From the course: Cybersecurity Foundations

Resilience as an emerging approach

- [Instructor] The number of successful attacks on and technical failures of critical infrastructure has been a concern for governments for some time. While nations have focused on the full spectrum of their own critical infrastructures, the European Union has focused its efforts on the European financial sector. The result has been the enactment of the Digital Operational Resilience Act, or DORA for short. In order to achieve a high common level of digital operational resilience across the European financial sector, DORA establishes a common set of security requirements, including cyber risk management, cyber incidents, resilience testing, threat and vulnerability intelligence sharing and national cooperation, and third-party risk management. Risk management under DORA reflects existing best practice in cyber risk management. It requires a risk management body to be established with overall responsibility for the risk strategy, setting risk policy, and defining roles and responsibilities. This body would approve such things as business continuity, incident response plans, third-party services, and audits. Organizations are required to support risk management with a comprehensive set of information security policies. A documented risk management framework must be put in place, reviewed annually, and be included in the audit plan. The framework must specify the organization's risk tolerance and define key performance indicators for information security. Continuous risk assessment of business processes and their related technology must be carried out. Organizations should establish business continuity plans, which include business impact assessments, and they must regularly test their plans. Central securities depositories must have a geographically separated secondary processing site for enhanced resilience. Business continuity is one of the key aspects of the operational resilience focus of DORA.
Organizations should have a comprehensive incident management process and document how cyber incidents are detected, the plan for communicating about incidents, and they must provide evidence that this approach is effective. Incident management should include early warning indicators. Incidents should be prioritized and their response tracked, and root cause analysis should be carried out. DORA introduces a classification approach for incidents, which takes into account key aspects such as the duration of the incident, the criticality of the asset, and the economic impact of the incident. Major incidents will need to be reported to national and European authorities in a harmonized format. Ensuring effective and timely response to incidents is another key focus in DORA. Organizations are required to perform vulnerability assessments before any technology deployment into the financial infrastructure, and then maintain a comprehensive program of ongoing resilience testing. This will include vulnerability scans, analysis of any open source solutions which are in place, assessment of system, network and physical security, source code reviews, scenario-based and end-to-end testing, and compatibility and performance testing. DORA introduces the concept of an advanced Threat-Led Penetration Test, or TLPT, which must be performed by accredited TLPT testers at least once every three years. Testers will be expected to demonstrate specific expertise in utilizing threat intelligence and be competent in using penetration and red team testing techniques. Organizations must establish a comprehensive register of information detailing contractual arrangements with third parties. Third-party arrangements will be reported annually to national authorities, and in turn, to European authorities. Service providers will be required to provide access for inspections and audits.
Audits will assess various aspects of the service provider's security posture, including data protection, incident response capabilities, disaster recovery plans, and overall operational resilience. Cloud providers in particular must demonstrate adherence to DORA regulations regarding risk management, incident reporting, and digital operational resilience testing. DORA notes that financial entities may exchange threat intelligence within the trusted financial community. In addition, the European authorities will foster cooperation with non-European nations to promote the principles of DORA. DORA is a new act for the financial sector, but mostly just reflects existing best practices in information security, with greater emphasis on areas of resilience. Technical standards to provide common levels of protection are being developed and will be issued as delegated regulations for the EU. These will apply to both financial institutions and their service providers.