procedures referred to in paragraph 3 shall: test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii); Article 10 4(c)] | Operational management | Detective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Detective | |
Review changes to computer firmware. CC ID 12226 | Operational management | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 [After having made significant changes to their ICT systems, central counterparties and central securities depositories shall submit their ICT systems to stringent testing by simulating stressed conditions. Article 17 2 ¶ 1 The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: there is an effective quality assurance; Article 17 1(c)(iv) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches; Article 17 1(g)] | Operational management | Detective | |
Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project risk assessment; Article 15 3(d)] | Systems design, build, and implementation | Detective | |
Analyze current technology investment factors that could affect implementing the system design project. CC ID 01050 | Systems design, build, and implementation | Preventive | |
Implement security controls in development endpoints. CC ID 16389 | Systems design, build, and implementation | Preventive | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1] | Systems design, build, and implementation | Detective | |
Test all software changes before promoting the system to a production environment. CC ID 01106 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure the testing and approval of ICT systems prior to their first use and before introducing changes to the production environment; Article 37 ¶ 1(b)] | Systems design, build, and implementation | Detective | |
Test security functionality during the development process. CC ID 12015 [{system testing procedure} {static analysis} {dynamic analysis} The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: Article 16 3.] | Systems design, build, and implementation | Preventive | |
Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 [The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: identify and analyse vulnerabilities and anomalies in the source code; Article 16 3(a)] | Systems design, build, and implementation | Detective | |
Review and test source code. CC ID 01086 [{system testing procedure} {static analysis} {dynamic analysis} The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: Article 16 3.] | Systems design, build, and implementation | Detective | |
Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 [The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: adopt an action plan to address those vulnerabilities and anomalies; Article 16 3(b)] | Systems design, build, and implementation | Corrective | |
Perform Quality Management on all newly developed or modified software. CC ID 11798 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1 The procedure referred to in paragraph 2 shall contain security testing of software packages no later than at the integration phase, in accordance with Article 8(2), points (b)(v), (vi) and (vii). Article 16 4. {open source code} The procedure referred to in paragraph 2 shall provide that proprietary software and, where feasible, the source code provided by ICT third-party service providers or coming from open-source projects, are to be analysed and tested in accordance with paragraph 3 prior to their deployment in the production environment. Article 16 8.] | Systems design, build, and implementation | Detective | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 | Operational and Systems Continuity | Preventive | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Operational and Systems Continuity | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Operational and Systems Continuity | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Operational and Systems Continuity | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Operational and Systems Continuity | Preventive | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Preventive | |
Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
Include data management in the security awareness program. CC ID 17010 | Human Resources management | Preventive | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Correct errors and deficiencies in a timely manner. CC ID 13501 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: procedures and protocols for handling errors; Article 8 2 ¶ 1(c)(i)] | Leadership and high level objectives | Business Processes | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Leadership and high level objectives | Establish/Maintain Documentation | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Monitoring and measurement | Communicate | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Monitoring and measurement | Technical Security | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Process or Activity | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Testing | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Configuration | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Behavior | |
Perform vulnerability assessments, as necessary. CC ID 11828 [{vulnerability assessment} {critical function} For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis. Article 10 2 ¶ 2 The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: identify and analyse vulnerabilities and anomalies in the source code; Article 16 3(a) {vulnerability assessment} The vulnerability management procedures referred to in paragraph 1 shall: ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset; Article 10 2 ¶ 1(b) {vulnerability assessment} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: perform automated vulnerability scanning and assessments of ICT assets commensurate to their classification as referred to in Article 30(1) and to the overall risk profile of the ICT asset, and deploy patches to address identified vulnerabilities; Article 34 ¶ 1(d)] | Monitoring and measurement | Technical Security | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Configuration | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 [The financial entities referred to in paragraph 1 shall monitor and evaluate the results of the security tests and update their security measures accordingly without undue delay in the case of ICT systems supporting critical or important functions. Article 36 3.] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Technical Security | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Process or Activity | |
Assign the Board of Directors to address audit findings. CC ID 12396 [{be critical} Based on the outcome of the audit referred to in paragraph 5, the financial entities referred to in paragraph 1 shall ensure the timely verification and remediation of critical ICT audit findings. Article 28 6.] | Audits and risk management | Human Resources Management | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a summary of the findings of the review and detailed analysis and assessment of the severity of the weaknesses, deficiencies, and gaps in the ICT risk management framework during the review period; Article 27 2 ¶ 1(g)] | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Establish/Maintain Documentation | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Business Processes | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Establish/Maintain Documentation | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [{be critical} Based on the outcome of the audit referred to in paragraph 5, the financial entities referred to in paragraph 1 shall ensure the timely verification and remediation of critical ICT audit findings. Article 28 6. {review} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on planned further developments of the ICT risk management framework; Article 27 2 ¶ 1(i) {ICT risk management framework} {review} {remedial measure} The report referred to in paragraph 1 shall contain all of the following information: remedying measures identified to address weaknesses, deficiencies, and gaps in the simplified ICT risk management framework, and the expected date for implementing those measures, including the follow-up on weaknesses, deficiencies, and gaps identified in previous reports, where those weaknesses, deficiencies, and gaps have not yet been remedied; Article 41 2(g)] | Audits and risk management | Establish/Maintain Documentation | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [The vulnerability management procedures referred to in paragraph 1 shall: require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution. Article 10 2 ¶ 1(h) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: an expected date for implementing the measures and dates related to the internal control of the implementation, including information on the state of progress of the implementation of those measures as at the date of drafting of the report, explaining, where applicable, if there is a risk that deadlines may not be respected; Article 27 2 ¶ 1(h)(ii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on past reviews, including: where applicable, a state of implementation of the corrective measures identified by the last report; Article 27 2 ¶ 1(k)(ii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on past reviews, including: where the proposed corrective measures in past reviews have proven ineffective or have created unexpected challenges, a description of how those corrective measures could be improved or of those unexpected challenges; Article 27 2 ¶ 1(k)(iii) {ICT risk management framework} {review} {remedial measure} The report referred to in paragraph 1 shall contain all of the following information: remedying measures identified to address weaknesses, deficiencies, and gaps in the simplified ICT risk management framework, and the expected date for implementing those measures, including the follow-up on weaknesses, deficiencies, and gaps identified in previous reports, where those weaknesses, deficiencies, and gaps have not yet been remedied; Article 41 2(g)] | Audits and risk management | Actionable Reports or Measurements | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Acquisition/Sale of Assets or Services | |
Document residual risk in a residual risk report. CC ID 13664 [{residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the identification of those residual ICT risks; Article 3 ¶ 1(d)(i) {residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance; Article 3 ¶ 1(d)(iii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: where the weaknesses, deficiencies, or gaps identified are not subject to corrective measures, a detailed explanation of the criteria used to analyse the impact of those weaknesses, deficiencies, or gaps, to evaluate the related residual ICT risk, and of the criteria used to accept the related residual risk; Article 27 2 ¶ 1(h)(vi)] | Audits and risk management | Establish/Maintain Documentation | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: withdrawal of access rights without undue delay upon termination of the employment or when the access is no longer necessary; Article 21 ¶ 1(e)(iii) The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts. Article 20 2 ¶ 1(b) {logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: access rights are periodically reviewed and are withdrawn when no longer required. Article 33 ¶ 1(e)] | Technical security | Behavior | |
Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: update of access rights where changes are necessary and at least once a year for all ICT systems, other than ICT systems supporting critical or important functions and at least every 6 months for ICT systems supporting critical or important functions; Article 21 ¶ 1(e)(iv)] | Technical security | Behavior | |
Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 [For the purposes of point (h), financial entities shall perform the review of firewall rules and connections filters on a regular basis in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of ICT systems involved. For ICT systems that support critical or important functions, financial entities shall verify the adequacy of the existing firewall rules and connection filters at least every 6 months. Article 13 ¶ 2] | Technical security | Technical Security | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Data and Information Management | |
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 [Financial entities shall develop and implement methods to replace the cryptographic keys in the case of loss, or where those keys are compromised or damaged. Article 7 3.] | Technical security | Data and Information Management | |
Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Process or Activity | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Communicate | |
Report damaged property to interested personnel and affected parties. CC ID 13702 | Physical and environmental protection | Communicate | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Establish/Maintain Documentation | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Technical Security | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: the requirement to use a management solution to remotely manage the endpoint devices and remotely wipe the financial entity's data; Article 11 2 ¶ 1(f)(i)] | Physical and environmental protection | Process or Activity | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Process or Activity | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the criteria to activate and deactivate ICT business continuity plans, ICT response and recovery plans, and crisis communications plans; Article 24 1(a)(iv) The ICT business continuity plans referred to in paragraph 1 shall: identify the conditions that may prompt the activation of the ICT business continuity plans and what actions are to be taken to ensure the availability, continuity, and recovery of the financial entities' ICT assets supporting critical or important functions; Article 39 2 ¶ 1(e)] | Operational and Systems Continuity | Systems Continuity | |
Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Operational and Systems Continuity | Configuration | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: specify the consequences of non-compliance by staff of the financial entity with the ICT security policies, where provisions to that effect are not laid down in other policies of the financial entity; Article 2 2(e)] | Operational management | Process or Activity | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [{internal factor} The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity; Article 23 2 ¶ 1(a)(i)] | Operational management | Process or Activity | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 [{internal factor} The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity; Article 23 2 ¶ 1(a)(i)] | Operational management | Monitor and Evaluate Occurrences | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption. Article 8 2 ¶ 1(c)(iii)] | Operational management | Technical Security | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Technical Security | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Configuration | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Configuration | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: identify measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during development and implementation in the production environment. Article 37 ¶ 1(c)] | Operational management | Business Processes | |
Resolve conflicting design and development inputs. CC ID 13703 | Systems design, build, and implementation | Process or Activity | |
Perform source code analysis at each milestone or quality gate. CC ID 06832 [{open source code} The procedure referred to in paragraph 2 shall provide that proprietary software and, where feasible, the source code provided by ICT third-party service providers or coming from open-source projects, are to be analysed and tested in accordance with paragraph 3 prior to their deployment in the production environment. Article 16 8.] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 [The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: adopt an action plan to address those vulnerabilities and anomalies; Article 16 3(b)] | Systems design, build, and implementation | Testing | |
Document attempts to obtain system documentation. CC ID 14284 | Acquisition or sale of facilities, technology, and services | Process or Activity | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Take appropriate action when a data leakage is discovered. CC ID 14716 [As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the prevention and detection of data leakages and the secure transfer of information between the financial entity and external parties; Article 14 1(b)] | Privacy protection for information and data | Process or Activity | |
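Several rows in the table above pin a periodic control to a fixed cadence: automated vulnerability scanning of ICT assets supporting critical or important functions at least weekly (CC ID 11828, Article 10 2 ¶ 2), access-rights updates at least every 6 months for critical or important systems and at least yearly for all others (CC ID 00788, Article 21 ¶ 1(e)(iv)), and verification of firewall rules and connection filters at least every 6 months for critical or important systems (CC ID 11903, Article 13 ¶ 2). The check a practitioner wants is an inventory sweep that reports which assets have fallen outside those windows. The script below is an added example written for this page; it is not code from the Network Frontiers report, the Regulation, or any financial entity. The asset inventory, asset names, dates and field names are constructed; reading "6 months" as 183 days and one year as 365 days is an assumption, as is the choice to report a control whose cadence the Regulation leaves risk-based (non-critical vulnerability scanning, non-critical firewall review) only when it has never been performed at all.

```python
"""Cadence sweep for the fixed review intervals in RTS (EU) 2024/1774.

Added example for this page, not code from the report or the Regulation.
Inventory, names and dates are constructed; 183/365-day month arithmetic
and the risk-based fallback are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ONE_WEEK = timedelta(days=7)
SIX_MONTHS = timedelta(days=183)   # assumption: "6 months" as 183 days
ONE_YEAR = timedelta(days=365)     # assumption: "once a year" as 365 days

# control -> (cited article, max interval for critical/important assets,
#             max interval for all other assets). None = no fixed interval in
# the Regulation (risk-based), so only a control never performed is reported.
CADENCE = {
    "vuln_scan":       ("Article 10(2)",        ONE_WEEK,   None),
    "access_review":   ("Article 21(1)(e)(iv)", SIX_MONTHS, ONE_YEAR),
    "firewall_review": ("Article 13(2)",        SIX_MONTHS, None),
}


@dataclass(frozen=True)
class Asset:
    name: str
    critical: bool                       # supports a critical or important function
    last_vuln_scan: Optional[date]
    last_access_review: Optional[date]
    last_firewall_review: Optional[date] = None
    has_firewall_rules: bool = False     # False: firewall review not applicable


@dataclass(frozen=True)
class Finding:
    asset: str
    control: str
    article: str
    last_done: Optional[date]
    overdue_days: Optional[int]          # None when the control was never performed


def _last_done(asset: Asset, control: str) -> Optional[date]:
    return {
        "vuln_scan": asset.last_vuln_scan,
        "access_review": asset.last_access_review,
        "firewall_review": asset.last_firewall_review,
    }[control]


def check_asset(asset: Asset, today: date) -> list:
    """Return one Finding per control that is missing or past its window."""
    findings = []
    for control, (article, crit_max, other_max) in CADENCE.items():
        if control == "firewall_review" and not asset.has_firewall_rules:
            continue
        last = _last_done(asset, control)
        if last is None:
            # Required for all assets, never performed: report regardless of cadence.
            findings.append(Finding(asset.name, control, article, None, None))
            continue
        limit = crit_max if asset.critical else other_max
        if limit is None:
            continue                     # risk-based cadence: no fixed window to test
        age = today - last
        if age > limit:
            findings.append(Finding(asset.name, control, article, last, (age - limit).days))
    return findings


def check_inventory(assets, today: date) -> list:
    return [f for a in assets for f in check_asset(a, today)]


def format_report(findings) -> list:
    """Human-readable lines, one per finding, for a ticket or audit note."""
    lines = []
    for f in findings:
        if f.overdue_days is None:
            lines.append(f"{f.asset}: {f.control} never performed ({f.article})")
        else:
            lines.append(f"{f.asset}: {f.control} last {f.last_done.isoformat()}, "
                         f"{f.overdue_days} days past the {f.article} window")
    return lines


# Constructed sample inventory (not real systems).
TODAY = date(2025, 3, 1)
SAMPLE = [
    Asset("payments-gw", critical=True,
          last_vuln_scan=date(2025, 2, 15),        # 14 days old: 7 days over the weekly window
          last_access_review=date(2024, 11, 1),    # 120 days old: within 6 months
          last_firewall_review=date(2024, 7, 1),   # 243 days old: 60 days over 6 months
          has_firewall_rules=True),
    Asset("hr-wiki", critical=False,
          last_vuln_scan=date(2024, 9, 1),         # non-critical: cadence is risk-based
          last_access_review=date(2023, 12, 1)),   # 456 days old: 91 days over one year
    Asset("new-batch-node", critical=True,
          last_vuln_scan=None,                     # never scanned
          last_access_review=date(2025, 1, 10)),   # 50 days old: within 6 months
]

if __name__ == "__main__":
    for line in format_report(check_inventory(SAMPLE, TODAY)):
        print(line)
```

Feeding the sweep from the ICT asset inventory the Regulation already requires (classification per Article 8(1) of Regulation (EU) 2022/2554, plus the timestamps of the last scan, access review and firewall review) turns the cadences in the table into a recurring check whose output can be attached to the Article 27 review report as evidence of monitoring.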
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Process or Activity | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [The vulnerability management procedures referred to in paragraph 1 shall: identify and update relevant and trustworthy information resources to build and maintain awareness about vulnerabilities; Article 10 2 ¶ 1(a)] | Leadership and high level objectives | Technical Security | |
Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 [{critical function} In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: Article 15 5.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with Article 8(1) of Regulation (EU) 2022/2554; Article 4 2(a) As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations. Article 8 1. {critical function} For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage to the extent possible of third-party libraries, including open-source libraries. Article 10 2 ¶ 4 The vulnerability management procedures referred to in paragraph 1 shall: track the usage of: ICT services developed by the financial entity itself or specifically customised or developed for the financial entity by an ICT third-party service provider; Article 10 2 ¶ 1(d)(ii) {capacity management procedure} The capacity and performance management procedures referred to in paragraph 1 shall ensure that financial entities take measures that are appropriate to cater for the specificities of ICT systems with long or complex procurement or approval processes or ICT systems that are resource-intensive. Article 9 2. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: monitor and manage the lifecycle of all ICT assets; Article 34 ¶ 1(a) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: monitor whether the ICT assets are supported by ICT third-party service providers of financial entities, where applicable; Article 34 ¶ 1(b)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain monitoring and logging operations. CC ID 00637 [Financial entities shall, as part of the safeguards against intrusions and data misuse, develop, document, and implement logging procedures, protocols and tools. Article 12 1.] | Monitoring and measurement | Log Management | |
Monitor and evaluate system telemetry data. CC ID 14929 | Monitoring and measurement | Actionable Reports or Measurements | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions; Article 23 2 ¶ 1(b)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions; Article 23 2 ¶ 1(b)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 [{audit trail information} The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: protocols for audit-trail and system log information; Article 8 2 ¶ 1(b)(iii) For the purposes of point (f), financial entities shall align the level of detail of the logs with their purpose and usage of the ICT asset producing those logs. Article 34 ¶ 2] | Monitoring and measurement | Log Management | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Log Management | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Technical Security | |
Monitor and evaluate system performance. CC ID 00651 [{capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the monitoring procedures for maintaining and improving: the efficiency of ICT systems; Article 9 1(c)(ii)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually. Article 23 2 ¶ 1(d) {cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish, implement, and operate technical, organisational, and operational mechanisms to support the ICT-related incident management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours in accordance with Article 23 of this Regulation; Article 22 ¶ 1(c) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify and implement measures to monitor and analyse information on anomalous activities and behaviour for critical or important ICT operations; Article 34 ¶ 1(g)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Monitoring and measurement | Investigate | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Monitoring and measurement | Investigate | |
Review retail payment service reports, as necessary. CC ID 13545 | Monitoring and measurement | Investigate | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Process or Activity | |
Monitor for and report when a software configuration is updated. CC ID 06746 [{critical function} For the purposes of point (d), financial entities shall, where appropriate in collaboration with the ICT third-party service provider, monitor the version and possible updates of the third-party libraries. In case of ready to use (off-the-shelf) ICT assets or components of ICT assets acquired and used in the operation of ICT services not supporting critical or important functions, financial entities shall track the usage to the extent possible of third-party libraries, including open-source libraries. Article 10 2 ¶ 4] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Log account usage times. CC ID 07099 | Monitoring and measurement | Log Management | |
Log account usage durations. CC ID 12117 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Communicate | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Conduct Red Team exercises, as necessary. CC ID 12131 | Monitoring and measurement | Technical Security | |
Test security systems and associated security procedures, as necessary. CC ID 11901 [{assess} The financial entities referred to in paragraph 1 shall review, assess and test ICT security measures, taking into consideration the overall risk profile of the ICT assets of the financial entity. Article 36 2.] | Monitoring and measurement | Technical Security | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Monitoring and measurement | Testing | |
Identify risk management measures when testing in scope systems. CC ID 14960 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall establish and implement an ICT security testing plan to validate the effectiveness of their ICT security measures developed in accordance with Articles 33, 34 and 35 and Articles 37 and 38 of this Regulation. Financial entities shall ensure that that plan considers threats and vulnerabilities identified as part of the simplified ICT risk management framework referred to in Article 31 of this Regulation. Article 36 1.] | Monitoring and measurement | Process or Activity | |
Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Testing | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Technical Security | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Testing | |
Perform vulnerability scans, as necessary. CC ID 11637 [{vulnerability assessment} {critical function} For the purposes of point (b), financial entities shall perform the automated vulnerability scanning and assessments on ICT assets for the ICT assets supporting critical or important functions on at least a weekly basis. Article 10 2 ¶ 2 {vulnerability assessment} The vulnerability management procedures referred to in paragraph 1 shall: ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset; Article 10 2 ¶ 1(b)] | Monitoring and measurement | Technical Security | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Testing | |
Identify and document security vulnerabilities. CC ID 11857 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions; Article 3 ¶ 1(b)(i) The vulnerability management procedures referred to in paragraph 1 shall: require the recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution. Article 10 2 ¶ 1(h) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i)] | Monitoring and measurement | Technical Security | |
Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Investigate | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Technical Security | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Technical Security | |
Perform internal vulnerability scans, as necessary. CC ID 00656 [{vulnerability assessment} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: perform automated vulnerability scanning and assessments of ICT assets commensurate to their classification as referred to in Article 30(1) and to the overall risk profile of the ICT asset, and deploy patches to address identified vulnerabilities; Article 34 ¶ 1(d)] | Monitoring and measurement | Testing | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Technical Security | |
Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Technical Security | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Technical Security | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Technical Security | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Technical Security | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Technical Security | |
Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Testing | |
Test the system for proper error handling. CC ID 01324 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: Article 8 2 ¶ 1(c)] | Monitoring and measurement | Testing | |
Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Testing | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Testing | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Actionable Reports or Measurements | |
Evaluate cyber threat intelligence. CC ID 12747 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity; Article 23 2 ¶ 1(a)(ii)] | Monitoring and measurement | Process or Activity | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Audits and Risk Management | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Establish/Maintain Documentation | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Human Resources Management | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Audits and Risk Management | |
Review past audit reports. CC ID 01155 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on past reviews, including: a list of past reviews to date; Article 27 2 ¶ 1(k)(i)] | Audits and risk management | Establish/Maintain Documentation | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: information on past reviews, including: Article 27 2 ¶ 1(k)] | Audits and risk management | Establish/Maintain Documentation | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Investigate | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Process or Activity | |
Review management's response to issues raised in past audit reports. CC ID 01149 [{ICT risk management framework} {review} {remedial measure} The report referred to in paragraph 1 shall contain all of the following information: remedying measures identified to address weaknesses, deficiencies, and gaps in the simplified ICT risk management framework, and the expected date for implementing those measures, including the follow-up on weaknesses, deficiencies, and gaps identified in previous reports, where those weaknesses, deficiencies, and gaps have not yet been remedied; Article 41 2(g)] | Audits and risk management | Audits and Risk Management | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Business Processes | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Human Resources Management | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 [The vulnerability management procedures referred to in paragraph 1 shall: monitor and verify the remediation of vulnerabilities; Article 10 2 ¶ 1(g)] | Audits and risk management | Investigate | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i); Article 3 ¶ 1(b)(ii)] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Process or Activity | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Process or Activity | |
Determine the effectiveness of risk control measures. CC ID 06601 [{residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the review of the accepted residual ICT risks at least once a year, including: the assessment of available mitigation measures; Article 3 ¶ 1(d)(iv) (2)] | Audits and risk management | Testing | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Audits and Risk Management | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Audits and Risk Management | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Process or Activity | |
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Technical security | Process or Activity | |
Interact with the data subject when performing remote proofing. CC ID 13777 | Technical security | Process or Activity | |
View all applicant actions when performing remote proofing. CC ID 13804 | Technical security | Process or Activity | |
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Technical security | Process or Activity | |
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Technical security | Process or Activity | |
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Technical security | Process or Activity | |
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Technical security | Process or Activity | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Process or Activity | |
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Technical security | Business Processes | |
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Technical security | Process or Activity | |
Verify proof of identity records. CC ID 13761 | Technical security | Investigate | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Process or Activity | |
Conduct in-person proofing with physical interactions. CC ID 13775 | Technical security | Process or Activity | |
Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Technical security | Process or Activity | |
Validate the issuer in the authentication assertion. CC ID 13878 | Technical security | Technical Security | |
Validate the timestamp in the authentication assertion. CC ID 13875 | Technical security | Technical Security | |
Validate the digital signature in the authentication assertion. CC ID 13869 | Technical security | Technical Security | |
Validate the signature validation element in the authentication assertion. CC ID 13867 | Technical security | Technical Security | |
Validate the audience restriction element in the authentication assertion. CC ID 13866 | Technical security | Technical Security | |
Review user accounts. CC ID 00525 [The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts. Article 20 2 ¶ 1(b)] | Technical security | Technical Security | |
Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Communicate | |
Employ unique identifiers. CC ID 01273 [As part of their control of access management rights, financial entities shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities' information to enable assignment of user access rights in accordance with Article 21. Article 20 1. The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: without prejudice to Article 21, first paragraph, point (c), a unique identity corresponding to a unique user account shall be assigned to each staff member of the financial entity or staff of the ICT third-party service providers accessing the information assets and ICT assets of the financial entity; Article 20 2 ¶ 1(a)] | Technical security | Testing | |
Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1] | Technical security | Technical Security | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Technical security | Process or Activity | |
Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Technical security | Process or Activity | |
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Technical security | Establish/Maintain Documentation | |
Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management; Article 34 ¶ 1(f)] | Technical security | Investigate | |
Scan for malicious code, as necessary. CC ID 11941 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i)] | Technical security | Investigate | |
Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Investigate | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Physical and Environmental Protection | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the monitoring of physical access to premises, data centres, and sensitive designated areas identified by the financial entity where ICT and information assets or both reside; Article 21 ¶ 1(g)(iii) {physical access} For the purposes of point (g)(iii), the monitoring shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the criticality of the area accessed. Article 21 ¶ 5] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Investigate | |
Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Log Management | |
Monitor the location of distributed assets. CC ID 11684 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: information on the location, either physical or logical, of all ICT assets; Article 4 2(b)(ii)] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks; Article 26 2(f)] | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account. Article 3 ¶ 1(f) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the objectives of the ICT business continuity policy, including the interrelation of ICT and overall business continuity, and considering the results of the business impact analysis (BIA) referred to in Article 11(5) of Regulation (EU) 2022/2554; Article 24 1(a)(i) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: Article 26 1 ¶ 1 The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks; Article 26 2(f) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop their ICT business continuity plans considering the results of the analysis of their exposures to and potential impact of severe business disruptions and scenarios to which their ICT assets supporting critical or important functions might be exposed, including a cyber-attack scenario. Article 39 1.] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on: Article 22 ¶ 1(b) {cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on: vulnerability management; Article 22 ¶ 1(b)(iii) {cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on: the detection of anomalous activities; Article 22 ¶ 1(b)(ii)] | Operational and Systems Continuity | Testing | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
Test the recovery plan, as necessary. CC ID 13290 [{response plan} Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development, testing and review of ICT response and recovery plans, in accordance with Articles 25 and 26 of this Regulation; Article 24 1(b)(iv)] | Operational and Systems Continuity | Testing | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Testing | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Define and prioritize critical business functions. CC ID 00736 [As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed. Article 30 1.] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails, and duly consider the potential impact of the insolvency, or other failures, of any relevant ICT third-party service provider; Article 26 2(b) As part of the ICT response and recovery plans referred to in paragraph 1, financial entities shall consider and implement continuity measures to mitigate failures of ICT third-party service providers of ICT services supporting critical or important functions of the financial entity. Article 26 4.] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Designate an alternate facility in the continuity plan. CC ID 00742 [In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: requires that arrangements are in place to: consider the need for additional processing sites, in particular where the diversity of the risk profiles of the primary and secondary sites does not provide sufficient confidence that the central counterparty's business continuity objectives will be met in all scenarios. Article 24 2 ¶ 1(c)(iv)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Review the beneficiaries of the insurance policy. CC ID 16563 | Operational and Systems Continuity | Business Processes | |
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Test the continuity plan, as necessary. CC ID 00755 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the review of the effectiveness of the implemented ICT business continuity arrangements, plans, procedures and mechanisms, in accordance with Article 26 of this Regulation; Article 24 1(b)(v) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall test their business continuity plans referred to in Article 39 of this Regulation, including the scenarios referred to in that Article, at least once every year for the back-up and restore procedures, or upon every major change of the business continuity plan. Article 40 1. The testing of business continuity plans referred to in paragraph 1 shall demonstrate that the financial entities referred to in that paragraph are able to sustain the viability of their businesses until critical operations are re-established and identify any deficiencies in those plans. Article 40 2.] | Operational and Systems Continuity | Testing | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans; Article 25 2 ¶ 1(d)] | Operational and Systems Continuity | Testing | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: be performed on the basis of test scenarios that simulate potential disruptions, including an adequate set of severe but plausible scenarios; Article 25 2 ¶ 1(a) Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: contain procedures to verify the ability of the financial entities' staff, of ICT third-party service providers, of ICT systems, and ICT services to respond adequately to the scenarios duly taken into account in accordance with Article 26(2). Article 25 2 ¶ 1(e)] | Operational and Systems Continuity | Testing | |
Analyze system interdependence during continuity plan tests. CC ID 13082 [In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: takes into account external links and interdependencies within the financial infrastructures, including trading venues cleared by the central counterparty, securities settlement and payment systems, and credit institutions used by the central counterparty or a linked central counterparty; Article 24 2 ¶ 1(b)] | Operational and Systems Continuity | Testing | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Testing | |
Utilize resource capacity management controls. CC ID 00939 [{capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the application of resource optimisation; Article 9 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify capacity requirements of their ICT assets and measures to maintain and improve the availability and efficiency of ICT systems and prevent ICT capacity shortages before they materialise; Article 34 ¶ 1(c)] | Operational management | Testing | |
Follow the resource workload schedule. CC ID 00941 | Operational management | Business Processes | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Operational management | Communicate | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Operational management | Behavior | |
Identify root causes of incidents that force system changes. CC ID 13482 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish and implement mechanisms to analyse significant or recurring ICT-related incidents and patterns in the number and the occurrence of ICT-related incidents. Article 22 ¶ 1(e)] | Operational management | Investigate | |
Analyze and respond to security alerts. CC ID 12504 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: prioritise the alerts referred to in point (b) to allow for the management of the detected ICT-related incidents within the expected resolution time, as specified by financial entities, both during and outside working hours; Article 23 2 ¶ 1(c)] | Operational management | Business Processes | |
Protect devices containing digital forensic evidence during transport. CC ID 08687 [{data at rest} Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. Article 23 3.] | Operational management | Investigate | |
Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 [{data at rest} Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. Article 23 3.] | Operational management | Investigate | |
Secure devices containing digital forensic evidence. CC ID 08681 [{data at rest} Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. Article 23 3.] | Operational management | Investigate | |
Test the incident response procedures. CC ID 01216 [{response plan} Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development, testing and review of ICT response and recovery plans, in accordance with Articles 25 and 26 of this Regulation; Article 24 1(b)(iv)] | Operational management | Testing | |
Test proposed changes prior to their approval. CC ID 00548 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: the changes are tested and finalised in a controlled manner; Article 17 1(c)(iii) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Testing | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 [The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Business Processes | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Process or Activity | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Investigate | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Investigate | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Technical Security | |
Perform a patch test prior to deploying a patch. CC ID 00898 [The patch management procedures referred to in paragraph 3 shall: test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii); Article 10 4(c)] | Operational management | Testing | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Testing | |
Review changes to computer firmware. CC ID 12226 | Operational management | Testing | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Testing | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification of security measures to ensure that only authorised software is installed in ICT systems and endpoint devices; Article 11 2 ¶ 1(c)] | Operational management | Technical Security | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 [The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Establish/Maintain Documentation | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 [After having made significant changes to their ICT systems, central counterparties and central securities depositories shall submit their ICT systems to stringent testing by simulating stressed conditions. Article 17 2 ¶ 1 The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Testing | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: there is an effective quality assurance; Article 17 1(c)(iv) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches; Article 17 1(g)] | Operational management | Testing | |
Establish, implement, and maintain a configuration change log. CC ID 08710 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management; Article 34 ¶ 1(f)] | Operational management | Configuration | |
Configure the "logging level" to organizational standards. CC ID 14456 | System hardening through configuration management | Configuration | |
Audit assets after maintenance was performed. CC ID 13657 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1] | System hardening through configuration management | Audits and Risk Management | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c)] | Records management | Monitor and Evaluate Occurrences | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Records Management | |
Review the degree of human intervention and control points in the system design requirements. CC ID 13536 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Analyze business activities to ensure information is categorized for system design projects. CC ID 11794 | Systems design, build, and implementation | Monitor and Evaluate Occurrences | |
Analyze existing systems during preliminary investigations for system design projects. CC ID 01043 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project risk assessment; Article 15 3(d)] | Systems design, build, and implementation | Testing | |
Document the results of the source code analysis. CC ID 14310 | Systems design, build, and implementation | Process or Activity | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1] | Systems design, build, and implementation | Testing | |
Test all software changes before promoting the system to a production environment. CC ID 01106 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure the testing and approval of ICT systems prior to their first use and before introducing changes to the production environment; Article 37 ¶ 1(b)] | Systems design, build, and implementation | Testing | |
Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 [The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: identify and analyse vulnerabilities and anomalies in the source code; Article 16 3(a)] | Systems design, build, and implementation | Testing | |
Review and test source code. CC ID 01086 [{system testing procedure} {static analysis} {dynamic analysis} The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: Article 16 3.] | Systems design, build, and implementation | Testing | |
Perform Quality Management on all newly developed or modified software. CC ID 11798 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1 The procedure referred to in paragraph 2 shall contain security testing of software packages no later than at the integration phase, in accordance with Article 8(2), points (b)(v), (vi) and (vii). Article 16 4. {open source code} The procedure referred to in paragraph 2 shall provide that proprietary software and, where feasible, the source code provided by ICT third-party service providers or coming from open-source projects, are to be analysed and tested in accordance with paragraph 3 prior to their deployment in the production environment. Article 16 8.] | Systems design, build, and implementation | Testing | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
Search the Internet for evidence of data leakage. CC ID 10419 [As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the prevention and detection of data leakages and the secure transfer of information between the financial entity and external parties; Article 14 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i)] | Privacy protection for information and data | Process or Activity | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: for network services agreements: whether those services are provided by an ICT intra-group service provider or by ICT third-party service providers. Article 13 ¶ 1(m)(ii)] | Third Party and supply chain oversight | Process or Activity | |
Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Systems Continuity | |
Perform risk assessments of third parties, as necessary. CC ID 06454 | Third Party and supply chain oversight | Testing | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: for ICT assets or services operated by an ICT third-party service provider, the identification and implementation of requirements to maintain digital operational resilience, in accordance with the results of the data classification and ICT risk assessment. Article 11 2 ¶ 1(k)] | Third Party and supply chain oversight | Business Processes |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 [{reporting requirements} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: establishes reporting arrangements, including the frequency, form, and content of reporting to the management body on the information security and digital operational resilience. Article 28 2(i)] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Leadership and high level objectives | Communicate | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Communicate | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Process or Activity | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Process or Activity | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Communicate | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Communicate | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Process or Activity | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Communicate | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Communicate | |
Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Process or Activity | |
Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Process or Activity | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Business Processes | |
Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Process or Activity | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Actionable Reports or Measurements | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Communicate | |
Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Process or Activity | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain warning procedures. CC ID 12407 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain alert procedures. CC ID 12406 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 [{reporting requirements} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: establishes reporting arrangements, including the frequency, form, and content of reporting to the management body on the information security and digital operational resilience. Article 28 2(i)] | Leadership and high level objectives | Business Processes | |
Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Business Processes | |
Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Leadership and high level objectives | Communicate | |
Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Communicate | |
Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Communicate | |
Identify the material topics required to be reported on. CC ID 15654 | Leadership and high level objectives | Business Processes | |
Check the list of material topics for completeness. CC ID 15692 | Leadership and high level objectives | Investigate | |
Prioritize material topics used in reporting. CC ID 15678 | Leadership and high level objectives | Communicate | |
Review and approve the material topics, as necessary. CC ID 15670 | Leadership and high level objectives | Process or Activity | |
Define the thresholds for reporting in the external reporting program. CC ID 15679 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Communicate | |
Include information about the organizational culture in the external reporting program. CC ID 15610 | Leadership and high level objectives | Establish/Maintain Documentation | |
Submit certification letters to interested personnel and affected parties. CC ID 16969 | Leadership and high level objectives | Communicate | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Leadership and high level objectives | Communicate | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Communicate | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Establish/Maintain Documentation | |
Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Leadership and high level objectives | Process or Activity | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions; Article 3 ¶ 1(b)(i)] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use; Article 12 2 ¶ 1(d) {data in transit} {data at rest} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to protect data in use, in transit, and at rest; Article 35 ¶ 1(a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the data source in the data governance and management practices. CC ID 17211 | Leadership and high level objectives | Data and Information Management | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the scope of the security policy. CC ID 07145 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1] | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include contact information in the organization's policies, standards, and procedures. CC ID 17167 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: support and escalation contacts, including external support contacts in case of unexpected operational or technical issues; Article 8 2 ¶ 1(c)(ii)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the effective date on all organizational policies. CC ID 06820 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: indicate the date of the formal approval of the ICT security policies by the management body; Article 2 2(b) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: the date of the approval of the report by the management body of the financial entity; Article 27 2 ¶ 1(b) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: where applicable, the date of the approval of the report by the management body of the financial entity; Article 41 2(b)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Authority Document list. CC ID 07113 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: list the documentation to be maintained; Article 2 2(f)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: sets out information security objectives and ICT requirements; Article 28 2(c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: contain indicators and measures to: record exceptions from that implementation; Article 2 2(c)(ii)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the objectives of the ICT business continuity policy, including the interrelation of ICT and overall business continuity, and considering the results of the business impact analysis (BIA) referred to in Article 11(5) of Regulation (EU) 2022/2554; Article 24 1(a)(i)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Align business continuity objectives with the business continuity policy. CC ID 12408 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the objectives of the ICT business continuity policy, including the interrelation of ICT and overall business continuity, and considering the results of the business impact analysis (BIA) referred to in Article 11(5) of Regulation (EU) 2022/2554; Article 24 1(a)(i)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain Information Technology project plans. CC ID 16944 [{project management} When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT project and change management; Article 1 ¶ 1 (d) The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project planning, timeframe, and steps; Article 15 3(c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Submit closure reports at the conclusion of each information technology project. CC ID 16948 [{individual} In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: individually or in aggregation, depending on the importance and size of the ICT projects; Article 15 5(a)] | Leadership and high level objectives | Actionable Reports or Measurements | |
Review and approve the closure report. CC ID 16947 | Leadership and high level objectives | Actionable Reports or Measurements | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Leadership and high level objectives | Establish/Maintain Documentation | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Business Processes | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Human Resources Management | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: relevant milestones; Article 15 3(e)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 [In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: periodically and, where necessary, on an event-driven basis. Article 15 5(b)] | Leadership and high level objectives | Actionable Reports or Measurements | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 [{individual} In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: individually or in aggregation, depending on the importance and size of the ICT projects; Article 15 5(a) In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: periodically and, where necessary, on an event-driven basis. Article 15 5(b) {critical function} In accordance with the ICT project risk assessment referred to in paragraph 3, point (d), the ICT project management policy referred to in paragraph 1 shall provide that the establishment and progress of ICT projects impacting critical or important functions of the financial entity and their associated risks are reported to the management body as follows: Article 15 5.] | Leadership and high level objectives | Actionable Reports or Measurements | |
Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506 [{mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 criteria for the selection of cryptographic techniques and use practices, taking into account leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and the classification of relevant ICT assets established in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities that are not able to adhere to the leading practices or standards, or to use the most reliable techniques, shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 3. {be resilient} {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 4.] | Monitoring and measurement | Establish/Maintain Documentation | |
Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Monitoring and measurement | Establish/Maintain Documentation | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 | Monitoring and measurement | Establish/Maintain Documentation | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the purpose in the audit and accountability policy. CC ID 14100 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Monitoring and measurement | Establish/Maintain Documentation | |
Include management commitment in the audit and accountability policy. CC ID 14097 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the audit and accountability policy. CC ID 14096 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Monitoring and measurement | Communicate | |
Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Process or Activity | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: contain safeguards against intrusions and data misuse; Article 2 1(b)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks; Article 26 2(f)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Monitoring and measurement | Establish/Maintain Documentation | |
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain an event logging policy. CC ID 15217 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Data and Information Management | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Data and Information Management | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain log analysis tools. CC ID 17056 | Monitoring and measurement | Technical Security | |
Document the event information to be logged in the event information log specification. CC ID 00639 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created; Article 12 2 ¶ 1(a)] | Monitoring and measurement | Configuration | |
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Monitoring and measurement | Configuration | |
Enable and configure logging on network access controls in accordance with organizational standards. CC ID 01963 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the requirement to log events related to all of the following: network traffic activities, including ICT network performance; Article 12 2 ¶ 1(c)(v)] | Monitoring and measurement | Configuration | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: without prejudice to any applicable regulatory requirements under Union or national law, the synchronisation of the clocks of each of the financial entity's ICT systems upon a documented reliable reference time source. Article 12 2 ¶ 1(f)] | Monitoring and measurement | Configuration | |
Review and update the list of auditable events in the event logging procedures. CC ID 10097 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the alignment of the level of detail of the logs with their purpose and usage to enable the effective detection of anomalous activities as referred to in Article 24; Article 12 2 ¶ 1(b)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: any changes to the ICT risk and cyber threat landscape; Article 3 ¶ 1(e)(i) Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: ICT risk of the financial entity that enables prompt detection of changes that could affect its ICT risk profile; Article 3 ¶ 1(e)(iii) {ICT risk management procedure} For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure: the monitoring of the effectiveness of the ICT risk treatment measures implemented; Article 3 ¶ 2(a)] | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: any changes to the ICT risk and cyber threat landscape; Article 3 ¶ 1(e)(i) Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: internal and external vulnerabilities and threats; Article 3 ¶ 1(e)(ii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to monitor relevant and up-to-date information about cyber threats; Article 34 ¶ 1(h) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i) The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions. Article 31 3.] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for new vulnerabilities. CC ID 06843 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on the monitoring of: internal and external vulnerabilities and threats; Article 3 ¶ 1(e)(ii) The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions. Article 31 3.] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a system security plan. CC ID 01922 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1] | Monitoring and measurement | Testing | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Establish/Maintain Documentation | |
Include threats in the system security plan. CC ID 14693 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations. Article 2 2(k)] | Monitoring and measurement | Establish/Maintain Documentation | |
Include network diagrams in the system security plan. CC ID 14273 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the design of networks in line with the ICT security requirements established by the financial entity, taking into account leading practices to ensure the confidentiality, integrity, and availability of the network; Article 13 ¶ 1(f)] | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
Include backup and recovery procedures in the system security plan. CC ID 17043 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption. Article 8 2 ¶ 1(c)(iii)] | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a testing program. CC ID 00654 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall establish and implement an ICT security testing plan to validate the effectiveness of their ICT security measures developed in accordance with Articles 33, 34 and 35 and Articles 37 and 38 of this Regulation. Financial entities shall ensure that that plan considers threats and vulnerabilities identified as part of the simplified ICT risk management framework referred to in Article 31 of this Regulation. Article 36 1.] | Monitoring and measurement | Behavior | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Establish/Maintain Documentation | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Communicate | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Establish/Maintain Documentation | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Communicate | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Monitoring and measurement | Human Resources Management | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Monitoring and measurement | Testing | |
Document improvement actions based on test results and exercises. CC ID 16840 | Monitoring and measurement | Establish/Maintain Documentation | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Monitoring and measurement | Testing | |
Protect systems and data during testing in the production environment. CC ID 17198 [{ICT security} For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment. Article 8 2 ¶ 3] | Monitoring and measurement | Testing | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Monitoring and measurement | Data and Information Management | |
Define the criteria to conduct testing in the production environment. CC ID 17197 [{ICT security} For the purposes of point (b)(vii), the policies and procedures referred to in paragraph 1 shall provide that the instances in which testing is performed in a production environment are clearly identified, reasoned, are for limited periods of time, and are approved by the relevant function in accordance with Article 16(6). Financial entities shall ensure the availability, confidentiality, integrity, and authenticity of ICT systems and production data during development and test activities in the production environment. Article 8 2 ¶ 3] | Monitoring and measurement | Testing | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Monitoring and measurement | Behavior | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Monitoring and measurement | Testing | |
Define the test requirements for each testing program. CC ID 13177 | Monitoring and measurement | Establish/Maintain Documentation | |
Include test requirements for the use of production data in the testing program. CC ID 17201 [By way of derogation from paragraph 5, the procedure referred to in paragraph 2 may provide that production data are stored only for specific testing occasions, for limited periods of time, and following the approval by the relevant function and the reporting of such occasions to the ICT risk management function. Article 16 6.] | Monitoring and measurement | Testing | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Testing | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Testing | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Testing | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Monitoring and measurement | Communicate | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Testing | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Establish/Maintain Documentation | |
Deny network access to rogue devices until network access approval has been received. CC ID 11852 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the identification and implementation of network access controls to prevent and detect connections to the financial entity's network by any unauthorised device or system, or any endpoint not meeting the financial entity's security requirements; Article 13 ¶ 1(d)] | Monitoring and measurement | Configuration | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Establish/Maintain Documentation | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Communicate | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Communicate | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Communicate | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Establish/Maintain Documentation | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Monitoring and measurement | Process or Activity | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Monitoring and measurement | Process or Activity | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Testing | |
Define the test frequency for each testing program. CC ID 13176 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Establish/Maintain Documentation | |
Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Process or Activity | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Monitoring and measurement | Establish/Maintain Documentation | |
Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Establish/Maintain Documentation | |
Include electrical systems in the business line testing strategy. CC ID 13251 | Monitoring and measurement | Establish/Maintain Documentation | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Establish/Maintain Documentation | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Establish/Maintain Documentation | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental controls in the business line testing strategy. CC ID 13246 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement vulnerability management procedures. Article 10 1. {critical function} The vulnerability management procedures referred to in paragraph 1 shall: track the usage of: third-party libraries, including open-source libraries, used by ICT services supporting critical or important functions; Article 10 2 ¶ 1(d)(i) The vulnerability management procedures referred to in paragraph 1 shall: verify whether: ICT third-party service providers handle vulnerabilities related to the ICT services provided to the financial entity; Article 10 2 ¶ 1(c)(i)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [{vulnerability assessment} The vulnerability management procedures referred to in paragraph 1 shall: ensure the performance of automated vulnerability scanning and assessments on ICT assets, whereby the frequency and scope of those activities shall be commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of the ICT asset; Article 10 2 ¶ 1(b)] | Monitoring and measurement | Establish/Maintain Documentation | |
Conduct scanning activities in a test environment. CC ID 17036 | Monitoring and measurement | Testing | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Technical Security | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Communicate | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Records Management | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Business Processes | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Testing | |
Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Process or Activity | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Establish Roles | |
Document and maintain test results. CC ID 17028 [The financial entities referred to in paragraph 1 shall monitor and evaluate the results of the security tests and update their security measures accordingly without undue delay in the case of ICT systems supporting critical or important functions. Article 36 3.] | Monitoring and measurement | Testing | |
Include the pass or fail test status in the test results. CC ID 17106 | Monitoring and measurement | Establish/Maintain Documentation | |
Include time information in the test results. CC ID 17105 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the system tested in the test results. CC ID 17104 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the availability, authenticity, integrity and confidentiality of data during network transmission, and the establishment of procedures to assess compliance with those requirements; Article 14 1(a)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: contain indicators and measures to: ensure that the digital operational resilience of the financial entity is ensured in case of exceptions as referred to in point (ii); Article 2 2(c)(iii)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: contain indicators and measures to: monitor the implementation of the ICT security policies, procedures, protocols, and tools; Article 2 2(c)(i)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a log management program. CC ID 00673 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created; Article 12 2 ¶ 1(a)] | Monitoring and measurement | Establish/Maintain Documentation | |
Include transfer procedures in the log management program. CC ID 17077 | Monitoring and measurement | Establish/Maintain Documentation | |
Protect logs from unauthorized activity. CC ID 01345 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use; Article 12 2 ¶ 1(d) The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created; Article 12 2 ¶ 1(a)] | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain security reports. CC ID 16882 [{review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 41 2(a)(ii)] | Monitoring and measurement | Establish/Maintain Documentation | |
Include data handling procedures in the security report. CC ID 16889 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of changes that have occurred in the security report. CC ID 16976 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the implemented controls in the security report. CC ID 16974 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the computing environment in the security report. CC ID 16972 | Monitoring and measurement | Establish/Maintain Documentation | |
Include corrective actions taken in the security report. CC ID 16967 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the inspection schedule in the security report. CC ID 16966 | Monitoring and measurement | Establish/Maintain Documentation | |
Include audit reports in the security report. CC ID 16964 | Monitoring and measurement | Establish/Maintain Documentation | |
Include third party certifications in the security report. CC ID 16960 | Monitoring and measurement | Establish/Maintain Documentation | |
Include disclosures of restricted data in the security report. CC ID 16892 | Monitoring and measurement | Establish/Maintain Documentation | |
Include re-disclosure agreements in the security report. CC ID 16895 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the security report to interested personnel and affected parties. CC ID 16888 | Monitoring and measurement | Communicate | |
Include a list of authorized personnel in the security report. CC ID 16887 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the uses of restricted data in the security report. CC ID 16886 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the completion date in the corrective action plan. CC ID 13272 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: an expected date for implementing the measures and dates related to the internal control of the implementation, including information on the state of progress of the implementation of those measures as at the date of drafting of the report, explaining, where applicable, if there is a risk that deadlines may not be respected; Article 27 2 ¶ 1(h)(ii)] | Monitoring and measurement | Establish/Maintain Documentation | |
Provide intelligence support to the organization, as necessary. CC ID 14020 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Monitoring and measurement | Technical Security | |
Leverage cyber threat intelligence when employing Technical Surveillance Countermeasures. CC ID 12697 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity; Article 23 2 ¶ 1(a)(ii)] | Monitoring and measurement | Technical Security | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 [The financial entities referred to in paragraph 1 shall ensure an appropriate segregation and the independence of control functions and internal audit functions. Article 28 4.] | Audits and risk management | Establish Roles | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5.] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation | |
Assign the audit to impartial auditors. CC ID 07118 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5.] | Audits and risk management | Establish Roles | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Audits and Risk Management | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Audits and risk management | Process or Activity | |
Establish and maintain audit terms. CC ID 13880 [Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the reason for the review of the ICT risk management framework in accordance with Article 6(5) of Regulation (EU) 2022/2554; Article 27 2 ¶ 1(c)] | Audits and risk management | Establish/Maintain Documentation | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Process or Activity | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Establish/Maintain Documentation | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 [{ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a summary of findings, and a self-assessment of the severity of the weaknesses, deficiencies, and gaps identified in ICT risk management framework for the review period, including a detailed analysis thereof; Article 41 2(f)] | Audits and risk management | Audits and Risk Management | |
Include changes in the audit assertion's in scope system description. CC ID 14894 [For the purposes of point (f), the description shall contain an analysis of the impact of the changes on the financial entity's digital operational resilience strategy, on the financial entity's ICT internal control framework, and on the financial entity's ICT risk management governance. Article 27 2 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 [{ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a description of the reasons for the review, including: where the review has been initiated following the occurrence of ICT-related incidents, the list of all those ICT-related incidents with related incident root-cause analysis; Article 41 2(c)(ii) {review} {ICT risk management framework} For the purposes of point (c), where the review was initiated following supervisory instructions, or conclusions derived from relevant digital operational resilience testing or audit processes, the report shall contain explicit references to such instructions or conclusions, allowing for the identification of the reason for initiating the review. Where the review was initiated following ICT-related incidents, the report shall contain the list of all ICT-related incidents with incident root-cause analysis. Article 27 2 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Establish/Maintain Documentation | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Establish/Maintain Documentation | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Establish/Maintain Documentation | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5.] | Audits and risk management | Establish/Maintain Documentation | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: information on the process for informing the competent authority, where appropriate; Article 27 2 ¶ 1(h)(v)] | Audits and risk management | Establish/Maintain Documentation | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: summarises the major changes in the ICT risk management framework since the previous report submitted; Article 27 2 ¶ 1(a)(iii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the major changes and improvements to the ICT risk management framework since the previous review; Article 27 2 ¶ 1(f) {review} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: a summary of the major changes in the ICT risk management framework since the previous report; Article 41 2(a)(iv) {review} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: a summary and a description of the impact of major changes to the simplified ICT risk management framework since the previous report; Article 41 2(a)(v)] | Audits and risk management | Establish/Maintain Documentation | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5.] | Audits and risk management | Audits and Risk Management | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and risk management | Audits and Risk Management | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Communicate | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 [{ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: overall conclusions on the review of the simplified ICT risk management framework, including any further planned developments. Article 41 2(h)] | Audits and risk management | Establish/Maintain Documentation | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Audits and Risk Management | |
Establish and maintain organizational audit reports. CC ID 06731 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: for financial entities other than microenterprises as referred to in Article 6(6) of Regulation (EU) 2022/2554, the results of internal audits; Article 27 2 ¶ 1(l)(i) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: the results of compliance assessments; Article 27 2 ¶ 1(l)(ii)] | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the audit report. CC ID 17263 | Audits and risk management | Establish/Maintain Documentation | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Audits and Risk Management | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Establish/Maintain Documentation | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Establish/Maintain Documentation | |
Include written agreements in the audit report. CC ID 17266 | Audits and risk management | Establish/Maintain Documentation | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Establish/Maintain Documentation | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Establish/Maintain Documentation | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Establish/Maintain Documentation | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the audit in the audit report. CC ID 07024 [{review} {ICT risk management framework} {start date} Financial entities shall include all of the following information in the report referred to in paragraph 1: the start and end dates of the review period; Article 27 2 ¶ 1(d)] | Audits and risk management | Actionable Reports or Measurements | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: clearly identifies the financial entity that is the subject of the report, and describes its group structure, where relevant; Article 27 2 ¶ 1(a)(i) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: describes the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency; Article 27 2 ¶ 1(a)(ii) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: a description of the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, the financial entity's organisation, identified critical functions, strategy, major ongoing projects or activities, and relationships, and the financial entity's dependence on in-house and outsourced ICT services and systems, or the implications that a total loss or severe degradation of such systems would have on critical or important functions and market efficiency; Article 41 2(a)(i) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 41 2(a)(ii) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: information about the reported area; Article 41 2(a)(iii) {review} {ICT risk management framework} {be internal} {be external} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: tools to be used, and the identification of the function responsible for carrying out the measures, detailing whether the tools and functions are internal or external; Article 27 2 ¶ 1(h)(iii) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: the person responsible for the review; Article 41 2(e) {review} {ICT risk management framework} {be responsible} Financial entities shall include all of the following information in the report referred to in paragraph 1: an indication of the function responsible for the review; Article 27 2 ¶ 1(e)] | Audits and risk management | Actionable Reports or Measurements | |
Include any discussions of significant findings in the audit report. CC ID 13955 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a summary of the findings of the review and detailed analysis and assessment of the severity of the weaknesses, deficiencies, and gaps in the ICT risk management framework during the review period; Article 27 2 ¶ 1(g) {review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 41 2(a)(ii) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a summary of findings, and a self-assessment of the severity of the weaknesses, deficiencies, and gaps identified in ICT risk management framework for the review period, including a detailed analysis thereof; Article 41 2(f) {review} {ICT risk management framework} For the purposes of point (c), where the review was initiated following supervisory instructions, or conclusions derived from relevant digital operational resilience testing or audit processes, the report shall contain explicit references to such instructions or conclusions, allowing for the identification of the reason for initiating the review. Where the review was initiated following ICT-related incidents, the report shall contain the list of all ICT-related incidents with incident root-cause analysis. Article 27 2 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Establish/Maintain Documentation | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Establish/Maintain Documentation | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Establish/Maintain Documentation | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Establish/Maintain Documentation | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Establish/Maintain Documentation | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Audits and Risk Management | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Establish/Maintain Documentation | |
Include recommended corrective actions in the audit report. CC ID 16197 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: Article 27 2 ¶ 1(h) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: overall conclusions on the review of the simplified ICT risk management framework, including any further planned developments. Article 41 2(h) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: a summary of measures taken to remediate to identified weaknesses, deficiencies and gaps; Article 27 2 ¶ 1(h)(i)] | Audits and risk management | Establish/Maintain Documentation | |
Include the cost of corrective action in the audit report. CC ID 17015 | Audits and risk management | Audits and Risk Management | |
Include risks and opportunities in the audit report. CC ID 16196 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: provides an executive level summary of the current and near-term ICT risk profile, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 27 2 ¶ 1(a)(iv)] | Audits and risk management | Establish/Maintain Documentation | |
Include the description of tests of controls and results in the audit report. CC ID 14898 [{review} {ICT risk management framework} {be internal} {be external} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: tools to be used, and the identification of the function responsible for carrying out the measures, detailing whether the tools and functions are internal or external; Article 27 2 ¶ 1(h)(iii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: provides an executive level summary of the current and near-term ICT risk profile, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 27 2 ¶ 1(a)(iv)] | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Establish/Maintain Documentation | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Establish/Maintain Documentation | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Audits and Risk Management | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: results of digital operational resilience testing, and where applicable the results of advanced testing, based on threat-led penetration testing (TLPT), of ICT tools, systems, and processes; Article 27 2 ¶ 1(l)(iii)] | Audits and risk management | Establish/Maintain Documentation | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Establish/Maintain Documentation | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's in scope system description in the audit report. CC ID 11626 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: describes the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency; Article 27 2 ¶ 1(a)(ii) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: Article 27 2 ¶ 1(l)] | Audits and risk management | Audits and Risk Management | |
Include the scope and work performed in the audit report. CC ID 11621 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: sources of information used in the preparation of the report, including all of the following: external sources. Article 27 2 ¶ 1(l)(iv) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a description of the reasons for the review, including: Article 41 2(c) {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: a description of the reasons for the review, including: where the review has been initiated following supervisory instructions, evidence of such instructions; Article 41 2(c)(i)] | Audits and risk management | Audits and Risk Management | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Establish/Maintain Documentation | |
Include the results of the business impact analysis in the audit report. CC ID 17208 [{review} {ICT risk management framework} {financial resource} {human resource} Financial entities shall include all of the following information in the report referred to in paragraph 1: a description of the measures to address identified weaknesses, deficiencies, and gaps, including all of the following: a description of the impact of the changes envisaged in the measures on the financial entity's budgetary, human, and material resources, including resources dedicated to the implementation of any corrective measures; Article 27 2 ¶ 1(h)(iv) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: describes the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency; Article 27 2 ¶ 1(a)(ii)] | Audits and risk management | Establish/Maintain Documentation | |
Include an audit opinion in the audit report. CC ID 07017 [Financial entities shall include all of the following information in the report referred to in paragraph 1: conclusions resulting from the review of the ICT risk management framework; Article 27 2 ¶ 1(j) {review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: provides an executive level summary of the current and near-term ICT risk profile, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 27 2 ¶ 1(a)(iv)] | Audits and risk management | Establish/Maintain Documentation | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Establish/Maintain Documentation | |
Include items that pertain to third parties in the audit report. CC ID 07008 [{review} {ICT risk management framework} Financial entities shall include all of the following information in the report referred to in paragraph 1: an introductory section that: describes the context of the report in terms of the nature, scale, and complexity of the financial entity's services, activities, and operations, its organisation, identified critical functions, strategy, major ongoing projects or activities, relationships and its dependence on in-house and contracted ICT services and systems or the implications that a total loss or severe degradation of such systems would have in terms of critical or important functions and market efficiency; Article 27 2 ¶ 1(a)(ii)] | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Establish/Maintain Documentation | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 [{review} {ICT risk management framework} The report referred to in paragraph 1 shall contain all of the following information: an introductory section providing: an executive level summary of the current and near-term ICT risk identified, threat landscape, the assessed effectiveness of its controls, and the security posture of the financial entity; Article 41 2(a)(ii)] | Audits and risk management | Establish/Maintain Documentation | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [{be searchable} Financial entities shall submit the report on the review of the ICT risk management framework referred to in Article 6(5) of Regulation (EU) 2022/2554 in a searchable electronic format. Article 27 1. {be searchable} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall submit the report on the review of the ICT risk management framework referred to in paragraph 2 of that Article in a searchable electronic format. Article 41 1.] | Audits and risk management | Establish/Maintain Documentation | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Communicate | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Communicate | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The financial entities referred to in paragraph 1 shall ensure that their simplified ICT risk management framework is subject to an internal audit by auditors, in line with the financial entities' audit plan. The auditors shall have sufficient knowledge, skills, and expertise in ICT risk, and shall be independent. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity. Article 28 5. {ICT risk management framework} {start date} The report referred to in paragraph 1 shall contain all of the following information: the start and end date of the review period; Article 41 2(d)] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk management program. CC ID 12051 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1 Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: Article 3 ¶ 1 The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to; Article 28 2(f) {governance, risk, and compliance framework} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk to achieve a high level of digital operational resilience. Article 28 1.] | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of risk management activities in the risk management program. CC ID 13658 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Business Processes | |
Integrate the risk management program into daily business decision-making. CC ID 13659 | Audits and risk management | Business Processes | |
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Establish/Maintain Documentation | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Audits and Risk Management | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1 Based on their information security policy referred to in paragraph 1, the financial entities referred to in paragraph 1 shall establish and implement ICT security measures to mitigate their exposure to ICT risk, including mitigating measures implemented by ICT third-party service providers. Article 29 2 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Establish/Maintain Documentation | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Data and Information Management | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: requirements to ensure that the performance of internal audit and other testing minimises disruptions to business operations; Article 8 2 ¶ 1(b)(iv)] | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Audits and Risk Management | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Establish/Maintain Documentation | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Establish/Maintain Documentation | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Establish/Maintain Documentation | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Establish/Maintain Documentation | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Establish/Maintain Documentation | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Establish/Maintain Documentation | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Establish/Maintain Documentation | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Establish/Maintain Documentation | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Establish/Maintain Documentation | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Establish/Maintain Documentation | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: Article 3 ¶ 1(b)] | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 [The financial entities referred to in paragraph 1 shall carry out and document the ICT risk assessment periodically commensurate to the financial entities' ICT risk profile. Article 31 2.] | Audits and risk management | Establish/Maintain Documentation | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: provisions on a process to ensure that any changes to the business strategy and the digital operational resilience strategy of the financial entity are taken into account. Article 3 ¶ 1(f)] | Audits and risk management | Establish/Maintain Documentation | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Audits and Risk Management | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i); Article 3 ¶ 1(b)(ii)] | Audits and risk management | Audits and Risk Management | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Communicate | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to; Article 28 2(f) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the identification and assessment of the ICT risks to which the financial entity is exposed; Article 31 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the identification and assessment of any ICT and information security risks resulting from any major change in ICT system or ICT services, processes, or procedures, and from ICT security testing results and after any major ICT-related incident. Article 31 1(e)] | Audits and risk management | Testing | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 [The financial entities referred to in paragraph 1 shall carry out and document the ICT risk assessment periodically commensurate to the financial entities' ICT risk profile. Article 31 2.] | Audits and risk management | Establish/Maintain Documentation | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: ensures that the staff of the financial entity is kept up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, commensurate to the ICT risk being managed; Article 28 2(h)] | Audits and risk management | Business Processes | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Audits and Risk Management | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Establish/Maintain Documentation | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Establish/Maintain Documentation | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Establish/Maintain Documentation | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Establish/Maintain Documentation | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Establish/Maintain Documentation | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity's activities. Article 1 ¶ 1(e)] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Establish/Maintain Documentation | |
Document organizational risk tolerance in a risk register. CC ID 09961 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: a determination of the risk tolerance levels for ICT risk, in accordance with the risk appetite of the financial entity; Article 31 1(a)] | Audits and risk management | Establish/Maintain Documentation | |
Review the Business Impact Analysis, as necessary. CC ID 12774 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies; Article 28 2(d)(i)] | Audits and risk management | Business Processes | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: specifies and implements the policies and measures included in Chapters I, II and III of this Title to identify, assess and manage the ICT risk the financial entity is exposed to; Article 28 2(f) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the identification and assessment of the ICT risks to which the financial entity is exposed; Article 31 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the identification and assessment of any ICT and information security risks resulting from any major change in ICT system or ICT services, processes, or procedures, and from ICT security testing results and after any major ICT-related incident. Article 31 1(e)] | Audits and risk management | Audits and Risk Management | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [{ICT risk management procedure} For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure: the assessment of whether the established risk tolerance levels of the financial entity have been attained; Article 3 ¶ 2(b) The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: bears the overall responsibility for ensuring that the simplified ICT risk management framework allows for the achievement of the financial entity's business strategy in accordance with the risk appetite of that financial entity, and ensures that ICT risk is considered in that context; Article 28 2(a)] | Audits and risk management | Establish/Maintain Documentation | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [{exceed} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the specification of mitigation strategies at least for the ICT risks that are not within the risk tolerance levels of the financial entity; Article 31 1(c)] | Audits and risk management | Establish/Maintain Documentation | |
Approve the risk acceptance level, as necessary. CC ID 17168 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: an indication of the approval of the risk tolerance level for ICT risk established in accordance with Article 6(8), point (b), of Regulation (EU) 2022/2554; Article 3 ¶ 1(a)] | Audits and risk management | Process or Activity | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Establish/Maintain Documentation | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment. Article 7 2. {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 criteria for the selection of cryptographic techniques and use practices, taking into account leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and the classification of relevant ICT assets established in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities that are not able to adhere to the leading practices or standards, or to use the most reliable techniques, shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 3.] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a); Article 3 ¶ 1(c)] | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Audits and risk management | Establish/Maintain Documentation | |
Include time information in the risk treatment plan. CC ID 16993 | Audits and risk management | Establish/Maintain Documentation | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Establish/Maintain Documentation | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Audits and Risk Management | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 [{ICT risk management procedure} {risk treatment measure} For the purposes of the first paragraph, point (c), the procedure referred to in that point shall ensure: the assessment of whether the financial entity has taken actions to correct or improve those measures where necessary. Article 3 ¶ 2(c) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following: the monitoring of the effectiveness of the mitigation strategies referred to in point (c); Article 31 1(d)] | Audits and risk management | Establish/Maintain Documentation | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Communicate | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: a procedure and a methodology to conduct the ICT risk assessment, identifying: the procedure to identify, implement, and document ICT risk treatment measures for the ICT risks identified and assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance level referred to in point (a); Article 3 ¶ 1(c)] | Audits and risk management | Establish/Maintain Documentation | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [{residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the review of the accepted residual ICT risks at least once a year, including: Article 3 ¶ 1(d)(iv) {residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): the development of an inventory of the accepted residual ICT risks, including a justification for their acceptance; Article 3 ¶ 1(d)(iii) {residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the review of the accepted residual ICT risks at least once a year, including: the identification of any changes to the residual ICT risks; Article 3 ¶ 1(d)(iv)(1) {residual risk} {be valid} {be applicable} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): provisions on the review of the accepted residual ICT risks at least once a year, including: the assessment of whether the reasons justifying the acceptance of residual ICT risks are still valid and applicable at the date of the review; Article 3 ¶ 1(d)(iv)(3)] | Audits and risk management | Business Processes | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Establish/Maintain Documentation | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: network security; Article 1 ¶ 1(c)] | Audits and risk management | Audits and Risk Management | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Communicate | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Communicate | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Establish/Maintain Documentation | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Communicate | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Communicate | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Establish/Maintain Documentation | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Establish/Maintain Documentation | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Establish/Maintain Documentation | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Establish/Maintain Documentation | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [Based on their information security policy referred to in paragraph 1, the financial entities referred to in paragraph 1 shall establish and implement ICT security measures to mitigate their exposure to ICT risk, including mitigating measures implemented by ICT third-party service providers. Article 29 2 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Communicate | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Communicate | |
Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity; Article 35 ¶ 1(b)] | Technical security | Establish/Maintain Documentation | |
Establish the criticality of the network and systems. CC ID 00006 [The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account: Article 5 2. The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account: the ICT risk related to those business functions and their dependencies on the information assets or ICT assets; Article 5 2(a) The procedure for management of ICT assets referred to in paragraph 1 shall specify the criteria to perform the criticality assessment of information assets and ICT assets supporting business functions. That assessment shall take into account: how the loss of confidentiality, integrity, and availability of such information assets and ICT assets would impact the business processes and activities of the financial entities. Article 5 2(b)] | Technical security | Technical Security | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 [As part of their control of access management rights, financial entities shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities' information to enable assignment of user access rights in accordance with Article 21. Article 20 1. For the purposes of point (b), financial entities shall, where feasible and appropriate, deploy automated solutions for the lifecycle identity management process. Article 20 2 ¶ 3] | Technical security | Establish/Maintain Documentation | |
Establish the requirements for Identity Assurance Levels. CC ID 13857 | Technical security | Technical Security | |
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 | Technical security | Establish/Maintain Documentation | |
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Establish/Maintain Documentation | |
Include termination procedures in the authorized representatives policy. CC ID 17226 | Technical security | Establish/Maintain Documentation | |
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Establish/Maintain Documentation | |
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Establish/Maintain Documentation | |
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 | Technical security | Establish/Maintain Documentation | |
Implement digital identification processes. CC ID 13731 | Technical security | Process or Activity | |
Implement identity proofing processes. CC ID 13719 | Technical security | Process or Activity | |
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Technical security | Process or Activity | |
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Technical security | Process or Activity | |
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Technical security | Process or Activity | |
Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Technical security | Establish/Maintain Documentation | |
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Technical security | Configuration | |
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Technical security | Process or Activity | |
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Technical security | Process or Activity | |
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Technical security | Process or Activity | |
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Technical security | Process or Activity | |
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Technical security | Process or Activity | |
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Technical security | Configuration | |
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Technical security | Configuration | |
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Technical security | Configuration | |
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Technical security | Process or Activity | |
Allow records that relate to the data subject as proof of identity. CC ID 13772 | Technical security | Process or Activity | |
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Technical security | Process or Activity | |
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Technical security | Process or Activity | |
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Technical security | Process or Activity | |
Refrain from approving attributes in the identity proofing process. CC ID 13716 | Technical security | Process or Activity | |
Establish, implement, and maintain federated identity systems. CC ID 13837 | Technical security | Technical Security | |
Authenticate all systems in a federated identity system. CC ID 13835 | Technical security | Technical Security | |
Send and receive authentication assertions, as necessary. CC ID 13839 | Technical security | Technical Security | |
Make the assertion reference for authentication assertions single-use. CC ID 13843 | Technical security | Technical Security | |
Limit the lifetime of the assertion reference. CC ID 13874 | Technical security | Technical Security | |
Refrain from using authentication assertions that have expired. CC ID 13872 | Technical security | Technical Security | |
Protect the authentication assertion from unauthorized access or unauthorized disclosure. CC ID 16836 | Technical security | Technical Security | |
Include the issuer identifier in the authentication assertion. CC ID 13865 | Technical security | Technical Security | |
Include attribute metadata in the authentication assertion. CC ID 13856 | Technical security | Technical Security | |
Include the authentication time in the authentication assertion. CC ID 13855 | Technical security | Technical Security | |
Validate each element within the authentication assertion. CC ID 13853 | Technical security | Technical Security | |
Include the subject in the authentication assertion. CC ID 13852 | Technical security | Technical Security | |
Include the target audience in the authentication assertion. CC ID 13851 | Technical security | Technical Security | |
Include audience restrictions in the authentication assertion. CC ID 13870 | Technical security | Technical Security | |
Include the issue date in the authentication assertion. CC ID 13850 | Technical security | Technical Security | |
Revoke authentication assertions, as necessary. CC ID 16534 | Technical security | Technical Security | |
Include the expiration date in the authentication assertion. CC ID 13849 | Technical security | Technical Security | |
Include identifiers in the authentication assertion. CC ID 13848 | Technical security | Technical Security | |
Include digital signatures in the authentication assertion. CC ID 13847 | Technical security | Technical Security | |
Include key binding in the authentication assertion. CC ID 13846 | Technical security | Technical Security | |
Include attribute references in the authentication assertion. CC ID 13845 | Technical security | Technical Security | |
Include attribute values in the authentication assertion. CC ID 13844 | Technical security | Technical Security | |
Limit the use of the assertion reference to a single organization. CC ID 13841 | Technical security | Technical Security | |
Request attribute references instead of attribute values during the presentation of an authentication assertion. CC ID 13840 | Technical security | Technical Security | |
Define the assertion level for authentication assertions. CC ID 13873 | Technical security | Technical Security | |
Refrain from assigning assertion levels for authentication assertions when not defined. CC ID 13879 | Technical security | Technical Security | |
Authenticate systems referenced in the allowlist. CC ID 13838 | Technical security | Technical Security | |
Place nonmembers of allowlists and denylists into a gray area until a runtime decision is made during the authentication assertion. CC ID 13854 | Technical security | Technical Security | |
Require runtime decisions regarding authentication for organizations that are excluded from the allowlist. CC ID 13842 | Technical security | Technical Security | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain access control policies. CC ID 00512 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the access control policy. CC ID 14003 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: assignment of roles and responsibilities for granting, reviewing, and revoking access rights; Article 21 ¶ 1(e)(i)] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 [{logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: account management procedures to grant, change, or revoke access rights for user and generic accounts, including generic administrator accounts; Article 33 ¶ 1(c)] | Technical security | Establish/Maintain Documentation | |
Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Technical Security | |
Inventory all user accounts. CC ID 13732 | Technical security | Establish/Maintain Documentation | |
Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Data and Information Management | |
Control access rights to organizational assets. CC ID 00004 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: a provision on restrictions of access to ICT assets, setting out controls and tools to prevent unauthorised access; Article 21 ¶ 1(d) {generic account} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: a provision on user accountability, by limiting to the extent possible the use of generic and shared user accounts and ensuring that users are identifiable for the actions performed in the ICT systems at all times; Article 21 ¶ 1(c)] | Technical security | Technical Security | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Configuration | |
Establish access rights based on least privilege. CC ID 01411 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: the assignment of access rights to ICT assets based on need-to-know, need-to-use and least privilege principles, including for remote and emergency access; Article 21 ¶ 1(a) {critical asset} {ad hoc access} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the granting of physical access rights to critical ICT assets to authorised persons only, in accordance with the need-to-know and least privilege principles, and on an ad-hoc basis; Article 21 ¶ 1(g)(ii) {logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: access rights to information assets, ICT assets, and their supported functions, and to critical locations of operation of the financial entity, are managed on a need-to-know, need-to-use and least privileges basis, including for remote and emergency access; Article 33 ¶ 1(a) {privileged access} {emergency access} {need-to-use basis} For the purposes of point (c), the financial entity shall assign privileged, emergency, and administrator access on a need-to-use or an ad-hoc basis for all ICT systems, and shall be logged in accordance with Article 34, first paragraph, point (f). Article 33 ¶ 2] | Technical security | Technical Security | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [For the purposes of point (b), where encryption of data in use is not possible, financial entities shall process data in use in a separated and protected environment, or take equivalent measures to ensure the confidentiality, integrity, authenticity, and availability of data. Article 6 2 ¶ 2] | Technical security | Configuration | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Technical security | Communicate | |
Establish, implement, and maintain session lock capabilities. CC ID 01417 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the procedures to limit, lock, and terminate system and remote sessions after a specified period of inactivity; Article 13 ¶ 1(l)] | Technical security | Configuration | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Configuration | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Configuration | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Configuration | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Configuration | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the access restrictions referred to in Article 21 of this Regulation, supporting the protection requirements for each level of classification; Article 11 2 ¶ 1(a) As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: the use of authentication methods commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and to the overall risk profile of ICT assets and considering leading practices; Article 21 ¶ 1(f)(i) {logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: authentication methods that are commensurate to the classification referred to in Article 30(1) and to the overall risk profile of ICT assets, and which are based on leading practices; Article 33 ¶ 1(d) For the purposes of point (d), financial entities shall use strong authentication methods that are based on leading practices for remote access to the financial entities' network, for privileged access, and for access to ICT assets supporting critical or important functions that are publicly available. Article 33 ¶ 3] | Technical security | Technical Security | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
Enforce access restrictions for change control. CC ID 01428 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: mechanisms to ensure the independence of the functions that approve changes and the functions responsible for requesting and implementing those changes; Article 17 1(b)] | Technical security | Technical Security | |
Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Technical security | Establish/Maintain Documentation | |
Review each user's access capabilities when their role changes. CC ID 00524 [{logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: access rights are periodically reviewed and are withdrawn when no longer required. Article 33 ¶ 1(e)] | Technical security | Technical Security | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts. Article 20 2 ¶ 1(b)] | Technical security | Technical Security | |
Review and approve logical access to all assets based upon organizational policies. CC ID 06641 [{logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: Article 33 ¶ 1] | Technical security | Technical Security | |
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: Article 21 ¶ 1(e) The identity management policies and procedures referred to in paragraph 1 shall contain all of the following: a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts. Article 20 2 ¶ 1(b)] | Technical security | Technical Security | |
Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Technical Security | |
Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Establish/Maintain Documentation | |
Enforce the password policy. CC ID 16347 | Technical security | Technical Security | |
Maintain a log of the overrides of the biometric system. CC ID 17000 | Technical security | Log Management | |
Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain access control procedures. CC ID 11663 | Technical security | Establish/Maintain Documentation | |
Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Configuration | |
Document approving and granting access in the access control log. CC ID 06786 [{privileged access} {emergency access} {need-to-use basis} For the purposes of point (c), the financial entity shall assign privileged, emergency, and administrator access on a need-to-use or an ad-hoc basis for all ICT systems, and shall be logged in accordance with Article 34, first paragraph, point (f). Article 33 ¶ 2 The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management; Article 34 ¶ 1(f)] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Communicate | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 [For the purposes of point (a), financial entities shall maintain records of all identity assignments. Those records shall be kept following a reorganisation of the financial entity or after the end of the contractual relationship without prejudice to the retention requirements laid down in applicable Union and national law. Article 20 2 ¶ 2] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an identification and authentication policy. CC ID 14033 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: Article 21 ¶ 1(f) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1.] | Technical security | Establish/Maintain Documentation | |
Include the purpose in the identification and authentication policy. CC ID 14234 | Technical security | Establish/Maintain Documentation | |
Include the scope in the identification and authentication policy. CC ID 14232 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the identification and authentication policy. CC ID 14229 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the identification and authentication policy. CC ID 14225 | Technical security | Establish/Maintain Documentation | |
Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Technical security | Communicate | |
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance; Article 18 2 ¶ 1(d) As part of their control of access management rights, financial entities shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities' information to enable assignment of user access rights in accordance with Article 21. Article 20 1.] | Technical security | Establish/Maintain Documentation | |
Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical security | Technical Security | |
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Communicate | |
Establish, implement, and maintain a system and information integrity policy. CC ID 14034 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1.] | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the system and information integrity policy. CC ID 14151 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the system and information integrity policy. CC ID 14150 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the system and information integrity policy. CC ID 14149 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the system and information integrity policy. CC ID 14148 | Technical security | Establish/Maintain Documentation | |
Include the scope in the system and information integrity policy. CC ID 14147 | Technical security | Establish/Maintain Documentation | |
Include the purpose in the system and information integrity policy. CC ID 14146 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the system and information integrity policy to interested personnel and affected parties. CC ID 14145 | Technical security | Communicate | |
Establish, implement, and maintain system and information integrity procedures. CC ID 14051 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 | Technical security | Communicate | |
Identify and control all network access controls. CC ID 00529 | Technical security | Technical Security | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain network segmentation requirements. CC ID 16380 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the criticality or importance of the function those ICT systems and networks support; Article 13 ¶ 1(a)(i) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: Article 13 ¶ 1(a)] | Technical security | Establish/Maintain Documentation | |
Enforce the network segmentation requirements. CC ID 16381 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the overall risk profile of ICT assets using those ICT systems and networks; Article 13 ¶ 1(a)(iii)] | Technical security | Process or Activity | |
Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 | Technical security | Technical Security | |
Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical security | Technical Security | |
Establish, implement, and maintain a network security policy. CC ID 06440 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: network security; Article 1 ¶ 1(c) Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: ensure the security of networks; Article 2 1(a) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: Article 13 ¶ 1 Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the design of networks in line with the ICT security requirements established by the financial entity, taking into account leading practices to ensure the confidentiality, integrity, and availability of the network; Article 13 ¶ 1(f)] | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the network security policy. CC ID 14203 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Establish/Maintain Documentation | |
Include the scope in the network security policy. CC ID 14201 | Technical security | Establish/Maintain Documentation | |
Include the purpose in the network security policy. CC ID 14200 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Communicate | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Technical security | Communicate | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Establish/Maintain Documentation | |
Maintain up-to-date network diagrams. CC ID 00531 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the performance of reviews of the network architecture and of the network security design once a year, and periodically for microenterprises, to identify potential vulnerabilities; Article 13 ¶ 1(i)] | Technical security | Establish/Maintain Documentation | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Establish/Maintain Documentation | |
Include virtual systems in the network diagram. CC ID 16324 | Technical security | Data and Information Management | |
Include the organization's name in the network diagram. CC ID 14318 | Technical security | Establish/Maintain Documentation | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Establish/Maintain Documentation | |
Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Establish/Maintain Documentation | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the performance of reviews of the network architecture and of the network security design once a year, and periodically for microenterprises, to identify potential vulnerabilities; Article 13 ¶ 1(i)] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Communicate | |
Maintain up-to-date data flow diagrams. CC ID 10059 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the documentation of all of the financial entity's network connections and data flows; Article 13 ¶ 1(b)] | Technical security | Establish/Maintain Documentation | |
Include information flows to third parties in the data flow diagram. CC ID 13185 | Technical security | Establish/Maintain Documentation | |
Document where data at rest and data in transit are encrypted on the data flow diagram. CC ID 16412 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Technical security | Communicate | |
Implement segregation of duties. CC ID 11843 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: specify the segregation of duties arrangements in the context of the three lines of defence model or other internal risk management and control model, as applicable, to avoid conflicts of interest; Article 2 2(g) As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: the segregation of duties designed to prevent unjustified access to critical data or to prevent the allocation of combinations of access rights that may be used to circumvent controls; Article 21 ¶ 1(b) The financial entities referred to in paragraph 1 shall ensure an appropriate segregation and the independence of control functions and internal audit functions. Article 28 4.] | Technical security | Technical Security | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Establish/Maintain Documentation | |
Segregate systems in accordance with organizational standards. CC ID 12546 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the criticality or importance of the function those ICT systems and networks support; Article 13 ¶ 1(a)(i) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: Article 13 ¶ 1(a) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554; Article 13 ¶ 1(a)(ii) Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the segregation and segmentation of ICT systems and networks taking into account: the overall risk profile of ICT assets using those ICT systems and networks; Article 13 ¶ 1(a)(iii)] | Technical security | Technical Security | |
Implement gateways between security domains. CC ID 16493 | Technical security | Systems Design, Build, and Implementation | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the measures to temporarily isolate, where necessary, subnetworks, and network components and devices; Article 13 ¶ 1(j)] | Technical security | Technical Security | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical security | Technical Security | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Technical Security | |
Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical security | Technical Security | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Technical Security | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Technical security | Data and Information Management | |
Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone. CC ID 11998 | Technical security | Technical Security | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical security | Technical Security | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 | Technical security | Data and Information Management | |
Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the securing of network traffic between the internal networks and the internet and other external connections; Article 13 ¶ 1(g) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity's network, and to secure the network traffic between the financial entity's internal networks and the internet and other external connections; Article 35 ¶ 1(c)] | Technical security | Technical Security | |
Configure network access and control points to protect restricted information and restricted functions. CC ID 01284 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the encryption of network connections passing over corporate networks, public networks, domestic networks, third-party networks, and wireless networks, for communication protocols used, taking into account the results of the approved data classification, the results of the ICT risk assessment and the encryption of network connections referred to in Article 6(2); Article 13 ¶ 1(e)] | Technical security | Configuration | |
Protect data stored at external locations. CC ID 16333 | Technical security | Data and Information Management | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Technical Security | |
Filter packets based on IPv6 header fields. CC ID 17048 | Technical security | Technical Security | |
Filter traffic at firewalls based on application layer attributes. CC ID 17054 | Technical security | Technical Security | |
Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity's network, and to secure the network traffic between the financial entity's internal networks and the internet and other external connections; Article 35 ¶ 1(c)] | Technical security | Testing | |
Establish, implement, and maintain information flow procedures. CC ID 04542 [{refrain from disrupting} {without undue delay} Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: guarantee an accurate and prompt data transmission without major disruptions and undue delays. Article 2 1(d)] | Technical security | Establish/Maintain Documentation | |
Review and approve information exchange system connections. CC ID 07143 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the documentation of all of the financial entity's network connections and data flows; Article 13 ¶ 1(b)] | Technical security | Technical Security | |
Establish, implement, and maintain a data loss prevention program. CC ID 13050 | Technical security | Establish/Maintain Documentation | |
Include the data loss prevention strategy as part of the data loss prevention program. CC ID 13051 [In addition to the requirements referred to in paragraph 1, trading venues shall ensure that their ICT business continuity policy ensures that: the maximum amount of data that may be lost from any IT service of the trading venue after a disruptive incident is close to zero. Article 24 4(b)] | Technical security | Establish/Maintain Documentation | |
Enforce privileged and non-privileged accounts for system access. CC ID 00558 [{privileged access} {emergency access} {need-to-use basis} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: account management procedures to grant, change or revoke access rights for user and generic accounts, including generic administrator accounts, including provision on all of the following: assignment of privileged, emergency, and administrator access on a need-to-use or an ad-hoc basis for all ICT systems; Article 21 ¶ 1(e)(ii) For the purposes of point (e)(ii), financial entities shall, where possible, use dedicated accounts for the performance of administrative tasks on ICT systems. Where feasible and appropriate, financial entities shall deploy automated solutions for the privilege access management. Article 21 ¶ 3] | Technical security | Technical Security | |
Control all methods of remote access and teleworking. CC ID 00559 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: the requirement to use a management solution to remotely manage the endpoint devices and remotely wipe the financial entity's data; Article 11 2 ¶ 1(f)(i)] | Technical security | Technical Security | |
Assign virtual escorting to authorized personnel. CC ID 16440 | Technical security | Process or Activity | |
Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 | Technical security | Establish/Maintain Documentation | |
Include information security requirements in the remote access and teleworking program. CC ID 15704 [{personally owned device} The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the implementation of security measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the ICT security of the financial entity; Article 11 2 ¶ 1(j) {employee-owned device} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the financial entity's ability to carry out its critical activities in an adequate, timely, and secure manner. Article 35 ¶ 1(g)] | Technical security | Establish/Maintain Documentation | |
Employ multifactor authentication for remote access to the organization's network. CC ID 12505 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: the use of strong authentication methods in accordance with leading practices and techniques for remote access to the financial entity's network, for privileged access, for access to ICT assets supporting critical or important functions or ICT assets that are publicly accessible; Article 21 ¶ 1(f)(ii) For the purposes of point (d), financial entities shall use strong authentication methods that are based on leading practices for remote access to the financial entities' network, for privileged access, and for access to ICT assets supporting critical or important functions that are publicly available. Article 33 ¶ 3] | Technical security | Technical Security | |
Implement multifactor authentication techniques. CC ID 00561 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: the use of strong authentication methods in accordance with leading practices and techniques for remote access to the financial entity's network, for privileged access, for access to ICT assets supporting critical or important functions or ICT assets that are publicly accessible; Article 21 ¶ 1(f)(ii)] | Technical security | Configuration | |
Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical security | Technical Security | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Technical Security | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Establish/Maintain Documentation | |
Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical security | Technical Security | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [{be resilient} {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 4.] | Technical security | Technical Security | |
Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Business Processes | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 [{mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 criteria for the selection of cryptographic techniques and use practices, taking into account leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and the classification of relevant ICT assets established in accordance with Article 8(1) of Regulation (EU) 2022/2554. Financial entities that are not able to adhere to the leading practices or standards, or to use the most reliable techniques, shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 3. {be resilient} {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 4.] | Technical security | Technical Security | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Data and Information Management | |
Include the expiration date in digital signatures. CC ID 13833 | Technical security | Data and Information Management | |
Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Data and Information Management | |
Include the subject in digital signatures. CC ID 13832 | Technical security | Data and Information Management | |
Include the issuer in digital signatures. CC ID 13831 | Technical security | Data and Information Management | |
Include identifiers in the digital signature. CC ID 13829 | Technical security | Data and Information Management | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: encryption and cryptography; Article 1 ¶ 1(a) As part of their ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on encryption and cryptographic controls. Article 6 1. {encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: Article 6 2 ¶ 1 {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 a requirement to record the adoption of mitigation and monitoring measures adopted in accordance with paragraphs 3 and 4 and to provide a reasoned explanation for doing so. Article 6 2(d) ¶ 5.] | Technical security | Establish/Maintain Documentation | |
Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 [{mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 a requirement to record the adoption of mitigation and monitoring measures adopted in accordance with paragraphs 3 and 4 and to provide a reasoned explanation for doing so. Article 6 5.] | Technical security | Establish/Maintain Documentation | |
Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 [{mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 a requirement to record the adoption of mitigation and monitoring measures adopted in accordance with paragraphs 3 and 4 and to provide a reasoned explanation for doing so. Article 6 5.] | Technical security | Establish/Maintain Documentation | |
Encrypt in scope data or in scope information, as necessary. CC ID 04824 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c) {encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of data in use, where necessary; Article 6 2 ¶ 1(b)] | Technical security | Data and Information Management | |
Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Data and Information Management | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Data and Information Management | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Data and Information Management | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Communicate | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Data and Information Management | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Technical security | Communicate | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: encryption and cryptography; Article 1 ¶ 1(a)] | Technical security | Establish/Maintain Documentation | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Establish Roles | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [{encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the cryptographic key management referred to in Article 7, laying down rules on the correct use, protection, and lifecycle of cryptographic keys. Article 6 2 ¶ 1(d) Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1. {be resilient} {mitigation measure} Financial entities shall include in the policy on encryption and cryptographic controls referred to in paragraph 1 provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis. Those updates or changes shall ensure that the cryptographic technology remains resilient against cyber threats, as required by Article 10(2), point (a). Financial entities that are not able to update or change the cryptographic technology shall adopt mitigation and monitoring measures that ensure resilience against cyber threats. Article 6 4.] | Technical security | Establish/Maintain Documentation | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Establish/Maintain Documentation | |
Include cryptographic key expiration in the cryptographic key management procedures. CC ID 17079 | Technical security | Establish/Maintain Documentation | |
Generate strong cryptographic keys. CC ID 01299 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Data and Information Management | |
Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Technical Security | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Data and Information Management | |
Store cryptographic keys securely. CC ID 01298 [Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment. Article 7 2. Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Data and Information Management | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Establish/Maintain Documentation | |
Notify interested personnel and affected parties upon cryptographic key supersession. CC ID 17084 | Technical security | Communicate | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Data and Information Management | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Technical Security | |
Archive outdated cryptographic keys. CC ID 06884 [Financial entities shall include in the cryptographic key management policy referred to in Article 6(2), point (d), requirements for managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking, and destroying those cryptographic keys. Article 7 1.] | Technical security | Data and Information Management | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Establish Roles | |
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 [Financial entities shall ensure the prompt renewal of certificates in advance of their expiration. Article 7 5.] | Technical security | Establish/Maintain Documentation | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [{encryption policy} {data in transit} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of data at rest and in transit; Article 6 2 ¶ 1(a) The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use; Article 12 2 ¶ 1(d) As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: Article 14 1. As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the availability, authenticity, integrity and confidentiality of data during network transmission, and the establishment of procedures to assess compliance with those requirements; Article 14 1(a) As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: the prevention and detection of data leakages and the secure transfer of information between the financial entity and external parties; Article 14 1(b) Financial entities shall design the policies, procedures, protocols, and tools to protect the information in transit referred to in paragraph 1 on the basis of the results of the approved data classification and of the ICT risk assessment. Article 14 2. {data in transit} {data at rest} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to protect data in use, in transit, and at rest; Article 35 ¶ 1(a) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions; Article 35 ¶ 1(d)] | Technical security | Technical Security | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 [{encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of internal network connections and traffic with external parties; Article 6 2 ¶ 1(c)] | Technical security | Technical Security | |
Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 | Technical security | Technical Security | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 [{encryption policy} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of internal network connections and traffic with external parties; Article 6 2 ¶ 1(c)] | Technical security | Technical Security | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification of security measures against malicious codes; Article 11 2 ¶ 1(d)] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall specify, document, and implement a physical and environmental security policy. Financial entities shall design that policy in light of the cyber threat landscape, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and in light of the overall risk profile of ICT assets and accessible information assets. Article 18 1.] | Physical and environmental protection | Establish/Maintain Documentation | |
Include compliance requirements in the physical and environmental protection policy. CC ID 14174 | Physical and environmental protection | Establish/Maintain Documentation | |
Include coordination amongst entities in the physical and environmental protection policy. CC ID 14173 | Physical and environmental protection | Establish/Maintain Documentation | |
Include management commitment in the physical and environmental protection policy. CC ID 14172 | Physical and environmental protection | Establish/Maintain Documentation | |
Include roles and responsibilities in the physical and environmental protection policy. CC ID 14171 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the scope in the physical and environmental protection policy. CC ID 14170 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the physical and environmental protection policy to interested personnel and affected parties. CC ID 14169 | Physical and environmental protection | Communicate | |
Include the purpose in the physical and environmental protection policy. CC ID 14168 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 [For the purposes of point (b), the measures to protect from environmental threats and hazards shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein. Article 18 2 ¶ 2 The protection from environmental threats and hazards shall be commensurate with the importance of the premises concerned and, where applicable, the data centres and the criticality of the operations or ICT systems located therein. Article 32 3.] | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain physical security procedures. CC ID 13076 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: Article 21 ¶ 1(g) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall identify and implement physical security measures designed on the basis of the threat landscape and in accordance with the classification referred to in Article 30(1) of this Regulation, the overall risk profile of ICT assets, and accessible information assets. Article 32 1.] | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside; Article 18 2 ¶ 1(b) {physical security measures} The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards. Article 32 2.] | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 [{closing procedure} For the purposes of point (a), central counterparties shall complete end of day procedures and payments on the required time and day in all circumstances. Article 24 2 ¶ 2] | Physical and environmental protection | Establish/Maintain Documentation | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Establish/Maintain Documentation | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Behavior | |
Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Establish/Maintain Documentation | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Establish/Maintain Documentation | |
Create security zones in facilities, as necessary. CC ID 16295 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside; Article 18 2 ¶ 1(b)] | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Establish/Maintain Documentation | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Establish/Maintain Documentation | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Communicate | |
Control physical access to (and within) the facility. CC ID 01329 [{critical asset} {ad hoc access} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the granting of physical access rights to critical ICT assets to authorised persons only, in accordance with the need-to-know and least privilege principles, and on an ad-hoc basis; Article 21 ¶ 1(g)(ii)] | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain physical access procedures. CC ID 13629 [{logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: Article 33 ¶ 1] | Physical and environmental protection | Establish/Maintain Documentation | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Physical and Environmental Protection | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the identification and logging of natural persons that are authorised to access premises, data centres, and sensitive designated areas identified by the financial entity where ICT and information assets reside; Article 21 ¶ 1(g)(i) {critical asset} {ad hoc access} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the granting of physical access rights to critical ICT assets to authorised persons only, in accordance with the need-to-know and least privilege principles, and on an ad-hoc basis; Article 21 ¶ 1(g)(ii) {not be necessary} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the review of physical access rights to ensure that unnecessary access rights are promptly revoked. Article 21 ¶ 1(g)(iv) {physical access} For the purposes of point (g)(i), the identification and logging shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein. Article 21 ¶ 4] | Physical and environmental protection | Establish/Maintain Documentation | |
Log the individual's address in the facility access list. CC ID 16921 | Physical and environmental protection | Log Management | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Physical and environmental protection | Log Management | |
Log the organization's name in the facility access list. CC ID 16919 | Physical and environmental protection | Log Management | |
Log the individual's name in the facility access list. CC ID 16918 | Physical and environmental protection | Log Management | |
Log the purpose in the facility access list. CC ID 16982 | Physical and environmental protection | Log Management | |
Log the level of access in the facility access list. CC ID 16975 | Physical and environmental protection | Log Management | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Human Resources Management | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Process or Activity | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Process or Activity | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Establish/Maintain Documentation | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Physical and Environmental Protection | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Human Resources Management | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Physical and Environmental Protection | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Establish/Maintain Documentation | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Business Processes | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Establish/Maintain Documentation | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Physical and Environmental Protection | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Physical and Environmental Protection | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Physical and Environmental Protection | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Human Resources Management | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Physical and environmental protection | Business Processes | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Establish/Maintain Documentation | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Physical and environmental protection | Process or Activity | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Establish/Maintain Documentation | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Physical and Environmental Protection | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside; Article 18 2 ¶ 1(b) {physical security measures} The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards. Article 32 2.] | Physical and environmental protection | Physical and Environmental Protection | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Physical and Environmental Protection | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Communicate | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Physical and environmental protection | Log Management | |
Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Establish/Maintain Documentation | |
Record the date and time of departure in the visitor log. CC ID 16897 | Physical and environmental protection | Log Management | |
Record the type of identification used in the visitor log. CC ID 16916 | Physical and environmental protection | Log Management | |
Establish, implement, and maintain a physical access log. CC ID 12080 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: physical access controls measures including: the identification and logging of natural persons that are authorised to access premises, data centres, and sensitive designated areas identified by the financial entity where ICT and information assets reside; Article 21 ¶ 1(g)(i) {physical access} For the purposes of point (g)(i), the identification and logging shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein. Article 21 ¶ 4] | Physical and environmental protection | Establish/Maintain Documentation | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Include the requestor's name in the physical access log. CC ID 16922 | Physical and environmental protection | Log Management | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [{unattended equipment} For the purposes of point (c), the physical and environmental security policy referred to in paragraph 1 shall contain measures to provide appropriate protection to unattended ICT assets. Article 18 2 ¶ 3] | Physical and environmental protection | Physical and Environmental Protection | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Log Management | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Technical Security | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Establish/Maintain Documentation | |
Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Establish/Maintain Documentation | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Establish/Maintain Documentation | |
Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Establish/Maintain Documentation | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Communicate | |
Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Records Management | |
Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Physical and Environmental Protection | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; Article 8 2 ¶ 1(a)(i) The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the process to securely dispose or decommission of data storage devices present on premises of the financial entity or stored externally containing confidential information; Article 11 2 ¶ 1(h)] | Physical and environmental protection | Establish/Maintain Documentation | |
Obtain management approval prior to decommissioning assets. CC ID 17269 | Physical and environmental protection | Business Processes | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Log Management | |
Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 [{on-site physical control} {off-site physical control} {on-site logical control} {off-site logical control} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets; Article 18 2 ¶ 1(c)] | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 [{on-site physical control} {off-site physical control} {on-site logical control} {off-site logical control} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets; Article 18 2 ¶ 1(c)] | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 [{on-site physical control} {off-site physical control} {on-site logical control} {off-site logical control} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets; Article 18 2 ¶ 1(c)] | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 [{on-site physical control} {off-site physical control} {on-site logical control} {off-site logical control} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets; Article 18 2 ¶ 1(c)] | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity; Article 35 ¶ 1(b)] | Physical and environmental protection | Establish/Maintain Documentation | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Data and Information Management | |
Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Establish/Maintain Documentation | |
Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Physical and environmental protection | Process or Activity | |
Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Physical and environmental protection | Establish/Maintain Documentation | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Business Processes | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Physical and Environmental Protection | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Data and Information Management | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to: for the staff, to return to the financial entity, upon termination of employment, all ICT assets and tangible information assets in their possession that belong to the financial entity. Article 19 ¶ 1(b)(iii)] | Physical and environmental protection | Behavior | |
Establish, implement, and maintain a clean desk policy. CC ID 06534 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: a clear desk policy for papers; Article 18 2 ¶ 1(e)(i)] | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a clear screen policy. CC ID 12436 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: a clear screen policy for information processing facilities. Article 18 2 ¶ 1(e)(ii)] | Physical and environmental protection | Technical Security | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Physical and Environmental Protection | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Physical and Environmental Protection | |
Employ environmental protections. CC ID 12570 [For the purposes of point (b), the measures to protect from environmental threats and hazards shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein. Article 18 2 ¶ 2 {physical security measures} The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards. Article 32 2.] | Physical and environmental protection | Process or Activity | |
Establish, implement, and maintain geomagnetic disturbance operating procedures. CC ID 17158 | Physical and environmental protection | Establish/Maintain Documentation | |
Include coordination amongst entities in the geomagnetic disturbance operating plan. CC ID 17157 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a geomagnetic disturbance operating plan. CC ID 17156 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate space weather information to interested personnel and affected parties. CC ID 17155 | Physical and environmental protection | Communicate | |
Include roles and responsibilities in the geomagnetic disturbance operating procedures. CC ID 17154 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a cold weather preparedness plan. CC ID 17131 | Physical and environmental protection | Establish/Maintain Documentation | |
Include design specifications for applicable assets in the cold weather preparedness plan. CC ID 17144 | Physical and environmental protection | Establish/Maintain Documentation | |
Include limitations in the cold weather preparedness plan. CC ID 17143 | Physical and environmental protection | Establish/Maintain Documentation | |
Include performance data in the cold weather preparedness plan. CC ID 17142 | Physical and environmental protection | Establish/Maintain Documentation | |
Include maintenance requirements in the cold weather preparedness plan. CC ID 17141 | Physical and environmental protection | Establish/Maintain Documentation | |
Include freeze protection measures in the cold weather preparedness plan. CC ID 17140 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 | Physical and environmental protection | Physical and Environmental Protection | |
Alert appropriate personnel when an environmental control alert threshold is exceeded. CC ID 17268 | Physical and environmental protection | Communicate | |
Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a business continuity policy. CC ID 12405 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the business continuity policy. CC ID 17203 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available; Article 24 1(b)(i)] | Operational and Systems Continuity | Systems Continuity | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 [In addition to the requirements referred to in paragraph 1, central securities depositories shall ensure that their ICT business continuity policy: takes into account any links and interdependencies to users, critical utilities and critical service providers, other central securities depositories and other market infrastructures; Article 24 3(a)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the scope in the business continuity policy. CC ID 14231 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the scope of the ICT business continuity arrangements, plans, procedures, and mechanisms, including limitations and exclusions; Article 24 1(a)(ii) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the timeframe to be covered by the ICT business continuity arrangements, plans, procedures, and mechanisms; Article 24 1(a)(iii)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 [The testing of business continuity plans referred to in paragraph 1 shall demonstrate that the financial entities referred to in that paragraph are able to sustain the viability of their businesses until critical operations are re-established and identify any deficiencies in those plans. Article 40 2.] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: Article 25 2 ¶ 1 {continuity test} For the purposes of point (c), the testing shall verify whether at least critical or important functions can be operated appropriately for a sufficient period of time, and whether the normal functioning may be restored. Article 25 2 ¶ 4] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the scope of the ICT business continuity arrangements, plans, procedures, and mechanisms, including limitations and exclusions; Article 24 1(a)(ii)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Records Management | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 [{political issue} {social issue} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: political and social instability, including, where relevant, in the ICT third-party service provider's jurisdiction and the location where the data are stored and processed; Article 26 2(h)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include a pandemic plan in the continuity plan. CC ID 06800 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: impact of climate change and environment degradation related events, natural disasters, pandemics, and physical attacks, including intrusions and terrorist attacks; Article 26 2(f)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available; Article 24 1(b)(i) {response measure} {recovery measure} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554; Article 28 2(d)(ii)] | Operational and Systems Continuity | Establish Roles | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following: Article 24 1(b)(ii)] | Operational and Systems Continuity | Systems Continuity | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 [The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions. Article 31 3.] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{response measure} {recovery measure} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554; Article 28 2(d)(ii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop their ICT business continuity plans considering the results of the analysis of their exposures to and potential impact of severe business disruptions and scenarios to which their ICT assets supporting critical or important functions might be exposed, including a cyber-attack scenario. Article 39 1. The ICT business continuity plans referred to in paragraph 1 shall: be approved by the management body of the financial entity; Article 39 2 ¶ 1(a) {be readily accessible} The ICT business continuity plans referred to in paragraph 1 shall: be documented and readily accessible in the event of an emergency or crisis; Article 39 2 ¶ 1(b) The ICT business continuity plans referred to in paragraph 1 shall: be updated in line with lessons learned from incidents, tests, new risks, and threats identified, changed recovery objectives, major changes to the financial entity's organisation, and to the ICT assets supporting critical or business functions. Article 39 2 ¶ 1(j)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Communicate | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available; Article 24 1(b)(i)] | Operational and Systems Continuity | Human Resources Management | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: allocates and reviews at least once a year the budget necessary to fulfil the financial entity's digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff; Article 28 2(e) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the governance and organisation to implement the ICT business continuity policy, including roles, responsibilities and escalation procedures ensuring that sufficient resources are available; Article 24 1(b)(i) The ICT business continuity plans referred to in paragraph 1 shall: allocate sufficient resources for their execution; Article 39 2 ¶ 1(c)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 [{continuity arrangement} For the purposes of point (c)(i), arrangements referred to in that point shall address the availability of adequate human resources, the maximum downtime of critical functions, and fail over and recovery to a secondary site. Article 24 2 ¶ 3 {be unavailable} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: the non-availability of a critical number of staff or staff members in charge of guaranteeing the continuity of operations; Article 26 2(e)] | Operational and Systems Continuity | Human Resources Management | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Systems Continuity | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Configuration | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include tolerance levels in the continuity plan. CC ID 17305 | Operational and Systems Continuity | Systems Continuity | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [{disseminate and communicate} {response plan} {recovery plan} For the purposes of point (d), financial entities shall clearly specify roles and responsibilities. Article 26 1 ¶ 2] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [{response plan} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: Article 26 2. The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups, and redundant facilities; Article 26 2(a) The ICT business continuity plans referred to in paragraph 1 shall: be updated in line with lessons learned from incidents, tests, new risks, and threats identified, changed recovery objectives, major changes to the financial entity's organisation, and to the ICT assets supporting critical or business functions. Article 39 2 ¶ 1(j)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Process or Activity | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Process or Activity | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following: potential failure scenarios, including the scenarios referred to in Article 26(2) of this Regulation; Article 24 1(b)(ii)(1) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: provide for both short-term and long-term recovery options, including partial systems recovery; Article 26 1 ¶ 1(e) {response plan} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: Article 26 2. The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups, and redundant facilities; Article 26 2(a) Where the primary recovery measures may not be feasible in the short term because of costs, risks, logistics, or unforeseen circumstances, the ICT response and recovery plans referred to in paragraph 1 shall consider alternative options. Article 26 3. The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails, and duly consider the potential impact of the insolvency, or other failures, of any relevant ICT third-party service provider; Article 26 2(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop their ICT business continuity plans considering the results of the analysis of their exposures to and potential impact of severe business disruptions and scenarios to which their ICT assets supporting critical or important functions might be exposed, including a cyber-attack scenario. Article 39 1. The ICT business continuity plans referred to in paragraph 1 shall: consider alternative options where recovery may not be feasible in the short term because of costs, risks, logistics, or unforeseen circumstances; Article 39 2¶ 1(h)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Establish Roles | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Communicate | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the ICT business continuity requirements, including recovery time objectives and recovery point objectives; Article 4 2(b)(vi)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [{response plan} Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development, testing and review of ICT response and recovery plans, in accordance with Articles 25 and 26 of this Regulation; Article 24 1(b)(iv) {response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d) {response plan} {success} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: lay down the objectives of ICT response and recovery plans and the conditions to declare a successful execution of those plans. Article 26 1 ¶ 1(f)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the criteria for activation in the recovery plan. CC ID 13293 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the criteria to activate and deactivate ICT business continuity plans, ICT response and recovery plans, and crisis communications plans; Article 24 1(a)(iv) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: specify the conditions prompting their activation or deactivation, and any exceptions for such activation or deactivation; Article 26 1 ¶ 1(a) {detection process} {incident response process} Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554: indications that malicious activity may have been carried out in an ICT system or network, or that such ICT system or network may have been compromised; Article 23 5(a) {detection process} {incident response process} Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554: adverse impact detected on financial entity's transactions and operations; Article 23 5(c) {detection process} {incident response process} Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554: data losses detected in relation to the availability, authenticity, integrity, and confidentiality of data; Article 23 5(b) {detection process} {incident response process} Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554: ICT systems' and network unavailability. Article 23 5(d) {trigger} {detection process} {incident response process} For the purposes of paragraph 5, financial entities shall also consider the criticality of the services affected. Article 23 6.] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 [{response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d)] | Operational and Systems Continuity | Communicate | |
Include restoration procedures in the continuity plan. CC ID 01169 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: backup and restore requirements of ICT systems; Article 8 2 ¶ 1(b)(i) {restoration measure} The ICT business continuity plans referred to in paragraph 1 shall: identify the restoration and recovery measures for critical or important business functions, supporting processes, information assets, and their interdependencies to avoid adverse effects on the functioning of the financial entities; Article 39 2¶ 1(f)] | Operational and Systems Continuity | Establish Roles | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development of ICT business continuity plans for severe business disruptions as part of those plans, and the prioritisation of ICT business continuity actions using a risk-based approach; Article 24 1(b)(iii)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the recovery plan in the continuity plan. CC ID 01377 [When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity; Article 26 1 ¶ 1(b) {restoration measure} The ICT business continuity plans referred to in paragraph 1 shall: identify the restoration and recovery measures for critical or important business functions, supporting processes, information assets, and their interdependencies to avoid adverse effects on the functioning of the financial entities; Article 39 2¶ 1(f)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Operational and Systems Continuity | Communicate | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: substantial failure of ICT assets or of the communication infrastructure; Article 26 2(d) The ICT business continuity plans referred to in paragraph 1 shall: identify the conditions that may prompt the activation of the ICT business continuity plans and what actions are to be taken to ensure the availability, continuity, and recovery of the financial entities' ICT assets supporting critical or important functions; Article 39 2¶ 1(e)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include emergency operating procedures in the continuity plan. CC ID 11694 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include outages in the emergency operating procedures. CC ID 17129 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the development of ICT business continuity plans for severe business disruptions as part of those plans, and the prioritisation of ICT business continuity actions using a risk-based approach; Article 24 1(b)(iii) {widespread interruption} The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: widespread power outages. Article 26 2(i)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the ICT business continuity requirements, including recovery time objectives and recovery point objectives; Article 4 2(b)(vi) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity; Article 26 1 ¶ 1(b) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be designed to meet the recovery objectives of the operations of the financial entities; Article 26 1 ¶ 1(c) {recovery time objective} {recovery point objective} The ICT business continuity plans referred to in paragraph 1 shall: establish planned recovery levels and timeframes for the recovery and resumption of functions and key internal and external dependencies, including ICT third-party service providers; Article 39 2¶ 1(d)] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the ICT business continuity requirements, including recovery time objectives and recovery point objectives; Article 4 2(b)(vi) {recovery time objective} In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: contains a maximum recovery time for their critical functions that is not longer than 2 hours; Article 24 2 ¶ 1(a) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following: recovery objectives, specifying that the financial entity shall be able to recover the operations of its critical or important functions after disruptions within a recovery time objective and a recovery point objective; Article 24 1(b)(ii)(2) In addition to the requirements referred to in paragraph 1, central securities depositories shall ensure that their ICT business continuity policy: requires its ICT business continuity arrangements to ensure that the recovery time objective for their critical or important functions shall not be longer than 2 hours. Article 24 3(b) In addition to the requirements referred to in paragraph 1, trading venues shall ensure that their ICT business continuity policy ensures that: trading can be resumed within or close to 2 hours of a disruptive incident; Article 24 4(a) {recovery time objective} {recovery point objective} The ICT business continuity plans referred to in paragraph 1 shall: establish planned recovery levels and timeframes for the recovery and resumption of functions and key internal and external dependencies, including ICT third-party service providers; Article 39 2¶ 1(d)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 [In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: requires that arrangements are in place to: ensure the continuity of critical or important functions of the central counterparty based on disaster scenarios; Article 24 2 ¶ 1(c)(i)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include telecommunications continuity procedures in the continuity plan. CC ID 11691 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: substantial failure of ICT assets or of the communication infrastructure; Article 26 2(d)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 [{geographical risk factor} For the purposes of point (c)(ii), the secondary processing site referred to in that point shall have a geographical risk profile which is distinct from that of the primary site. Article 24 2 ¶ 4] | Operational and Systems Continuity | Physical and Environmental Protection | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include naming conventions in the backup policy. CC ID 16218 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: backup and restore requirements of ICT systems; Article 8 2 ¶ 1(b)(i) The ICT business continuity plans referred to in paragraph 1 shall: identify backup procedures and measures that specify the scope of the data that are subject to the backup, and the minimum frequency of the backup, based on the criticality of the function using those data; Article 39 2¶ 1(g)] | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 | Operational and Systems Continuity | Communicate | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Systems Continuity | |
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 [{response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d)] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Data and Information Management | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Data and Information Management | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Data and Information Management | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Data and Information Management | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: a description of: the criteria to activate and deactivate ICT business continuity plans, ICT response and recovery plans, and crisis communications plans; Article 24 1(a)(iv) Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment of the ICT business continuity policy to: the communication policy referred to in Article 14(2) of Regulation (EU) 2022/2554; Article 24 1(b)(vi)(1) {communication protocol} {incident communication protocol} Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment of the ICT business continuity policy to: the communication and crisis communication actions referred to in Article 11(2), point (e), of Regulation (EU) 2022/2554. Article 24 1(b)(vi)(2) {communication protocol} The ICT business continuity plans referred to in paragraph 1 shall: specify the internal and external communication arrangements, including escalation plans; Article 39 2¶ 1(i)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 [{be readily accessible} The ICT business continuity plans referred to in paragraph 1 shall: be documented and readily accessible in the event of an emergency or crisis; Article 39 2¶ 1(b)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 [{backup site} In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: requires that arrangements are in place to: maintain or have immediate access to a secondary business site, to allow staff to ensure continuity of the service if the primary location of business is not available; Article 24 2 ¶ 1(c)(iii) {continuity arrangement} For the purposes of point (c)(i), arrangements referred to in that point shall address the availability of adequate human resources, the maximum downtime of critical functions, and fail over and recovery to a secondary site. Article 24 2 ¶ 3 The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: partial or total failure of premises, including office and business premises, and data centres; Article 26 2(c)] | Operational and Systems Continuity | Systems Continuity | |
Include alert processes in Service Level Agreements for alternate facilities. CC ID 17127 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include monitoring and logging processes in Service Level Agreements for alternate facilities. CC ID 17126 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include recovery time in Service Level Agreements for all alternate facilities. CC ID 16331 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include priority-of-service provisions in Service Level Agreements for all alternate facilities. CC ID 16330 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include backup media transportation in Service Level Agreements for alternate facilities. CC ID 16329 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include transportation services in Service Level Agreements for alternate facilities. CC ID 16328 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395 [{backup site} {be identical} In addition to the requirements referred to in paragraph 1, central counterparties shall ensure that their ICT business continuity policy: requires that arrangements are in place to: maintain a secondary processing site capable of ensuring continuity of critical or important functions of the central counterparty identical to the primary site; Article 24 2 ¶ 1(c)(ii)] | Operational and Systems Continuity | Configuration | |
Establish, implement, and maintain logical access controls at alternate facilities. CC ID 13227 | Operational and Systems Continuity | Technical Security | |
Establish, implement, and maintain physical access controls for alternate facilities. CC ID 13226 | Operational and Systems Continuity | Physical and Environmental Protection | |
Establish, implement, and maintain physical security controls at the alternate facility. CC ID 17125 | Operational and Systems Continuity | Physical and Environmental Protection | |
Notify the primary facilities of any changes at the alternate facilities that could affect the continuity plan. CC ID 13225 | Operational and Systems Continuity | Communicate | |
Train personnel on the continuity plan. CC ID 00759 [{ICT third-party service provider} {assets} {digital operational resilience} For the purposes of point (k), financial entities shall consider the following: the need to ensure and maintain adequate competences within the financial entity in the management and security of the service used; Article 11 2 ¶ 3(c)] | Operational and Systems Continuity | Behavior | |
Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 | Operational and Systems Continuity | Training | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Operational and Systems Continuity | Training | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Operational and Systems Continuity | Training | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Operational and Systems Continuity | Training | |
Include personal protection in continuity plan training. CC ID 14394 | Operational and Systems Continuity | Training | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Testing | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include recovery procedures in the continuity test plan. CC ID 14876 [Financial entities shall include in their ICT business continuity policy referred to in Article 11(1) of Regulation (EU) 2022/2554 all of the following: provisions on: the alignment between the ICT business continuity plans and the overall business continuity plans, concerning at least all of the following: recovery objectives, specifying that the financial entity shall be able to recover the operations of its critical or important functions after disruptions within a recovery time objective and a recovery point objective; Article 24 1(b)(ii)(2) {redundant infrastructure} Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: for financial entities, other than microenterprises, as referred to in Article 11(6), second subparagraph, of Regulation (EU) 2022/2554, contain scenarios of switchover from primary ICT infrastructure to the redundant capacity, backups and redundant facilities; Article 25 2 ¶ 1(c) {continuity test} For the purposes of point (c), the testing shall verify whether at least critical or important functions can be operated appropriately for a sufficient period of time, and whether the normal functioning may be restored. Article 25 2 ¶ 4] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans; Article 25 2 ¶ 1(d)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test scenarios in the continuity test plan. CC ID 13506 [For the purposes of point (a), financial entities shall always include in the testing the scenarios considered for the development of the business continuity plans. Article 25 2 ¶ 2 {continuity test} For the purposes of point (b), financial entities shall duly consider scenarios linked to insolvency or failures of the ICT third-party service providers or linked to political risks in the ICT third-party service providers' jurisdictions, where relevant. Article 25 2 ¶ 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the risk assessment results in the continuity test plan. CC ID 17205 [When testing the ICT business continuity plans in accordance with Article 11(6), of Regulation (EU) 2022/2554, financial entities shall take into account the financial entity's business impact analysis (BIA) and the ICT risk assessment referred to in Article 3(1), point (b), of this Regulation. Article 25 1.] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the business impact analysis test results in the continuity test plan. CC ID 17204 [When testing the ICT business continuity plans in accordance with Article 11(6), of Regulation (EU) 2022/2554, financial entities shall take into account the financial entity's business impact analysis (BIA) and the ICT risk assessment referred to in Article 3(1), point (b), of this Regulation. Article 25 1.] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: be designed to challenge the assumptions on which the business continuity plans are based, including governance arrangements and crisis communication plans; Article 25 2 ¶ 1(d)] | Operational and Systems Continuity | Testing | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [Financial entities shall assess through the testing of their ICT business continuity plans referred to in paragraph 1 whether they are able to ensure the continuity of the financial entity's critical or important functions. That testing shall: contain the testing of ICT services provided by ICT third-party service providers, where applicable; Article 25 2 ¶ 1(b)] | Operational and Systems Continuity | Testing | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: critical utilities and critical service providers; Article 25 4(b) In addition to the requirements referred to in paragraph 2, central counterparties shall involve in the testing of their ICT business continuity plans referred to in paragraph 1: clearing members; Article 25 3(a) In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: users of the central securities depositories; Article 25 4(a) In addition to the requirements referred to in paragraph 2, central counterparties shall involve in the testing of their ICT business continuity plans referred to in paragraph 1: external providers; Article 25 3(b) In addition to the requirements referred to in paragraph 2, central counterparties shall involve in the testing of their ICT business continuity plans referred to in paragraph 1: relevant institutions in the financial infrastructure with which central counterparties have identified interdependencies in their business continuity policies. Article 25 3(c) In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: other central securities depositories; Article 25 4(c) In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: other market infrastructures; Article 25 4(d) In addition to the requirements referred to in paragraph 2, central securities depositories shall involve in the testing of their ICT business continuity plans referred to in paragraph 1, as appropriate: any other institutions with which central securities depositories have identified interdependencies in their business continuity policy. Article 25 4(e)] | Operational and Systems Continuity | Testing | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [{continuity plan test} Financial entities shall document the results of the testing referred to in paragraph 1. Any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body. Article 25 5. The financial entities referred to in paragraph 1 shall document the results of the testing of business continuity plans and any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body. Article 40 3.] | Operational and Systems Continuity | Actionable Reports or Measurements | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 [The financial entities referred to in paragraph 1 shall document the results of the testing of business continuity plans and any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body. Article 40 3. {continuity plan test} Financial entities shall document the results of the testing referred to in paragraph 1. Any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body. Article 25 5.] | Operational and Systems Continuity | Testing | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Operational and Systems Continuity | Communicate | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Human Resources management | Establish Roles | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies; Article 28 2(d)(i)] | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for network management. CC ID 13128 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the identification of the roles and responsibilities and steps for the specification, implementation, approval, change, and review of firewall rules and connections filters; Article 13 ¶ 1(h)] | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): the assignment of roles and responsibilities regarding: the acceptance of the residual ICT risks that exceed the financial entity's risk tolerance level referred to in point (a); Article 3 ¶ 1(d)(ii)(1) {residual risk} Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: for the residual ICT risks that are still present following the implementation of the ICT risk treatment measures referred to in point (c): the assignment of roles and responsibilities regarding: for the review process referred to in point (iv) of this point (d); Article 3 ¶ 1(d)(ii)(2) The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: bears the overall responsibility for ensuring that the simplified ICT risk management framework allows for the achievement of the financial entity's business strategy in accordance with the risk appetite of that financial entity, and ensures that ICT risk is considered in that context; Article 28 2(a) The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: sets clear roles and responsibilities for all ICT-related tasks; Article 28 2(b)] | Human Resources management | Human Resources Management | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Human Resources Management | |
Assign the roles and responsibilities for the change control program. CC ID 13118 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: Article 17 1(c) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the identification of fall-back procedures and responsibilities, including procedures and responsibilities for aborting changes or recovering from changes not successfully implemented; Article 17 1(e)] | Human Resources management | Human Resources Management | |
Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Behavior | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness program. CC ID 11746 [The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: allocates and reviews at least once a year the budget necessary to fulfil the financial entity's digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff; Article 28 2(e)] | Human Resources management | Establish/Maintain Documentation | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Training | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 [Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to: be informed about, and adhere to, the financial entity's ICT security policies, procedures, and protocols; Article 19 ¶ 1(b)(i)] | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 [Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to: be informed about, and adhere to, the financial entity's ICT security policies, procedures, and protocols; Article 19 ¶ 1(b)(i)] | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Training | |
Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Training | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
Include data management in the security awareness program. CC ID 17010 | Human Resources management | Training | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Training | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Training | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Training | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: requirements for staff of the financial entity and of the ICT third-party service providers using or accessing ICT assets of the financial entity to: be aware of the reporting channels put in place by the financial entity for the detection of anomalous behaviour, including, where applicable, the reporting channels established in line with Directive (EU) 2019/1937 of the European Parliament and of the Council (11); Article 19 ¶ 1(b)(ii)] | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
Establish, implement, and maintain an insider threat program. CC ID 10687 [The ICT response and recovery plans referred to in paragraph 1 shall identify relevant scenarios, including scenarios of severe business disruptions and increased likelihood of occurrence of disruption. Those plans shall develop scenarios based on current information on threats and on lessons learned from previous occurrences of business disruptions. Financial entities shall duly take into account all of the following scenarios: insider attacks; Article 26 2(g)] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 [{capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the identification of capacity requirements of their ICT systems; Article 9 1(a) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify capacity requirements of their ICT assets and measures to maintain and improve the availability and efficiency of ICT systems and prevent ICT capacity shortages before they materialise; Article 34 ¶ 1(c)] | Operational management | Establish/Maintain Documentation | |
Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify capacity requirements of their ICT assets and measures to maintain and improve the availability and efficiency of ICT systems and prevent ICT capacity shortages before they materialise; Article 34 ¶ 1(c)] | Operational management | Business Processes | |
Establish, implement, and maintain workload forecasting tools. CC ID 00936 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [{governance, risk, and compliance framework} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk to achieve a high level of digital operational resilience. Article 28 1.] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Establish/Maintain Documentation | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Establish/Maintain Documentation | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Communicate | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Establish/Maintain Documentation | |
Conduct governance meetings, as necessary. CC ID 16946 | Operational management | Process or Activity | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Communicate | |
Include governance threshold requirements in the governance policy. CC ID 16933 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: Article 8 2 ¶ 1(b)] | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
Include cloud services in the internal control framework. CC ID 17262 | Operational management | Establish/Maintain Documentation | |
Include cloud security controls in the internal control framework. CC ID 17264 | Operational management | Establish/Maintain Documentation | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 [The financial entities referred to in paragraph 1 shall set out alert thresholds and criteria to trigger and initiate ICT-related incident response processes. Article 31 4.] | Operational management | Establish/Maintain Documentation | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Process or Activity | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Operational management | Establish/Maintain Documentation | |
Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Operational management | Establish/Maintain Documentation | |
Include protection measures in the cybersecurity framework. CC ID 17278 | Operational management | Establish/Maintain Documentation | |
Include the scope in the cybersecurity framework. CC ID 17277 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Communicate | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: Article 2 1. The ICT security measures shall include all of the measures referred to in Articles 30 to 38. Article 29 2 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Include system development in the information security program. CC ID 12389 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: identify security practices and methodologies relating to the acquisition, development, and maintenance of ICT systems; Article 16 1(a)] | Operational management | Establish/Maintain Documentation | |
Include system maintenance in the information security program. CC ID 12388 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: identify security practices and methodologies relating to the acquisition, development, and maintenance of ICT systems; Article 16 1(a) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii)] | Operational management | Establish/Maintain Documentation | |
Include system acquisition in the information security program. CC ID 12387 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: identify security practices and methodologies relating to the acquisition, development, and maintenance of ICT systems; Article 16 1(a)] | Operational management | Establish/Maintain Documentation | |
Include access control in the information security program. CC ID 12386 [{access rights} The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: a reference to the section of the policy on control of access management rights referred to in Article 21, first paragraph, point (g); Article 18 2 ¶ 1(a)] | Operational management | Establish/Maintain Documentation | |
Include operations management in the information security program. CC ID 12385 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT operations security; Article 1 ¶ 1(b)] | Operational management | Establish/Maintain Documentation | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Communicate | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Communicate | |
Include risk management in the information security program. CC ID 12378 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT operations security; Article 1 ¶ 1(b) When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity's activities. Article 1 ¶ 1(e) Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: Article 2 1. When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: Article 1 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Monitor and review the effectiveness of the information security program. CC ID 12744 [{assess} The financial entities referred to in paragraph 1 shall review, asses and test ICT security measures, taking into consideration the overall risk profile of the ICT assets of the financial entity. Article 36 2.] | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: consider leading practices and, where applicable, standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012; Article 2 2(h) Financial entities shall ensure that the ICT security policies referred to in paragraph 1: take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations. Article 2 2(k) Financial entities shall ensure that the ICT security policies referred to in paragraph 1: are reviewed in accordance with Article 6(5) of Regulation (EU) 2022/2554; Article 2 2(j) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1.] | Operational management | Establish/Maintain Documentation | |
Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Establish/Maintain Documentation | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: specify the responsibilities of staff at all levels to ensure the financial entity's ICT security; Article 2 2(d) {digital operational resilience} For the purposes of point (k), financial entities shall consider the following: a clear allocation of information security roles and responsibilities between the financial entity and the ICT third-party service provider, in accordance with the principle of full responsibility of the financial entity over its ICT third-party service provider referred to in Article 28(1), point (a), of Regulation (EU) 2022/2554, and for financial entities referred to in Article 28(2) of that Regulation, and in accordance with the financial entity's policy on the use of ICT services supporting critical or important functions; Article 11 2 ¶ 3(b) Financial entities shall include in their human resource policy or other relevant policies all of the following ICT security related elements: the identification and assignment of any specific ICT security responsibilities; Article 19 ¶ 1(a)] | Operational management | Establish/Maintain Documentation | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations. Article 2 2(k)] | Operational management | Establish/Maintain Documentation | |
Include information security objectives in the information security policy. CC ID 13493 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: are aligned to the financial entity's information security objectives included in the digital operational resilience strategy referred to in Article 6(8) of Regulation (EU) 2022/2554; Article 2 2(a) The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: sets out information security objectives and ICT requirements; Article 28 2(c)] | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain information security procedures. CC ID 12006 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a data and system security procedure. Article 11 1.] | Operational management | Business Processes | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [Financial entities shall ensure that the ICT security policies referred to in paragraph 1: identify the roles and responsibilities for the development, implementation and maintenance of ICT security policies, procedures, protocols, and tools; Article 2 2(i)] | Operational management | Human Resources Management | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Communicate | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Communicate | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations. Article 8 1.] | Operational management | Establish/Maintain Documentation | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Establish/Maintain Documentation | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Establish/Maintain Documentation | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Communicate | |
Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Communicate | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Establish/Maintain Documentation | |
Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Establish/Maintain Documentation | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Process or Activity | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Process or Activity | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Establish/Maintain Documentation | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Communicate | |
Include continuous monitoring in the operational control procedures. CC ID 17137 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: Article 8 2 ¶ 1(b)] | Operational management | Establish/Maintain Documentation | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Communicate | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Establish/Maintain Documentation | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Business Processes | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Process or Activity | |
Coordinate outages with affected parties. CC ID 17160 | Operational management | Process or Activity | |
Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Process or Activity | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Process or Activity | |
Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Process or Activity | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 | Operational management | Establish/Maintain Documentation | |
Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Process or Activity | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Business Processes | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Operational management | Communicate | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Communicate | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement policies and procedures to manage the ICT operations. Those policies and procedures shall specify how financial entities operate, monitor, control, and restore their ICT assets, including the documentation of ICT operations. Article 8 1.] | Operational management | Establish/Maintain Documentation | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Establish/Maintain Documentation | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: scheduling requirements, taking into consideration interdependencies among the ICT systems; Article 8 2 ¶ 1(b)(ii)] | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 [{personally owned device} The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the implementation of security measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the ICT security of the financial entity; Article 11 2 ¶ 1(j) {employee-owned device} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the financial entity's ability to carry out its critical activities in an adequate, timely, and secure manner. Article 35 ¶ 1(g)] | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding the management of information assets used by ICT assets, including their processing and handling, both automated and manual; Article 8 2 ¶ 1(a)(ii)] | Operational management | Establish/Maintain Documentation | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 [{residual risk} The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: the requirement to use removable data storage devices only where the residual ICT risk remains within the financial entity's risk tolerance level referred to in Article 3, first subparagraph, point (a); Article 11 2 ¶ 1(f)(iii)] | Operational management | Data and Information Management | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification of security measures to ensure that only authorised data storage media, systems, and endpoint devices are used to transfer and store data of the financial entity; Article 11 2 ¶ 1(e)] | Operational management | Establish/Maintain Documentation | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Establish/Maintain Documentation | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Establish/Maintain Documentation | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Communicate | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Business Processes | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Data and Information Management | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Establish/Maintain Documentation | |
Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Establish/Maintain Documentation | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Establish/Maintain Documentation | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Establish/Maintain Documentation | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Establish/Maintain Documentation | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Communicate | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [{nondisclosure agreement} As part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit. Financial entities shall in particular ensure all of the following: that requirements on confidentiality or non-disclosure arrangements reflecting the financial entity's needs for the protection of information for both the staff of the financial entity and of third parties are implemented, documented, and regularly reviewed. Article 14 1(c)] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
Review systems for compliance with organizational information security policies. CC ID 12004 [{assess} The financial entities referred to in paragraph 1 shall review, asses and test ICT security measures, taking into consideration the overall risk profile of the ICT assets of the financial entity. Article 36 2.] | Operational management | Business Processes | |
Establish, implement, and maintain system administration procedures. CC ID 16481 [For the purposes of point (e)(ii), financial entities shall, where possible, use dedicated accounts for the performance of administrative tasks on ICT systems. Where feasible and appropriate, financial entities shall deploy automated solutions for the privilege access management. Article 21 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Business Processes | |
Establish, implement, and maintain an asset management policy. CC ID 15219 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement a policy on management of ICT assets. Article 4 1.] | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Business Processes | |
Establish, implement, and maintain asset management procedures. CC ID 16748 [Financial entities shall develop, document, and implement a procedure for the management of ICT assets. Article 5 1. The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding the management of information assets used by ICT assets, including their processing and handling, both automated and manual; Article 8 2 ¶ 1(a)(ii) {legacy system} The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding the identification and control of legacy ICT systems; Article 8 2 ¶ 1(a)(iii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: monitor and manage the lifecycle of all ICT assets; Article 34 ¶ 1(a)] | Operational management | Establish/Maintain Documentation | |
Include installation requirements in the asset management program. CC ID 17195 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; Article 8 2 ¶ 1(a)(i)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 [As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed. Article 30 1. The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the classification of information assets of the financial entity as referred to in Article 30(1) of this Regulation, the list of main risks identified, and the business impact analysis and related policies; Article 28 2(d)(i)] | Operational management | Establish/Maintain Documentation | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Systems Design, Build, and Implementation | |
Define confidentiality controls. CC ID 01908 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c) The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance; Article 18 2 ¶ 1(d) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1 The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions; Article 35 ¶ 1(d)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Establish/Maintain Documentation | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 [{continuity arrangement} For the purposes of point (c)(i), arrangements referred to in that point shall address the availability of adequate human resources, the maximum downtime of critical functions, and fail over and recovery to a secondary site. Article 24 2 ¶ 3] | Operational management | Process or Activity | |
Define integrity controls. CC ID 01909 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c) The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance; Article 18 2 ¶ 1(d) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity; Article 26 1 ¶ 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Define availability controls. CC ID 01911 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques; Article 2 1(c) The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance; Article 18 2 ¶ 1(d) {capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the monitoring procedures for maintaining and improving: the availability of data and ICT systems; Article 9 1(c)(i) When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: describe what actions are to be taken to ensure the availability, integrity, continuity, and recovery of at least ICT systems and services supporting critical or important functions of the financial entity; Article 26 1 ¶ 1(b)] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Communicate | |
Classify assets according to the Asset Classification Policy. CC ID 07186 [As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed. Article 30 1. The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the classification of all ICT assets, as referred to in Article 8(1) of Regulation (EU) 2022/2554; Article 4 2(b)(iii)] | Operational management | Establish Roles | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Business Processes | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 [Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure, and modification. Financial entities shall design those controls on the basis of the results of the approved data classification and the ICT risk assessment. Article 7 2. The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: identifies and implements procedures, ICT protocols, and tools that are necessary to protect all information assets and ICT assets; Article 28 2(g) {unsupported asset} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: manage the risks related to outdated, unsupported, or legacy ICT assets; Article 34 ¶ 1(e)] | Operational management | Establish Roles | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [{storage device} {critical function} {keep up to date} Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date. Article 7 4.] | Operational management | Business Processes | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: Article 8 2 ¶ 1(a)] | Operational management | Establish/Maintain Documentation | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 [{storage device} {critical function} {keep up to date} Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date. Article 7 4.] | Operational management | Establish/Maintain Documentation | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Technical Security | |
Record a unique name for each asset in the asset inventory. CC ID 16305 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the unique identifier of each ICT asset; Article 4 2(b)(i)] | Operational management | Data and Information Management | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Establish/Maintain Documentation | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Data and Information Management | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Data and Information Management | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Establish/Maintain Documentation | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Records Management | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Establish/Maintain Documentation | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Establish/Maintain Documentation | |
Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the links and interdependencies among ICT assets and the business functions using each ICT asset; Article 4 2(b)(viii)] | Operational management | Data and Information Management | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Establish/Maintain Documentation | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Establish/Maintain Documentation | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Establish/Maintain Documentation | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Establish/Maintain Documentation | |
Tag unsupported assets in the asset inventory. CC ID 13723 [{legacy system} The policy on management of ICT assets referred to in paragraph 1 shall: for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in Article 8(7) of Regulation (EU) 2022/2554. Article 4 2(c)] | Operational management | Establish/Maintain Documentation | |
Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: where applicable, for all ICT assets, the end dates of the ICT third-party service provider's regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider; Article 4 2(b)(ix)] | Operational management | Data and Information Management | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Establish/Maintain Documentation | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Establish/Maintain Documentation | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Establish/Maintain Documentation | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Establish/Maintain Documentation | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Data and Information Management | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Establish/Maintain Documentation | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the business functions or services supported by the ICT asset; Article 4 2(b)(v)] | Operational management | Establish/Maintain Documentation | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 [{storage device} {critical function} {keep up to date} Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions. Financial entities shall keep that register up to date. Article 7 4.] | Operational management | Data and Information Management | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Data and Information Management | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: the identity of ICT asset owners; Article 4 2(b)(iv)] | Operational management | Establish/Maintain Documentation | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity; Article 35 ¶ 1(b)] | Operational management | Establish/Maintain Documentation | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Technical Security | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: a process to securely dispose of, or decommission, data storage devices on premises, or data storage devices that are stored externally, that contain confidential information; Article 35 ¶ 1(f)] | Operational management | Data and Information Management | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity's ICT systems. Article 15 2.] | Operational management | Establish/Maintain Documentation | |
Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Operational management | Maintenance | |
Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Operational management | Maintenance | |
Include roles and responsibilities in the maintenance report. CC ID 17086 | Operational management | Maintenance | |
Include the date and time of maintenance in the maintenance report. CC ID 17085 | Operational management | Maintenance | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: Article 16 1.] | Operational management | Establish/Maintain Documentation | |
Include compliance requirements in the system maintenance policy. CC ID 14217 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; Article 8 2 ¶ 1(a)(i) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii)] | Operational management | Establish/Maintain Documentation | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Establish/Maintain Documentation | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Communicate | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: Article 37 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Communicate | |
Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Operational management | Establish/Maintain Documentation | |
Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Operational management | Communicate | |
Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Operational management | Process or Activity | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Business Processes | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Log Management | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Maintenance | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Maintenance | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Maintenance | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Maintenance | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Maintenance | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Human Resources Management | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Process or Activity | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Establish, implement, and maintain an incident management policy. CC ID 16414 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: Article 22 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Communicate | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [The financial entities referred to in paragraph 1 shall set out alert thresholds and criteria to trigger and initiate ICT-related incident response processes. Article 31 4.] | Operational management | Establish/Maintain Documentation | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: identify and implement measures to monitor and analyse information on anomalous activities and behaviour for critical or important ICT operations; Article 34 ¶ 1(g)] | Operational management | Establish/Maintain Documentation | |
Include incident management procedures in the Incident Management program. CC ID 12689 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: document the ICT-related incident management process referred to in Article 17 of Regulation (EU) 2022/2554; Article 22 ¶ 1(a) {cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish, implement, and operate technical, organisational, and operational mechanisms to support the ICT-related incident management process, including mechanisms to enable a prompt detection of anomalous activities and behaviours in accordance with Article 23 of this Regulation; Article 22 ¶ 1(c)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Establish/Maintain Documentation | |
Log incidents in the Incident Management audit log. CC ID 00857 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually. Article 23 2 ¶ 1(d)] | Operational management | Establish/Maintain Documentation | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Log Management | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Log Management | |
Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an incident response plan. CC ID 12056 [{response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d) {response plan} {success} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: lay down the objectives of ICT response and recovery plans and the conditions to declare a successful execution of those plans. Article 26 1 ¶ 1(f)] | Operational management | Establish/Maintain Documentation | |
Include addressing external communications in the incident response plan. CC ID 13351 | Operational management | Establish/Maintain Documentation | |
Include addressing internal communications in the incident response plan. CC ID 13350 | Operational management | Establish/Maintain Documentation | |
Include change control procedures in the incident response plan. CC ID 15479 | Operational management | Establish/Maintain Documentation | |
Include addressing information sharing in the incident response plan. CC ID 13349 | Operational management | Establish/Maintain Documentation | |
Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Operational management | Establish/Maintain Documentation | |
Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Operational management | Establish/Maintain Documentation | |
Include the management support needed for incident response in the incident response plan. CC ID 14300 | Operational management | Establish/Maintain Documentation | |
Include root cause analysis in the incident response plan. CC ID 16423 | Operational management | Establish/Maintain Documentation | |
Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Operational management | Establish/Maintain Documentation | |
Include the resources needed for incident response in the incident response plan. CC ID 14292 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 [{response plan} When developing the ICT response and recovery plans referred to in Article 11(3) of Regulation (EU) 2022/2554, financial entities shall take into account the results of the financial entity's business impact analysis (BIA). Those ICT response and recovery plans shall: be documented and made available to the staff involved in the execution of ICT response and recovery plans and be readily accessible in case of emergency; Article 26 1 ¶ 1(d)] | Operational management | Communicate | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [Financial entities shall set clear roles and responsibilities to effectively detect and respond to ICT-related incidents and anomalous activities. Article 23 1.] | Operational management | Establish Roles | |
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 [{response measure} {recovery measure} The financial entities referred to in paragraph 1 shall, as part of their simplified ICT risk management framework, ensure that their management body: approves, oversees, and periodically reviews: the business continuity plans of the financial entity, and the response and recovery measures referred to in Article 16(1), point (f), of Regulation (EU) 2022/2554; Article 28 2(d)(ii)] | Operational management | Establish/Maintain Documentation | |
Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: establish a list of relevant contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including on: the detection and monitoring of cyber threats; Article 22 ¶ 1(b)(i)] | Operational management | Establish/Maintain Documentation | |
Include log management procedures in the incident response program. CC ID 17081 [{internal factor} The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity; Article 23 2 ¶ 1(a)(i)] | Operational management | Establish/Maintain Documentation | |
Prepare for incident response notifications. CC ID 00584 [The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to: collect, monitor, and analyse all of the following: ICT-related incident notification from an ICT third-party service provider of the financial entity detected in the ICT systems and networks of the ICT third-party service provider and that may affect the financial entity; Article 23 2 ¶ 1(a)(iii)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the incident response policy. CC ID 14105 [{disseminate and communicate} {response plan} {recovery plan} For the purposes of point (d), financial entities shall clearly specify roles and responsibilities. Article 26 1 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Operational management | Establish/Maintain Documentation | |
Retain collected evidence for potential future legal actions. CC ID 01235 [{cybersecurity incident management policy} As part of the mechanisms to detect anomalous activities, including ICT network performance issues and ICT-related incidents, financial entities shall develop, document, and implement an ICT-related incident policy through which they shall: retain all evidence relating to ICT-related incidents for a period that shall be no longer than necessary for the purposes for which the data are collected, commensurate with the criticality of the affected business functions, supporting processes, and ICT and information assets, in accordance with Article 15 of Commission Delegated Regulation (EU) 2024/1772 (12) and with any applicable retention requirement pursuant to Union law; Article 22 ¶ 1(d)] | Operational management | Records Management | |
Include time information in the chain of custody. CC ID 17068 | Operational management | Log Management | |
Include actions performed on evidence in the chain of custody. CC ID 17067 | Operational management | Log Management | |
Include individuals who had custody of evidence in the chain of custody. CC ID 17066 | Operational management | Log Management | |
Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 [{ICT-related incident} For the purposes of point (d), financial entities shall retain the evidence referred to in that point in a secure manner. Article 22 ¶ 2 {data at rest} Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use. Article 23 3.] | Operational management | Records Management | |
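The chain-of-custody rows above (time, actions performed, individuals who had custody) and the requirement in Article 22 ¶ 2 and Article 23 3 to keep incident evidence and recordings tamper-proof are usually met together with a tamper-evident ledger. The following is an added example, not code from the RTS or from any named product: each custody record carries an HMAC over its own content and the previous record's MAC, so an edit, deletion or reordering anywhere in the history breaks the chain from that point on. The ledger key, custodian names, timestamps and the evidence item are all constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumed ledger key held by the evidence-handling function. In practice it would live in an
# HSM or a secrets manager, not in source; it is hard-coded here only so the example runs.
LEDGER_KEY = b"example-custody-ledger-key"
GENESIS = "0" * 64   # MAC "before" the first record


def _entry_mac(prev_mac: str, entry: dict) -> str:
    """HMAC over the previous record's MAC plus this entry's canonical JSON, so every
    record commits to the whole history before it."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LEDGER_KEY, prev_mac.encode() + canonical, hashlib.sha256).hexdigest()


def append_record(ledger: list, evidence_sha256: str, custodian: str, action: str, time_utc: str) -> dict:
    """Append one chain-of-custody record: which item, who handled it, what they did, and when."""
    prev_mac = ledger[-1]["mac"] if ledger else GENESIS
    entry = {"evidence": evidence_sha256, "custodian": custodian, "action": action, "time": time_utc}
    record = {"entry": entry, "mac": _entry_mac(prev_mac, entry)}
    ledger.append(record)
    return record


def verify_ledger(ledger: list) -> Optional[int]:
    """Return the index of the first record that does not chain correctly (edited, inserted,
    reordered, or following a deleted record), or None if the ledger is intact."""
    prev_mac = GENESIS
    for i, record in enumerate(ledger):
        if not hmac.compare_digest(record["mac"], _entry_mac(prev_mac, record["entry"])):
            return i
        prev_mac = record["mac"]
    return None


def build_sample_ledger() -> list:
    """Constructed custody history for one evidence item (a 'disk image' that is just a byte string)."""
    image = b"constructed disk image contents"
    digest = hashlib.sha256(image).hexdigest()   # the evidence is identified by its own hash
    ledger: list = []
    append_record(ledger, digest, "analyst.a", "acquired image from host db-01", "2024-06-03T08:15:00Z")
    append_record(ledger, digest, "analyst.a", "sealed and placed in evidence safe", "2024-06-03T09:02:00Z")
    append_record(ledger, digest, "analyst.b", "checked out for timeline analysis", "2024-06-04T10:30:00Z")
    append_record(ledger, digest, "analyst.b", "returned to evidence safe", "2024-06-04T17:45:00Z")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact:", verify_ledger(ledger) is None)
    ledger[2]["entry"]["custodian"] = "analyst.c"   # simulate a later edit of who held the item
    print("first bad record:", verify_ledger(ledger))
```

One caveat a reviewer would raise: a chain like this detects changes inside the history but cannot detect truncation of the newest records, so the current record count and final MAC should also be written somewhere the incident handlers cannot alter (for instance a write-once store or a periodically signed checkpoint).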
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Actionable Reports or Measurements | |
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 [{capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the monitoring procedures for maintaining and improving: the prevention of ICT capacity shortages. Article 9 1(c)(iii)] | Operational management | Establish/Maintain Documentation | |
Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: for network services agreements: the identification and specification of ICT and information security measures, service levels, and management requirements of all network services; Article 13 ¶ 1(m)(i)] | Operational management | Establish/Maintain Documentation | |
Include the management requirements for network services in the Service Level Agreement. CC ID 12025 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: for network services agreements: the identification and specification of ICT and information security measures, service levels, and management requirements of all network services; Article 13 ¶ 1(m)(i)] | Operational management | Establish/Maintain Documentation | |
Include the service levels for network services in the Service Level Agreement. CC ID 12024 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: for network services agreements: the identification and specification of ICT and information security measures, service levels, and management requirements of all network services; Article 13 ¶ 1(m)(i)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a change control program. CC ID 00886 [{project management} When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT project and change management; Article 1 ¶ 1 (d) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2. The ICT project management policy referred to in paragraph 1 shall contain all of the following: change management requirements; Article 15 3(f)] | Operational management | Establish/Maintain Documentation | |
Include version control in the change control program. CC ID 13119 | Operational management | Establish/Maintain Documentation | |
Include service design and transition in the change control program. CC ID 13920 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a back-out plan. CC ID 13623 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: error handling concerning ICT systems, including all of the following: ICT system restart, rollback, and recovery procedures for use in the event of ICT system disruption. Article 8 2 ¶ 1(c)(iii)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the identification of fall-back procedures and responsibilities, including procedures and responsibilities for aborting changes or recovering from changes not successfully implemented; Article 17 1(e)] | Operational management | Establish/Maintain Documentation | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a verification of whether the ICT security requirements have been met; Article 17 1(a) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the identification of the potential impact of a change on existing ICT security measures and an assessment of whether such change requires the adoption of additional ICT security measures. Article 17 1(h) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the documentation and communication of change details, including: the expected outcomes; Article 17 1(d)(iii)] | Operational management | Establish/Maintain Documentation | |
Document all change requests in change request forms. CC ID 06794 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: mechanisms to ensure the independence of the functions that approve changes and the functions responsible for requesting and implementing those changes; Article 17 1(b) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: changes are specified and planned; Article 17 1(c)(i) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Establish/Maintain Documentation | |
Approve tested change requests. CC ID 11783 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches; Article 17 1(g) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Data and Information Management | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the documentation and communication of change details, including: Article 17 1(d) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the documentation and communication of change details, including: the purpose and scope of the change; Article 17 1(d)(i) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: the documentation and communication of change details, including: the timeline for the implementation of the change; Article 17 1(d)(ii)] | Operational management | Behavior | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 [The patch management procedures referred to in paragraph 3 shall: identify emergency procedures for the patching and updating of ICT assets; Article 10 4(b) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: procedures, protocols, and tools to manage emergency changes that provide adequate safeguards; Article 17 1(f)] | Operational management | Establish/Maintain Documentation | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Process or Activity | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Process or Activity | |
Log emergency changes after they have been performed. CC ID 12733 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: procedures to document, re-evaluate, assess, and approve emergency changes after their implementation, including workarounds and patches; Article 17 1(g)] | Operational management | Establish/Maintain Documentation | |
Perform risk assessments prior to approving change requests. CC ID 00888 [{project management} When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT project and change management; Article 1 ¶ 1 (d)] | Operational management | Testing | |
Implement changes according to the change control program. CC ID 11776 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: an adequate transition is designed; Article 17 1(c)(ii) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: a clear description of the roles and responsibilities to ensure that: the changes are tested and finalised in a controlled manner; Article 17 1(c)(iii) The financial entities referred to in paragraph 1 shall develop, document, and implement an ICT change management procedure to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner and with the adequate safeguards to preserve the financial entity's digital operational resilience. Article 38 2.] | Operational management | Business Processes | |
Establish, implement, and maintain a transition strategy. CC ID 17049 | Operational management | Establish/Maintain Documentation | |
Include monitoring requirements in the transition strategy. CC ID 17290 | Operational management | Establish/Maintain Documentation | |
Include resources in the transition strategy. CC ID 17289 | Operational management | Establish/Maintain Documentation | |
Include time requirements in the transition strategy. CC ID 17288 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Process or Activity | |
Document the sources of all software updates. CC ID 13316 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain patch management procedures. CC ID 15224 [As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document and implement patch management procedures. Article 10 3. The patch management procedures referred to in paragraph 3 shall: to the extent possible identify and evaluate available software and hardware patches and updates using automated tools; Article 10 4(a)] | Operational management | Establish/Maintain Documentation | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 [The vulnerability management procedures referred to in paragraph 1 shall: prioritise the deployment of patches and other mitigation measures to address the vulnerabilities identified; Article 10 2 ¶ 1(f) {prioritization} {patch} {mitigation measure} For the purposes of point (f), financial entities shall consider the criticality of the vulnerability, the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and the risk profile of the ICT assets affected by the identified vulnerabilities. Article 10 2 ¶ 5 The patch management procedures referred to in paragraph 3 shall: set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met. Article 10 4(d) {vulnerability assessment} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: perform automated vulnerability scanning and assessments of ICT assets commensurate to their classification as referred to in Article 30(1) and to the overall risk profile of the ICT asset, and deploy patches to address identified vulnerabilities; Article 34 ¶ 1(d)] | Operational management | Business Processes | |
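Article 10 2 ¶ 5 names the three inputs to prioritisation (criticality of the vulnerability, the Article 8(1) classification of the asset, and the asset's risk profile) and Article 10 4(d) requires deadlines with an escalation path when they are missed. The following added example (not code from the RTS or from any scanner product) turns those inputs into a priority tier, a remediation deadline and an escalation flag. The tier thresholds, the deadline values and the findings themselves are assumptions constructed for the example; the RTS prescribes none of them.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative remediation deadlines per tier, in days. The RTS requires that deadlines and an
# escalation procedure exist but leaves the values to the entity; these are assumptions.
DEADLINE_DAYS = {"P1": 7, "P2": 30, "P3": 90}


@dataclass
class Vulnerability:
    vuln_id: str            # constructed identifier, not a real advisory
    asset: str
    cvss: float             # criticality of the vulnerability
    classification: str     # asset classification: "critical", "important" or "other"
    internet_exposed: bool  # one element of the asset's risk profile
    discovered: date


def priority(v: Vulnerability) -> str:
    """Combine vulnerability criticality, asset classification and exposure into a tier."""
    score = v.cvss
    score += {"critical": 2.0, "important": 1.0}.get(v.classification, 0.0)
    if v.internet_exposed:
        score += 1.5
    if score >= 9.0:
        return "P1"
    if score >= 6.0:
        return "P2"
    return "P3"


def deadline(v: Vulnerability) -> date:
    """Installation deadline derived from the tier and the discovery date."""
    return v.discovered + timedelta(days=DEADLINE_DAYS[priority(v)])


def triage(vulns, today: date) -> list:
    """Work list ordered by tier then deadline; items past their deadline are flagged for escalation."""
    items = []
    for v in vulns:
        due = deadline(v)
        items.append({
            "vuln_id": v.vuln_id,
            "asset": v.asset,
            "priority": priority(v),
            "deadline": due.isoformat(),
            "escalate": today > due,
        })
    items.sort(key=lambda i: (i["priority"], i["deadline"]))
    return items


# Constructed findings for the example.
SAMPLE = [
    Vulnerability("VULN-0001", "payments-api", 7.5, "critical", True, date(2024, 5, 1)),
    Vulnerability("VULN-0002", "hr-portal", 5.0, "important", False, date(2024, 5, 1)),
    Vulnerability("VULN-0003", "dev-wiki", 4.0, "other", False, date(2024, 4, 1)),
    Vulnerability("VULN-0004", "batch-scheduler", 9.8, "other", False, date(2024, 5, 10)),
]


def triage_sample(today_iso: str) -> list:
    """Run the constructed findings against a given date in ISO format."""
    return triage(SAMPLE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for item in triage_sample("2024-05-15"):
        print(item)
```

Note how a medium-severity finding on an internet-facing critical asset (VULN-0001) outranks a critical-severity finding on an internal, unclassified one once asset context is applied; a CVSS-only queue would invert that order.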
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a configuration management policy. CC ID 14023 | System hardening through configuration management | Establish/Maintain Documentation | |
Include compliance requirements in the configuration management policy. CC ID 14072 [The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: an ICT assets description, including all of the following: requirements regarding secure installation, maintenance, configuration, and deinstallation of an ICT system; Article 8 2 ¶ 1(a)(i)] | System hardening through configuration management | Establish/Maintain Documentation | |
Document external connections for all systems. CC ID 06415 [The policy on management of ICT assets referred to in paragraph 1 shall: prescribe that the financial entity keeps records of all of the following: whether the ICT asset can be or is exposed to external networks, including the internet; Article 4 2(b)(vii)] | System hardening through configuration management | Configuration | |
Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification of a secure configuration baseline for ICT assets that minimise exposure of those ICT assets to cyber threats and measures to verify regularly that those baselines are effectively deployed; Article 11 2 ¶ 1(b)] | System hardening through configuration management | Establish/Maintain Documentation | |
Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Establish/Maintain Documentation | |
Include installed custom software in the baseline configuration. CC ID 13274 | System hardening through configuration management | Establish/Maintain Documentation | |
Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Establish/Maintain Documentation | |
Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Establish/Maintain Documentation | |
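Article 11 2 ¶ 1(b) asks for more than a written baseline: it requires measures to verify regularly that the baseline is effectively deployed. The rows above list what such a baseline records (operating system and version, installed packages and versions, custom software, applied patches, listening ports). The following added example, not code from the RTS, compares a host's observed state against a baseline of that shape and reports every deviation. It assumes a Debian-style host where packages come from `dpkg-query` and listening sockets from `ss -ltn`; the command output, package versions, advisory identifiers and the baseline itself are constructed for the example.

```python
import re

# Baseline for one server role. Package versions, advisory IDs and the in-house package
# are constructed for this example and do not describe any real system.
BASELINE = {
    "os": {"name": "Debian", "version": "12.5"},
    "packages": {
        "openssh-server": "1:9.2p1-2+deb12u2",
        "nginx": "1.22.1-9",
        "app-payments": "3.4.0",   # custom software is tracked like any other package
    },
    "patches": {"DSA-5555-1", "DSA-5600-1"},
    "listening_ports": {22, 443},
}

# Constructed output in the format of `ss -ltn` and of
# `dpkg-query -W -f='${Package}\t${Version}\n'`, standing in for live collection.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      511    [::]:443            [::]:*
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
"""
SAMPLE_DPKG = "openssh-server\t1:9.2p1-2+deb12u2\nnginx\t1.22.1-8\napp-payments\t3.4.0\ntelnetd\t0.17-45\n"
SAMPLE_PATCHES = {"DSA-5555-1"}
SAMPLE_OS = {"name": "Debian", "version": "12.5"}


def parse_ss_listening(output: str) -> set:
    """Extract local listening ports from `ss -ltn` output (IPv4 and IPv6 lines)."""
    ports = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = re.search(r":(\d+)$", fields[3])
        if m:
            ports.add(int(m.group(1)))
    return ports


def parse_dpkg(output: str) -> dict:
    """Map package name to version from tab-separated dpkg-query output."""
    packages = {}
    for line in output.splitlines():
        if "\t" in line:
            name, version = line.split("\t", 1)
            packages[name] = version
    return packages


def observed_state() -> dict:
    """Assemble the host's observed state from the constructed command output."""
    return {
        "os": SAMPLE_OS,
        "packages": parse_dpkg(SAMPLE_DPKG),
        "patches": SAMPLE_PATCHES,
        "listening_ports": parse_ss_listening(SAMPLE_SS),
    }


def find_drift(baseline: dict, observed: dict) -> list:
    """Return one human-readable line per deviation from the baseline; empty means compliant."""
    drift = []
    if observed["os"] != baseline["os"]:
        drift.append(f"os: baseline {baseline['os']}, observed {observed['os']}")
    for pkg, ver in sorted(baseline["packages"].items()):
        got = observed["packages"].get(pkg)
        if got is None:
            drift.append(f"package {pkg}: missing (baseline {ver})")
        elif got != ver:
            drift.append(f"package {pkg}: baseline {ver}, observed {got}")
    for pkg in sorted(set(observed["packages"]) - set(baseline["packages"])):
        drift.append(f"package {pkg}: not in baseline (observed {observed['packages'][pkg]})")
    for adv in sorted(baseline["patches"] - observed["patches"]):
        drift.append(f"patch {adv}: not applied")
    for port in sorted(observed["listening_ports"] - baseline["listening_ports"]):
        drift.append(f"port {port}: listening but not in baseline")
    for port in sorted(baseline["listening_ports"] - observed["listening_ports"]):
        drift.append(f"port {port}: expected service not listening")
    return drift


if __name__ == "__main__":
    for line in find_drift(BASELINE, observed_state()):
        print(line)
```

Run on a schedule and fed from real command output, the non-empty result is the evidence the regulation asks for; note that an unexpected package (here a telnet daemon) and an unexpected listener are reported even though nothing in the baseline was removed, which is why the check must look for additions as well as missing items.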
Define the relationships and dependencies between Configurable Items. CC ID 02134 [As part of the simplified ICT risk management framework referred to in Article 16(1), point (a), of Regulation (EU) 2022/2554, the financial entities referred to in paragraph 1 of that Article shall identify, classify, and document all critical or important functions, the information assets and ICT assets supporting them and their interdependencies. Financial entities shall review that identification and classification as needed. Article 30 1.] | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system hardening standard. CC ID 00876 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the implementation of a secure configuration baseline of all network components, and the hardening of the network and of network devices in line with any vendor instructions, where applicable standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and leading practices; Article 13 ¶ 1(k)] | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain configuration standards. CC ID 11953 | System hardening through configuration management | Configuration | |
Include common security parameter settings in the configuration standards for all systems. CC ID 12544 | System hardening through configuration management | Establish/Maintain Documentation | |
Apply configuration standards to all systems, as necessary. CC ID 12503 [{ICT third-party service provider} {assets} {digital operational resilience} For the purposes of point (k), financial entities shall consider the following: the implementation of vendor recommended settings on the elements operated by the financial entity; Article 11 2 ¶ 3(a)] | System hardening through configuration management | Configuration | |
Configure security parameter settings on all system components appropriately. CC ID 12041 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the implementation of a secure configuration baseline of all network components, and the hardening of the network and of network devices in line with any vendor instructions, where applicable standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and leading practices; Article 13 ¶ 1(k)] | System hardening through configuration management | Technical Security | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards. CC ID 04490 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the procedures to limit, lock, and terminate system and remote sessions after a specified period of inactivity; Article 13 ¶ 1(l)] | System hardening through configuration management | Configuration | |
Configure the Intrusion Detection System and the Intrusion Prevention System to detect rogue devices and unauthorized connections. CC ID 04837 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the identification and implementation of network access controls to prevent and detect connections to the financial entity's network by any unauthorised device or system, or any endpoint not meeting the financial entity's security requirements; Article 13 ¶ 1(d) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity's network, and to secure the network traffic between the financial entity's internal networks and the internet and other external connections; Article 35 ¶ 1(c)] | System hardening through configuration management | Configuration | |
Install critical security updates and important security updates in a timely manner. CC ID 01696 [The patch management procedures referred to in paragraph 3 shall: test and deploy the software and hardware patches and the updates referred to in Article 8(2), points (b)(v), (vi) and (vii); Article 10 4(c) The patch management procedures referred to in paragraph 3 shall: set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met. Article 10 4(d)] | System hardening through configuration management | Configuration | |
Include risk information when communicating critical security updates. CC ID 14948 | System hardening through configuration management | Communicate | |
Configure each system's security alerts to organizational standards. CC ID 12113 [For the purposes of point (b), the tools referred to in that point shall contain the tools that provide automated alerts based on pre-defined rules to identify anomalies affecting the completeness and integrity of the data sources or log collection. Article 23 2 ¶ 2] | System hardening through configuration management | Technical Security | |
Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 [Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that: contain safeguards against intrusions and data misuse; Article 2 1(b) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1] | System hardening through configuration management | Configuration | |
Configure Hypertext Transfer Protocol headers in accordance with organizational standards. CC ID 16851 | System hardening through configuration management | Configuration | |
Configure Hypertext Transfer Protocol security headers in accordance with organizational standards. CC ID 16488 | System hardening through configuration management | Configuration | |
Configure "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to organizational standards. CC ID 15385 | System hardening through configuration management | Configuration | |
Configure Microsoft Attack Surface Reduction rules in accordance with organizational standards. CC ID 16478 | System hardening through configuration management | Configuration | |
Configure "Remote host allows delegation of non-exportable credentials" to organizational standards. CC ID 15379 | System hardening through configuration management | Configuration | |
Configure "Configure enhanced anti-spoofing" to organizational standards. CC ID 15376 | System hardening through configuration management | Configuration | |
Configure "Block user from showing account details on sign-in" to organizational standards. CC ID 15374 | System hardening through configuration management | Configuration | |
Configure "Configure Attack Surface Reduction rules" to organizational standards. CC ID 15370 | System hardening through configuration management | Configuration | |
Configure "Turn on e-mail scanning" to organizational standards. CC ID 15361 | System hardening through configuration management | Configuration | |
Configure "Prevent users and apps from accessing dangerous websites" to organizational standards. CC ID 15359 | System hardening through configuration management | Configuration | |
Configure "Enumeration policy for external devices incompatible with Kernel DMA Protection" to organizational standards. CC ID 15352 | System hardening through configuration management | Configuration | |
Configure "Prevent Internet Explorer security prompt for Windows Installer scripts" to organizational standards. CC ID 15351 | System hardening through configuration management | Configuration | |
Store state information from applications and software separately. CC ID 14767 | System hardening through configuration management | Configuration | |
Configure the "aufs storage" to organizational standards. CC ID 14461 | System hardening through configuration management | Configuration | |
Configure the "AppArmor Profile" to organizational standards. CC ID 14496 | System hardening through configuration management | Configuration | |
Configure the "device" argument to organizational standards. CC ID 14536 | System hardening through configuration management | Configuration | |
Configure the "Docker" group ownership to organizational standards. CC ID 14495 | System hardening through configuration management | Configuration | |
Configure the "Docker" user ownership to organizational standards. CC ID 14505 | System hardening through configuration management | Configuration | |
Configure "Allow upload of User Activities" to organizational standards. CC ID 15338 | System hardening through configuration management | Configuration | |
Configure the "ulimit" to organizational standards. CC ID 14499 | System hardening through configuration management | Configuration | |
Configure the computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender properly. CC ID 05282 | System hardening through configuration management | Configuration | |
Configure the "Turn off Help Ratings" setting. CC ID 05285 | System hardening through configuration management | Configuration | |
Configure the "Decoy Admin Account Not Disabled" policy properly. CC ID 05286 | System hardening through configuration management | Configuration | |
Configure the "Anonymous access to the registry" policy properly. CC ID 05288 | System hardening through configuration management | Configuration | |
Configure the File System Checker and Popups setting. CC ID 05289 | System hardening through configuration management | Configuration | |
Configure the System File Checker setting. CC ID 05290 | System hardening through configuration management | Configuration | |
Configure the System File Checker Progress Meter setting. CC ID 05291 | System hardening through configuration management | Configuration | |
Configure the Protect Kernel object attributes properly. CC ID 05292 | System hardening through configuration management | Configuration | |
Verify crontab files are owned by an appropriate user or group. CC ID 05305 | System hardening through configuration management | Configuration | |
Restrict the exporting of files and directories, as necessary. CC ID 16315 | System hardening through configuration management | Technical Security | |
Verify the /etc/syslog.conf file is owned by an appropriate user or group. CC ID 05322 | System hardening through configuration management | Configuration | |
Verify the traceroute executable is owned by an appropriate user or group. CC ID 05323 | System hardening through configuration management | Configuration | |
Verify the /etc/passwd file is owned by an appropriate user or group. CC ID 05325 | System hardening through configuration management | Configuration | |
Configure the "Prohibit Access of the Windows Connect Now Wizards" setting. CC ID 05380 | System hardening through configuration management | Configuration | |
Configure the "Allow remote access to the PnP interface" setting. CC ID 05381 | System hardening through configuration management | Configuration | |
Configure the "Do not create system restore point when new device driver installed" setting. CC ID 05382 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Access to All Windows Update Feature" setting. CC ID 05383 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Automatic Root Certificates Update" setting. CC ID 05384 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Event Views 'Events.asp' Links" setting. CC ID 05385 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Internet File Association Service" setting. CC ID 05389 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting. CC ID 05390 | System hardening through configuration management | Configuration | |
Configure the "Turn off the 'Order Prints' Picture task" setting. CC ID 05391 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Windows Movie Maker Online Web Links" setting. CC ID 05392 | System hardening through configuration management | Configuration | |
Configure the "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting. CC ID 05393 | System hardening through configuration management | Configuration | |
Configure the "Don't Display the Getting Started Welcome Screen at Logon" setting. CC ID 05394 | System hardening through configuration management | Configuration | |
Configure the "Turn off Windows Startup Sound" setting. CC ID 05395 | System hardening through configuration management | Configuration | |
Configure the "Prevent IIS Installation" setting. CC ID 05398 | System hardening through configuration management | Configuration | |
Configure the "Turn off Active Help" setting. CC ID 05399 | System hardening through configuration management | Configuration | |
Configure the "Turn off Untrusted Content" setting. CC ID 05400 | System hardening through configuration management | Configuration | |
Configure the "Turn off downloading of enclosures" setting. CC ID 05401 | System hardening through configuration management | Configuration | |
Configure "Allow indexing of encrypted files" to organizational standards. CC ID 05402 | System hardening through configuration management | Configuration | |
Configure the "Prevent indexing uncached Exchange folders" setting. CC ID 05403 | System hardening through configuration management | Configuration | |
Configure the "Turn off Windows Calendar" setting. CC ID 05404 | System hardening through configuration management | Configuration | |
Configure the "Turn off Windows Defender" setting. CC ID 05405 | System hardening through configuration management | Configuration | |
Configure the "Turn off the communication features" setting. CC ID 05410 | System hardening through configuration management | Configuration | |
Configure the "Turn off Windows Meeting Space" setting. CC ID 05413 | System hardening through configuration management | Configuration | |
Configure the "Turn on Windows Meeting Space auditing" setting. CC ID 05414 | System hardening through configuration management | Configuration | |
Configure the "Disable unpacking and installation of gadgets that are not digitally signed" setting. CC ID 05415 | System hardening through configuration management | Configuration | |
Configure the "Override the More Gadgets Link" setting. CC ID 05416 | System hardening through configuration management | Configuration | |
Configure the "Turn Off User Installed Windows Sidebar Gadgets" setting. CC ID 05417 | System hardening through configuration management | Configuration | |
Configure the "Turn off Downloading of Game Information" setting. CC ID 05419 | System hardening through configuration management | Configuration | |
Set the noexec_user_stack flag on the user stack properly. CC ID 05439 | System hardening through configuration management | Configuration | |
Configure the "restrict guest access to system log" policy, as appropriate. CC ID 06047 | System hardening through configuration management | Configuration | |
Configure the Trusted Platform Module (TPM) platform validation profile, as appropriate. CC ID 06056 | System hardening through configuration management | Configuration | |
Enable or disable the standby states, as appropriate. CC ID 06060 | System hardening through configuration management | Configuration | |
Configure the Trusted Platform Module startup options properly. CC ID 06061 | System hardening through configuration management | Configuration | |
Configure the "Obtain Software Package Updates with apt-get" setting to organizational standards. CC ID 11375 | System hardening through configuration management | Configuration | |
Configure the "display a banner before authentication" setting for "LightDM" to organizational standards. CC ID 11385 | System hardening through configuration management | Configuration | |
Configure user accounts. CC ID 07036 | System hardening through configuration management | Configuration | |
Employ multifactor authentication for accounts with administrative privilege. CC ID 12496 [As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: authentication methods, including all of the following: the use of strong authentication methods in accordance with leading practices and techniques for remote access to the financial entity's network, for privileged access, for access to ICT assets supporting critical or important functions or ICT assets that are publicly accessible; Article 21 ¶ 1(f)(ii) For the purposes of point (d), financial entities shall use strong authentication methods that are based on leading practices for remote access to the financial entities' network, for privileged access, and for access to ICT assets supporting critical or important functions that are publicly available. Article 33 ¶ 3] | System hardening through configuration management | Technical Security | |
Review and approve the firewall rules, as necessary. CC ID 06745 [For the purposes of point (h), financial entities shall perform the review of firewall rules and connections filters on a regular basis in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and the overall risk profile of ICT systems involved. For ICT systems that support critical or important functions, financial entities shall verify the adequacy of the existing firewall rules and connection filters at least every 6 months. Article 13 ¶ 2] | System hardening through configuration management | Configuration | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Configuration | |
Configure the log to capture the user's identification. CC ID 01334 [{generic account} As part of their control of access management rights, financial entities shall develop, document, and implement a policy that contains all of the following: a provision on user accountability, by limiting to the extent possible the use of generic and shared user accounts and ensuring that users are identifiable for the actions performed in the ICT systems at all times; Article 21 ¶ 1(c) {logical access} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement procedures for the control of logical and physical access and shall enforce, monitor, and periodically review those procedures. Those procedures shall contain the following elements of control of logical and physical access: user accountability, which ensures that users can be identified for the actions performed in the ICT systems; Article 33 ¶ 1(b)] | System hardening through configuration management | Configuration | |
Configure the log to capture a date and time stamp. CC ID 01336 [Financial entities shall log all relevant information for each detected anomalous activity enabling: the identification of the date and time of detection of the anomalous activity; Article 23 4(b) Financial entities shall log all relevant information for each detected anomalous activity enabling: the identification of the date and time of occurrence of the anomalous activity; Article 23 4(a)] | System hardening through configuration management | Configuration | |
Configure the log to capture the type of each event. CC ID 06423 [Financial entities shall log all relevant information for each detected anomalous activity enabling: the identification of the type of the anomalous activity. Article 23 4(c)] | System hardening through configuration management | Configuration | |
Configure all logs to capture auditable events or actionable events. CC ID 06332 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the requirement to log events related to all of the following: capacity management; Article 12 2 ¶ 1(c)(ii) The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the requirement to log events related to all of the following: ICT operations, including ICT system activities; Article 12 2 ¶ 1(c)(iv) The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the requirement to log events related to all of the following: logical and physical access control, as referred to in Article 21, and identity management; Article 12 2 ¶ 1(c)(i) Financial entities shall log all relevant information for each detected anomalous activity enabling: Article 23 4. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management; Article 34 ¶ 1(f)] | System hardening through configuration management | Configuration | |
Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 | System hardening through configuration management | Log Management | |
Configure the log to capture startups and shutdowns. CC ID 16491 | System hardening through configuration management | Log Management | |
Configure the log to capture user queries and searches. CC ID 16479 | System hardening through configuration management | Log Management | |
Configure the log to capture Internet Protocol addresses. CC ID 16495 | System hardening through configuration management | Log Management | |
Configure the log to capture error messages. CC ID 16477 | System hardening through configuration management | Log Management | |
Configure the log to capture system failures. CC ID 16475 | System hardening through configuration management | Log Management | |
Configure the log to capture account lockouts. CC ID 16470 | System hardening through configuration management | Configuration | |
Configure the log to capture execution events. CC ID 16469 | System hardening through configuration management | Configuration | |
Configure the log to capture attempts to bypass or circumvent security controls. CC ID 17078 | System hardening through configuration management | Log Management | |
Configure the log to capture AWS Organizations changes. CC ID 15445 | System hardening through configuration management | Configuration | |
Configure the log to capture Identity and Access Management policy changes. CC ID 15442 | System hardening through configuration management | Configuration | |
Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 | System hardening through configuration management | Configuration | |
Configure the log to capture route table changes. CC ID 15439 | System hardening through configuration management | Configuration | |
Configure the log to capture virtual private cloud changes. CC ID 15435 | System hardening through configuration management | Configuration | |
Configure the log to capture changes to encryption keys. CC ID 15432 | System hardening through configuration management | Configuration | |
Configure the log to capture unauthorized API calls. CC ID 15429 | System hardening through configuration management | Configuration | |
Configure the log to capture changes to network gateways. CC ID 15421 | System hardening through configuration management | Configuration | |
Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 | System hardening through configuration management | Log Management | |
Configure the event log settings for specific Operating System functions. CC ID 06337 | System hardening through configuration management | Configuration | |
Generate an alert when an audit log failure occurs. CC ID 06737 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to detect a failure of logging systems; Article 12 2 ¶ 1(e)] | System hardening through configuration management | Configuration | |
Configure dedicated systems used for system management according to organizational standards. CC ID 12132 [Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the use of a separate and dedicated network for the administration of ICT assets; Article 13 ¶ 1(c)] | System hardening through configuration management | Configuration | |
Configure dedicated systems used for system management to prohibit them from composing documents. CC ID 12161 | System hardening through configuration management | Configuration | |
Configure dedicated systems used for system management so they are prohibited from accessing e-mail. CC ID 12160 | System hardening through configuration management | Configuration | |
Configure initial system hardening according to the secure configuration baseline. CC ID 13824 [For the purposes of point (b), the secure configuration baseline referred to in that point shall take into account leading practices and appropriate techniques laid down in the standards defined in Article 2, point (1), of Regulation (EU) No 1025/2012. Article 11 2 ¶ 2 Financial entities shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: the implementation of a secure configuration baseline of all network components, and the hardening of the network and of network devices in line with any vendor instructions, where applicable standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012, and leading practices; Article 13 ¶ 1(k)] | System hardening through configuration management | Configuration | |
Configure the system's password field with a unique default password. CC ID 13825 | System hardening through configuration management | Configuration | |
Lock configurations to prevent circumventing security measures. CC ID 12187 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the following requirements to secure the use of portable endpoint devices and private non-portable endpoint devices: the requirement to use security mechanisms that cannot be modified, removed or bypassed by staff members or ICT third-party service providers in an unauthorised manner; Article 11 2 ¶ 1(f)(ii)] | System hardening through configuration management | Configuration | |
Establish, implement, and maintain a records authentication system. CC ID 11648 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: Article 18 2 ¶ 1(e)] | Records management | Establish/Maintain Documentation | |
Remove dormant data from systems, as necessary. CC ID 13726 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: a process to securely delete data on premises, or that are stored externally, that the financial entity no longer needs to collect or store; Article 35 ¶ 1(e)] | Records management | Process or Activity | |
Determine how long to keep records and logs before disposing them. CC ID 11661 [For the purposes of point (a), financial entities shall establish the retention period, taking into account the business and information security objectives, the reason for recording the event in the logs, and the results of the ICT risk assessment. Article 12 2 ¶ 2 The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: the identification of the events to be logged, the retention period of the logs, and the measures to secure and handle the log data, considering the purpose for which the logs are created; Article 12 2 ¶ 1(a)] | Records management | Process or Activity | |
Retain records in accordance with applicable requirements. CC ID 00968 [For the purposes of point (a), financial entities shall maintain records of all identity assignments. Those records shall be kept following a reorganisation of the financial entity or after the end of the contractual relationship without prejudice to the retention requirements laid down in applicable Union and national law. Article 20 2 ¶ 2 {access rights administration} For the purposes of point (e)(i), financial entities shall establish the retention period taking into account the business and information security objectives, the reasons for recording the event in the logs, and the results of the ICT risk assessment. Article 21 ¶ 2] | Records management | Records Management | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the process to securely delete data, present on premises of the financial entity or stored externally, that the financial entity no longer needs to collect or to store; Article 11 2 ¶ 1(g)] | Records management | Records Management | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: Article 18 2 ¶ 1(e)] | Records management | Establish Roles | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Process or Activity | |
Provide encryption for different types of electronic storage media. CC ID 00945 [{encryption policy} {data in transit} Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basis of the results of an approved data classification and ICT risk assessment. That policy shall contain rules for all of the following: the encryption of data at rest and in transit; Article 6 2 ¶ 1(a)] | Records management | Technical Security | |
Establish, implement, and maintain data availability controls. CC ID 15301 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: Article 18 2 ¶ 1(e) {capacity management procedure} As part of the ICT security policies, procedures, protocols, and tools referred to in Article 9(2) of Regulation (EU) 2022/2554, financial entities shall develop, document, and implement capacity and performance management procedures for the following: the monitoring procedures for maintaining and improving: the availability of data and ICT systems; Article 9 1(c)(i) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: Article 35 ¶ 1 The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions; Article 35 ¶ 1(d)] | Records management | Data and Information Management | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 [The logging procedures, protocols, and tools referred to in paragraph 1 shall contain all of the following: measures to protect logging systems and log information against tampering, deletion, and unauthorised access at rest, in transit, and, where relevant, in use; Article 12 2 ¶ 1(d) {data in transit} {data at rest} The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of measures to protect data in use, in transit, and at rest; Article 35 ¶ 1(a) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following: the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity; Article 35 ¶ 1(b)] | Records management | Technical Security | |
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: Article 37 ¶ 1] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Data and Information Management | |
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Systems design, build, and implementation | Communicate | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: Article 16 1.] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Implement manual override capability into automated systems. CC ID 14921 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Define and assign the system development project team roles and responsibilities. CC ID 01061 [The ICT project management policy referred to in paragraph 1 shall ensure the secure ICT project implementation through the provision of the necessary information and expertise from the business area or functions impacted by the ICT project. Article 15 4.] | Systems design, build, and implementation | Establish Roles | |
Search for metadata during e-discovery. CC ID 01073 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain security design principles. CC ID 14718 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include reduced complexity of systems or system components in the security design principles. CC ID 14753 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include modularity and layering of systems or system components in the security design principles. CC ID 14750 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure evolvability of systems or system components in the security design principles. CC ID 14749 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include continuous protection of systems or system components in the security design principles. CC ID 14748 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure system modification of systems or system components in the security design principles. CC ID 14746 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include clear abstractions of systems or system components in the security design principles. CC ID 14745 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include least privilege of systems or system components in the security design principles. CC ID 14742 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include minimized sharing of systems or system components in the security design principles. CC ID 14741 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include acceptable security of systems or system components in the security design principles. CC ID 14740 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include minimized security elements in systems or system components in the security design principles. CC ID 14739 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include self-analysis of systems or system components in the security design principles. CC ID 14737 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include minimization of systems or system components in the security design principles. CC ID 14733 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure defaults in systems or system components in the security design principles. CC ID 14732 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include economic security in systems or system components in the security design principles. CC ID 14730 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include trusted components of systems or system components in the security design principles. CC ID 14729 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include procedural rigor in systems or system components in the security design principles. CC ID 14728 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include performance security of systems or system components in the security design principles. CC ID 14724 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include human factored security in systems or system components in the security design principles. CC ID 14723 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure metadata management of systems or system components in the security design principles. CC ID 14722 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include predicate permission of systems or system components in the security design principles. CC ID 14721 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain system design requirements. CC ID 06618 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; Article 37 ¶ 1(a)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Identify and document system development constraints. CC ID 11698 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include anti-counterfeit measures in the system requirements specification. CC ID 11547 | Systems design, build, and implementation | Physical and Environmental Protection | |
Include anti-counterfeit measures that make attempts to circumvent them evident during the anti-counterfeit authentication test in the system requirements specification. CC ID 11552 | Systems design, build, and implementation | Physical and Environmental Protection | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 [The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity's ICT systems. Article 15 2.] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include data governance and management practices in the system design project management framework. CC ID 15053 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Analyze current technology investment factors that could affect implementing the system design project. CC ID 01050 | Systems design, build, and implementation | Testing | |
Disseminate and communicate the implementation strategy to interested personnel and affected parties. CC ID 11796 | Systems design, build, and implementation | Communicate | |
Include system interoperability in the system requirements specification. CC ID 16256 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include equipment interoperability in the system requirements specification. CC ID 16257 | Systems design, build, and implementation | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain project management standards. CC ID 00992 [{project management} When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: ICT project and change management; Article 1 ¶ 1(d) As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document, and implement an ICT project management policy. Article 15 1. The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project governance, including roles and responsibilities; Article 15 3(b)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include objectives in the project management standard. CC ID 17202 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project objectives; Article 15 3(a)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include time requirements in the project management standard. CC ID 17199 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project planning, timeframe, and steps; Article 15 3(c)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain project management procedures. CC ID 17200 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project planning, timeframe, and steps; Article 15 3(c)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain integrated project plans. CC ID 01056 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an ICT project management procedure and shall specify the roles and responsibilities for its implementation. That procedure shall cover all stages of the ICT projects from their initiation to their closure. Article 38 1.] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a project test plan. CC ID 01001 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: the testing of all requirements, including security requirements, and the respective approval process when deploying an ICT system in the production environment. Article 15 3(g)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a project team plan. CC ID 06533 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: ICT project governance, including roles and responsibilities; Article 15 3(b)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Separate the design and development environment from the production environment. CC ID 06088 [{production environment} {non-production environment} For the purposes of point (b)(v), the separation shall consider all of the components of the environment, including accounts, data or connections, as required by Article 13, first subparagraph, point (a). Article 8 2 ¶ 2 The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: requirements on the separation of ICT production environments from the development, testing, and other non-production environments; Article 8 2 ¶ 1(b)(v) The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: requirements to conduct the development and testing in environments which are separated from the production environment; Article 8 2 ¶ 1(b)(vi) The policies and procedures for ICT operations referred to in paragraph 1 shall contain all of the following: controls and monitoring of ICT systems, including all of the following: requirements to conduct the development and testing in production environments; Article 8 2 ¶ 1(b)(vii)] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Implement security controls in development endpoints. CC ID 16389 | Systems design, build, and implementation | Testing | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include security requirements in the system design specification. CC ID 06826 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; Article 37 ¶ 1(a)] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain secure update mechanisms. CC ID 14923 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets: implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities in software and hardware, and check for corresponding new security updates. Article 34 ¶ 1(i)] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Automate secure update mechanisms, as necessary. CC ID 14933 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Follow security design requirements when developing systems. CC ID 06827 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii)] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Approve the design methodology before moving forward on the system design project. CC ID 01060 [The ICT project management policy referred to in paragraph 1 shall contain all of the following: the testing of all requirements, including security requirements, and the respective approval process when deploying an ICT system in the production environment. Article 15 3(g)] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect source code in accordance with organizational requirements. CC ID 16855 [The procedure referred to in paragraph 2 shall contain the implementation of controls to protect the integrity of the source code of ICT systems that are developed in-house or by an ICT third-party service provider and delivered to the financial entity by an ICT third-party service provider. Article 16 7.] | Systems design, build, and implementation | Technical Security | |
Establish and maintain the overall system development project management roles and responsibilities. CC ID 00991 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an ICT project management procedure and shall specify the roles and responsibilities for its implementation. That procedure shall cover all stages of the ICT projects from their initiation to their closure. Article 38 1.] | Systems design, build, and implementation | Establish Roles | |
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473 | Systems design, build, and implementation | Communicate | |
Establish, implement, and maintain system testing procedures. CC ID 11744 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Protect test data in the development environment. CC ID 12014 [{pseudonymized data} The procedure referred to in paragraph 2 shall provide that: non-production environments only store anonymised, pseudonymised, or randomised production data; Article 16 5(a) The procedure referred to in paragraph 2 shall provide that: financial entities are to protect the integrity and confidentiality of data in non-production environments. Article 16 5(b)] | Systems design, build, and implementation | Technical Security | |
Test security functionality during the development process. CC ID 12015 [{system testing procedure} {static analysis} {dynamic analysis} The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: Article 16 3.] | Systems design, build, and implementation | Testing | |
Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 [{address} {code anomalies} The procedure referred to in paragraph 2 shall contain the performance of source code reviews covering both static and dynamic testing. That testing shall contain security testing for internet-exposed systems and applications in accordance with Article 8(2), point (b), points (v), (vi) and (vii). Financial entities shall: monitor the implementation of that action plan. Article 16 3(c)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 [By way of derogation from paragraph 5, the procedure referred to in paragraph 2 may provide that production data are stored only for specific testing occasions, for limited periods of time, and following the approval by the relevant function and the reporting of such occasions to the ICT risk management function. Article 16 6.] | Systems design, build, and implementation | Communicate | |
Establish, implement, and maintain a system testing program for all system development projects. CC ID 01101 [Financial entities shall develop, document, and implement an ICT systems' acquisition, development, and maintenance procedure for the testing and approval of all ICT systems prior to their use and after maintenance, in accordance with Article 8(2), point (b), points (v), (vi) and (vii). The level of testing shall be commensurate to the criticality of the business procedures and ICT assets concerned. The testing shall be designed to verify that new ICT systems are adequate to perform as intended, including the quality of the software developed internally. Article 16 2 ¶ 1 The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure the testing and approval of ICT systems prior to their first use and before introducing changes to the production environment; Article 37 ¶ 1(b)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Implement security controls during the system implementation integration process. CC ID 11556 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: specify measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during the development, maintenance, and deployment of those ICT systems in the production environment. Article 16 1(c)] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Involve all stakeholders in the final acceptance test. CC ID 13168 [Central counterparties shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: clearing members and clients; Article 16 2 ¶ 2(a) {be interoperable} Central counterparties shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: interoperable central counterparties; Article 16 2 ¶ 2(b) Central counterparties shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: other interested parties. Article 16 2 ¶ 2(c) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: users; Article 16 2 ¶ 3(a) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: critical utilities and critical service providers; Article 16 2 ¶ 3(b) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: other central securities depositories; Article 16 2 ¶ 3(c) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: other market infrastructures; Article 16 2 ¶ 3(d) Central securities depositories shall, in addition to the requirements laid down in the first subparagraph, involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: any other institutions with which central securities depositories have identified interdependencies in their business continuity policy. Article 16 2 ¶ 3(e) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: any other institutions with which central securities depositories have identified interdependencies in their ICT business continuity policy. Article 17 2 ¶ 3(e) {changes} Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: clearing members and clients; Article 17 2 ¶ 2(a) {changes} {be interoperable} Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: interoperable central counterparties; Article 17 2 ¶ 2(b) {changes} Central counterparties shall involve, as appropriate, in the design and conduct of the testing referred to in the first subparagraph: other interested parties. Article 17 2 ¶ 2(c) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: users; Article 17 2 ¶ 3(a) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: critical utilities and critical service providers; Article 17 2 ¶ 3(b) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: other central securities depositories; Article 17 2 ¶ 3(c) {changes} Central securities depositories shall, as appropriate, involve in the design and conduct of the testing referred to in the first subparagraph: other market infrastructures; Article 17 2 ¶ 3(d)] | Systems design, build, and implementation | Human Resources Management | |
Establish and maintain end user support communications. CC ID 06615 | Systems design, build, and implementation | Business Processes | |
Establish, implement, and maintain a vulnerability disclosure policy. CC ID 14934 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain vulnerability disclosure procedures. CC ID 16489 [The vulnerability management procedures referred to in paragraph 1 shall: establish procedures for the responsible disclosure of vulnerabilities to clients, counterparties, and to the public; Article 10 2 ¶ 1(e)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 [For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action. Article 10 2 ¶ 3 The vulnerability management procedures referred to in paragraph 1 shall: verify whether: whether those service providers report to the financial entity at least the critical vulnerabilities and statistics and trends in a timely manner; Article 10 2 ¶ 1(c)(ii)] | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish, implement, and maintain system acquisition contracts. CC ID 14758 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include security requirements in system acquisition contracts. CC ID 01124 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; Article 37 ¶ 1(a)] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include operational requirements in system acquisition contracts. CC ID 00825 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: ensure that, before any acquisition or development of ICT systems takes place, the functional and non-functional requirements, including information security requirements, are clearly specified and approved by the business function concerned; Article 37 ¶ 1(a)] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Obtain system documentation before acquiring products and services. CC ID 01445 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: technical specifications and ICT technical specifications, as defined in Article 2, points (4) and (5), of Regulation (EU) No 1025/2012; Article 16 1(b)(i)] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 | Acquisition or sale of facilities, technology, and services | Communicate | |
Obtain user documentation before acquiring products and services. CC ID 14283 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Include instructions on how to use the security functions in the user documentation. CC ID 14314 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include security functions in the user documentation. CC ID 14313 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include a description of user interactions in the user documentation. CC ID 14311 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Require the information system developer to create a continuous monitoring plan. CC ID 14307 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: Article 16 1.] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Obtain authorization for marketing new products. CC ID 16805 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include compliance requirements in the product and services acquisition policy. CC ID 14163 [As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems. That policy shall: require the identification of: requirements relating to the acquisition, development, and maintenance of ICT systems, with a particular focus on ICT security requirements and on their approval by the relevant business function and ICT asset owner in accordance with the financial entity's internal governance arrangements; Article 16 1(b)(ii)] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include management commitment in the product and services acquisition policy. CC ID 14161 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include the scope in the product and services acquisition policy. CC ID 14159 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include the purpose in the product and services acquisition policy. CC ID 14158 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 [The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall design and implement, where appropriate, a procedure governing the acquisition, development, and maintenance of ICT systems following a risk-based approach. That procedure shall: Article 37 ¶ 1 The ICT project management policy referred to in paragraph 1 shall specify the elements that ensure the effective management of the ICT projects related to the acquisition, maintenance and, where applicable, development of the financial entity's ICT systems. Article 15 2.] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [The physical and environmental security policy referred to in paragraph 1 shall contain all of the following: measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including: Article 18 2 ¶ 1(e) The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide. Article 29 1.] | Privacy protection for information and data | Establish/Maintain Documentation | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Technical Security | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
Limit data leakage. CC ID 00356 [The data and system security procedure referred to in paragraph 1 shall contain all of the following elements related to data and ICT system security, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554: the identification and implementation of security measures to prevent data loss and leakage for systems and endpoint devices; Article 11 2 ¶ 1(i)] | Privacy protection for information and data | Data and Information Management | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
Establish, implement, and maintain a privacy impact assessment. CC ID 13712 [When developing and implementing the ICT security policies, procedures, protocols and tools referred to in Title II and the simplified ICT risk management framework referred to in Title III, the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations shall be taken into account, including elements relating to: the potential impact of the ICT risk on confidentiality, integrity and availability of data, and of the disruptions on the continuity and availability of the financial entity's activities. Article 1 ¶ 1(e)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how to grant consent in the privacy impact assessment. CC ID 15519 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data handling procedures in the privacy impact assessment. CC ID 15516 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the intended use of information in the privacy impact assessment. CC ID 15515 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Privacy protection for information and data | Business Processes | |
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include contingency plans in the third party management plan. CC ID 10030 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 [{restoration measure} {recovery measure} For the purposes of point (f), the measures referred to in that point shall provide for the mitigation of failures of critical third-party providers. Article 39 2 ¶ 2] | Third Party and supply chain oversight | Systems Continuity | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include on-site visits in third party contracts. CC ID 17306 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Systems Continuity | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 | Third Party and supply chain oversight | Communicate | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 [The financial entities referred to in paragraph 1 shall identify all critical or important functions supported by ICT third-party service providers. Article 30 2.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [For the purposes of point (c), financial entities shall request that ICT third-party service providers investigate the relevant vulnerabilities, determine the root causes, and implement appropriate mitigating action. Article 10 2 ¶ 3] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 [{assets} {digital operational resilience} For the purposes of point (k), financial entities shall consider the following: technical and organisational measures to minimise the risks related to the infrastructure used by the ICT third-party service provider for its ICT services, considering leading practices, and standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012. Article 11 2 ¶ 3(d)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 [{be responsible} The financial entities referred to in paragraph 1 may, in accordance with Union and national sectoral law, outsource the tasks of verifying compliance with ICT risk management requirements to ICT intra-group or ICT third-party service providers. In case of such outsourcing, financial entities shall remain fully responsible for the verification of compliance with the ICT risk management requirements. Article 28 3.] | Third Party and supply chain oversight | Establish/Maintain Documentation |