The arrival of DORA will have implications for businesses far beyond the EU and the financial services vertical. Whether it’s a U.S.-based business that banks in the EU, or a Hong Kong-based bank that has offices in Europe, this regulation is certain to impact a vast majority of major businesses. As these organizations look at their IT systems and security capabilities, the need for significant digital transformation is clear.
With IT leaders beginning to navigate the complexities of DORA, they must prioritize several key areas for optimal risk management. But where is the right place to start? Here’s a look at four of the most important steps to take:
- Define clear roles and responsibilities
DORA outlines that management bodies will be expected to maintain an active role in adapting their ICT risk management framework and overall operational resilience strategy. Board members and executive leaders are responsible for defining, approving and overseeing the implementation of all arrangements related to the ICT risk management framework, including setting clear expectations and roles. Among others, these overarching responsibilities include putting policies in place that will ensure the highest standards of availability, authenticity, integrity and confidentiality, of data as well as setting clear roles and responsibilities for all ICT-related functions. They will also need to establish appropriate governance arrangements to ensure timely communication, cooperation and coordination across all of those functions and roles. - Implement a periodic review of the ICT Business Continuity Policy and ICT Disaster Recovery Policy
Implementing a regular review cadence for ICT business continuity and disaster recovery policies is crucial for effective risk management oversight. According to DORA, “financial entities shall regularly review their ICT Business Continuity Policy and ICT Disaster Recovery Plan taking into account the results of tests carried out in accordance with recommendations stemming from audit checks or supervisory reviews.” With regulatory technical standards outlining the need for organizations to design their IT infrastructure and business continuity measures to achieve less than 2 hours of downtime, moving to this model is a critical way to meet this challenge. Implementing these changes will help ensure they get the right people, processes and technology in place for compliance, stay ahead of current threats, and achieve business continuity amidst the ever-changing threat and regulatory landscape. - Allocate and consistently review budget related to fulfilling digital operational resilience needs
Preparing for a new set of regulations requires the right resources to be effective. As an example, DORA requires a crisis management function that implements clear procedures to manage internal and external crisis communications in accordance with Article 13. As organizations look to implement new digital operational resilience capabilities, they need to prioritize allocating enough budget to fully address risks and implement new technologies and processes. But since security risks and new vulnerabilities are always evolving, as are regulations, there should also be a periodic review of budgeting to ensure security concerns are adequately addressed at any given time. - Implement ICT security tools and processes
Any DORA-focused preparations need to take tools and processes into account. Organizations need to consider legacy systems like the mainframe as well as vulnerabilities that might be leaving the business exposed to excessive risk. Particularly as systems evolve, implementing the right security tools is critical to identifying and managing mainframe vulnerabilities. Precise vulnerability management tools, penetration testing, and compliance assessments are a few of the critical technologies and processes a business should consider for optimal risk management oversight.
Rocket Software brings a unique set of solutions that are ready to help modernize and secure critical IT infrastructure, whether it’s legacy systems, hybrid cloud, or cloud-based to help keep up with evolving demands. Partnering with Rocket Software can help any organization when it comes to vulnerability management, penetration testing and compliance assessments, as well as securing open-source languages and tools, managing and recovering your data and automating the health of the DevOps ecosystem.
