Ensure EU Digital Operational Resilience Act Compliance
How Cybersecurity Asset Management Addresses Multiple DORA Requirements
With the ever-increasing dependence of the financial services industry on technology, information communication technologies (ICT) risks are a growing concern. The Digital Operational Resilience Act (DORA) (European Union (EU) Regulation 2022/2554) is the European Commission's effort to address the existing patchwork of digital operational resilience on an EU-wide level.
DORA entered into force on January 16, 2023, and the regulation will be enforceable 24 months later (January 16, 2025). Financial entities subject to the regulation will be expected to comply with DORA requirements by January 17, 2025.
Cybersecurity asset management addresses key aspects of DORA, playing a crucial role in your compliance efforts. This paper will cover the key capabilities of a cybersecurity asset management solution, as well as outline which aspects of DORA cybersecurity asset management solutions address and how.
This document is not a complete record of all the provisions and requirements outlined in DORA. You can find the complete text of DORA on EUR-Lex here.
What Is Cybersecurity Asset Management?
The primary goal of cybersecurity asset management is to gain a comprehensive understanding of an organization's digital assets in order to improve security and reduce risk. Effective cybersecurity asset management solutions enhance an organization's overall cybersecurity posture by providing a solid foundation for risk assessment, vulnerability management, access control, and incident response. It helps organizations make informed decisions about resource allocation and prioritization, ultimately contributing to better security operations.
Key components of a cybersecurity asset management solution include:
Asset Discovery and Inventory: Cybersecurity asset management solutions are designed to automatically discover and inventory all the assets within your organization's network. This includes computers, servers, routers, switches, mobile devices, and other IT, IoT, and OT assets. These solutions use methods such as network sensor-based data collection to identify and catalog assets as well as to map dependencies between assets and between assets and critical business functions.
Critical Business Function Identification: Cybersecurity asset management solutions use AI and data science to identify critical business functions. These functions are the core activities that keep an organization running smoothly and generating revenue. Identifying and prioritizing critical business functions is crucial for building cyber resilience, allocating security and IT resources, and developing effective business continuity and disaster recovery plans.
Real-Time Monitoring: Cybersecurity asset management solutions provide real-time monitoring of assets on your network. Continuously monitoring and tracking assets allows your organization to detect changes or anomalies in its IT environment, aiding in the early identification of potential security incidents.
Incident Response: In the event of a cybersecurity incident, cybersecurity asset management provides a foundation for incident response teams to quickly identify affected assets and take appropriate action to contain and mitigate the incident.
Compliance and Audit: Effective cybersecurity asset management is essential to prove that security policies and compliance requirements are met. Maintaining an accurate inventory of assets is often required to comply with regulatory requirements and for audit purposes. Additionally, understanding the location of sensitive data and its interaction with various assets is essential for data protection and compliance with data privacy regulations.
Vulnerability Management: Vulnerability scanning tools identify and assess vulnerabilities present in your organization's environment. This includes software vulnerabilities, misconfigurations, and other weaknesses that could be exploited by attackers. Cybersecurity asset management allows security teams to focus on addressing the most critical issues first by prioritizing vulnerable assets. It does this by evaluating the impacted asset’s connection to critical business functions and their interdependencies with other assets.
Business Continuity and Disaster Recovery: Understanding the full scope of your organization's digital assets allows for effective risk assessment. It is integral to developing robust continuity and recovery strategies, ensuring that essential assets are prioritized, protected, and efficiently restored in the event of a cybersecurity incident or disaster.
Risk Management: Accurate and constantly updated asset information, including known vulnerabilities and dependencies, enables your organization to assess potential risks associated with specific assets. You can prioritize security efforts, allocate resources effectively, and implement targeted measures to mitigate risks, enhancing your overall cybersecurity resilience.
Effective cybersecurity asset management enhances an organization's overall cybersecurity posture by providing a solid foundation for risk management, vulnerability management, and incident response. It helps organizations make informed decisions about resource allocation and prioritization, ultimately contributing to better security and more efficient IT operations.
How Can Cybersecurity Asset Management Help Enable DORA Compliance?
Broadly speaking, the parts of DORA that can be addressed by cybersecurity asset management are covered in Chapters 2 through 5. These chapters cover risk management, incident management, digital operational resilience testing, and managing third-party risk.
Risk Management Framework
According to DORA, financial entities must establish a robust risk management framework, including strategies, policies, procedures, and tools. The purpose of this framework is to ensure the protection of information and assets, with a focus on minimizing risk through appropriate strategies and protocols. The framework must be documented, reviewed annually, and subject to internal audits. The digital operational resilience strategy contained within this framework should outline risk tolerance levels, information security objectives, reference architecture, incident detection mechanisms, resilience testing, and communication strategies.
Within their risk management framework, financial entities must identify, classify, and document ICT-supported business functions, roles, responsibilities, information assets, and dependencies. They should review the adequacy of this classification yearly, continuously identify risk sources, assess cyber threats and vulnerabilities, and review risk scenarios at least yearly. Additionally, financial entities should perform risk assessments during major infrastructure changes, identify critical information and assets, document processes dependent on third-party service providers, and conduct specific risk assessments on legacy systems yearly.
Cybersecurity asset management helps you address this regulatory requirement through:
Asset Inventory Management: A comprehensive inventory of all digital assets and resources within an organization, including hardware, software, devices, web applications, cloud services, and network infrastructure. It uses sensors in your network to create a map of your IT infrastructure, including cloud, on-premises, and container-based assets. This gives you complete visibility into the true extent of your environment, including which assets are interdependent as well as your connections with third-party vendors and contractors. It gives you the visibility into your environment that you need to identify, evaluate, and prioritize potential risks to your organization.
Critical Business Function Identification: Critical business functions (CBFs) are the core activities that keep an organization running smoothly and generate revenue. In a financial institution, critical functions may include transaction processing, risk management, and regulatory compliance. Understanding which functions are critical allows you to identify which assets in your asset inventory are required to enable that part of the business to function and focus your resources and efforts on protecting these areas.
Vulnerability Management: Identify, evaluate, and prioritize weaknesses in a system, network, or application by scanning your organization's assets and systems to identify vulnerabilities that could be exploited by attackers. It assesses vulnerabilities based on their severity and the effectiveness of existing controls, helping you make informed decisions to manage or mitigate risks and achieve optimal operational resilience.
Protection and Prevention
According to DORA, in order to protect ICT systems financial entities must continuously monitor and control system security, minimize risk through appropriate security tools and policies, and design and implement security measures ensuring resilience, continuity, and high standards of data integrity and confidentiality. As part of their risk management framework, financial entities should develop and document information security policies, establish network and infrastructure management structures, implement access controls, deploy strong authentication mechanisms, and have policies in place for change management and patches to address cybersecurity risks and ensure the secure functioning of their systems.
Cybersecurity asset management helps you address this regulatory requirement through:
Continuous Monitoring: Cybersecurity asset management continuously monitors your environment and detects changes in your IT technology and vulnerabilities. This ongoing process ensures a dynamic and up-to-date understanding of your organization's security posture.
Data Protection: Cybersecurity asset management can track assets that contain sensitive data and their interaction with other assets, which is essential for data protection and compliance with data privacy regulations.
Anomaly Detection
According to DORA, financial entities must establish mechanisms for promptly detecting anomalous activities, network performance issues, and potential single points of failure. They must regularly test these detection mechanisms, and ensure multiple layers of control with defined alert thresholds for initiating incident response processes, including automatic alerts for relevant staff. They should allocate adequate resources to monitor user activity, ICT anomalies, and incidents, especially cyberattacks.
Cybersecurity asset management helps you address this regulatory requirement through:
Tracking and Monitoring: Cybersecurity asset management continuously monitors and tracks assets, allowing your organization to quickly detect changes or anomalies in its IT environment, aiding in the early identification of potential security incidents.
Response & Recovery
According to DORA, financial entities must establish a business continuity policy and implement it through documented arrangements, plans, and procedures to ensure the continuity of critical functions, respond to ICT incidents effectively, activate containment measures, estimate impacts, and communicate during crises. They should conduct business impact analyses, test business continuity plans yearly, review policies regularly, and, if applicable, maintain a crisis management function.
Financial entities must gather information on vulnerabilities, cyber threats, and ICT-related incidents, conducting post-incident reviews to analyze disruptions, implement improvements, and communicate changes to competent authorities. Lessons from digital operational resilience testing and real-life incidents should inform continuous improvements to the risk assessment process. Monitoring the effectiveness of the digital operational resilience strategy and reporting findings to the management body is essential, and comprehensive ICT security awareness programs and training must be developed for all employees and senior management.
Cybersecurity asset management helps you address this regulatory requirement through:
Business Continuity and Disaster Recovery Planning Support: Cybersecurity asset management gives you the complete visibility into your IT infrastructure you need to create an effective BCDR plan and perform successful testing. In addition to having an asset inventory, cybersecurity asset management can identify your critical business functions, which assets are required for those functions to work properly, and understand how your assets are interconnected. This information is vital to understanding which parts of your environment are most critical. It gives you the information you need to build an effective BCDR plan and be truly resilient.
Incident Management
According to DORA, financial entities must establish and implement an incident management process, putting in place early warning indicators, categorization of incidents, role assignments, communication plans, and response procedures to prevent and mitigate the impact of incidents. The process should cover the detection, categorization, communication, and response to incidents in order to ensure timely resolution and reporting to relevant authorities and stakeholders.
Cybersecurity asset management helps you address this regulatory requirement through:
Incident Response: Cybersecurity asset management enhances incident response capabilities by providing complete visibility into your IT environment along with proactive vulnerability management. In the event of a cybersecurity incident, cybersecurity asset management provides a foundation for incident response teams to quickly identify affected assets and take appropriate action to contain and mitigate the incident. After an incident, it supports comprehensive forensic analysis so that lessons learned can be documented and incorporated into improving procedures and policies.
Digital Operational Resilience Testing
According to DORA, financial entities are required to develop and maintain a comprehensive digital operational resilience testing program. It should follow a risk-based approach and use independent testing to identify and address weaknesses and deficiencies in its ICT systems that support critical functions. These entities must conduct these tests at least yearly, establishing procedures to prioritize and remedy issues, contributing to their overall digital operational resilience.
Cybersecurity asset management helps you address this regulatory requirement through:
Realistic and Customized Testing: Cybersecurity asset management provides a comprehensive understanding of an organization's digital assets. Using this, your organization can identify critical components and dependencies, allowing you to design realistic testing scenarios that assess the impact of potential disruptions on your operations. This proactive testing helps enhance operational resilience by identifying vulnerabilities, improving response capabilities, and ensuring the continuity of essential functions in the face of various challenges.
Managing Third-Party Risk
According to DORA, as part of their risk management framework, financial entities are required to adopt a third-party risk strategy, maintain a register of information on contractual arrangements, and report to competent authorities yearly, ensuring that contractual arrangements are appropriately documented and comply with information security standards.
Cybersecurity asset management helps you address this regulatory requirement through:
Identify Connections With Third-Party Vendors and Contractors: Cybersecurity asset management gives you complete visibility into the true extent of your environment, including third-party vendors and contractors whose systems are connected to or communicating with assets in your environment. This comprehensive list of external vendors allows you to accurately understand your third-party dependencies and measure your third-party risk.
Conclusion: Improve Overall Cybersecurity & Compliance
Cybersecurity asset management plays a crucial role in enabling compliance with the Digital Operational Resilience Act (DORA) by addressing key aspects.
Supports a robust risk management framework through asset inventory management, critical business function identification, and vulnerability management, allowing financial entities to assess, prioritize, and manage risks effectively.
Continuous monitoring, access control, and data protection contribute to securing ICT systems.
Tracking and monitoring assets facilitates early detection of anomalies and potential security incidents.
Supports business continuity and disaster recovery planning, incident management, and digital operational resilience testing, enhancing an organization's overall resilience.
Independently identifies third-party vendors and contractors to help financial entities understand and mitigate associated risks, ensuring compliance with DORA's requirements.
Overall, accurate and constantly updated asset information, including known vulnerabilities and dependencies, enables your organization to assess potential risks associated with specific assets and critical business functions. You can prioritize security efforts, allocate resources effectively, and implement targeted measures to mitigate risks, enhancing your overall cybersecurity resilience.
