Close Sidebar
COPYRIGHT © PROFESSIONAL EVALUATION AND CERTIFICATION BOARD 2021 ALL RIGHTS RESERVED
Now Reading
Navigating DORA: Practical Steps for ICT Suppliers
Search for content, post, videos
Search for content, post, videos

Navigating DORA: Practical Steps for ICT Suppliers

September 10, 2024

In today’s landscape, operational resilience is crucial, especially for financial services reliant on information and communication technology (ICT). The Digital Operational Resilience Act (DORA) aims to fortify this resilience by setting regulatory requirements for financial institutions and their ICT suppliers. DORA is more than just a regulation—it is a shift in how we handle digital security, pushing us to be proactive and robust in our cybersecurity efforts.

When I first encountered DORA, I was unsure about its implications and requirements. However, as I delved deeper, I realized its transformative potential for our industry. Now, I want to share my insights to help you navigate these new regulations effectively. This article outlines practical steps ICT suppliers, especially critical suppliers, can take to comply with DORA and enhance their service offerings.

A major banking client recently emphasized the importance of DORA compliance, stating they would return to us, specifically because of our adherence to these regulations, despite not being a critical ICT supplier. This highlights the growing demand for compliant and resilient ICT suppliers in the financial sector. By understanding and implementing DORA’s requirements, you position your organization as a trustworthy and reliable partner.This journey involves critical thinking and a strategic approach. Here are the steps you need to follow to navigate DORA compliance effectively.

Step 1: Conducting a Risk Assessment

Identifying ICT Risks

The first step in navigating DORA is performing a comprehensive risk assessment. This involves identifying potential ICT risks that could compromise your operational resilience.

Start by mapping all ICT assets and processes supporting financial services. For example, consider a scenario where a financial institution’s core banking system experienced a cyber-attack, causing a significant disruption. Understanding these risks allows you to prioritize efforts and resources effectively. During one assessment, we discovered that a key supplier’s outdated security protocol posed a significant vulnerability. By addressing this, we not only improved our security posture but also increased our relationship with the client by demonstrating proactive risk management

Assessing Current Security Measures

After identifying the risks, assess your current security measures. Evaluate the effectiveness of existing controls and identify any gaps. For instance, we once found that our incident response plan lacked detailed procedures for communicating with stakeholders during an outage. This realization led us to enhance our communication protocols, ensuring that all parties are promptly informed during incidents.

This assessment might include reviewing cybersecurity policies, incident response plans, and disaster recovery procedures. One practical tip is to conduct a “tabletop exercise” where your team simulates a cyber incident. This exercise can reveal weaknesses in your response strategies and provide valuable insights for improvement. This assessment provides a baseline for developing a robust compliance strategy, ensuring you are well-prepared to meet DORA’s requirements

Step 2: Developing a Compliance Strategy

Setting Compliance Goals

With a clear understanding of ICT risks and your current security posture, the next step is to set your compliance goals. These goals should align with DORA’s requirements and be tailored to your organization’s specific needs. For instance, one of our goals was achieving full compliance with incident reporting requirements. We realized that improving our incident detection and reporting systems was crucial for meeting DORA standards and maintaining client trust. Another goal might be enhancing your ICT risk management framework. We worked with a financial services provider that wanted to improve the resilience of their critical systems.

Creating an Implementation Plan

Developing a comprehensive implementation plan is key to achieving your compliance goals. This plan should outline the steps to take, assign responsibilities, and set timelines for completion. For example, when we aimed to enhance our incident reporting system, our plan included steps like upgrading our monitoring tools, training staff on new reporting protocols, and conducting regular drills. Include key milestones to track progress and ensure adherence to the schedule.

For instance, we set quarterly milestones to review our progress on reducing system downtime, allowing us to make adjustments as needed.

Allocate the necessary financial and human resources to support your compliance efforts. In one project, we identified that additional cybersecurity experts were needed to implement advanced threat detection technologies. By securing the budget and hiring the right talent, we ensured that our implementation plan was feasible and effective.

Step 3: Implementing ICT Risk Management

Establishing Policies and Procedures

Effective ICT risk management begins with establishing policies and procedures that cover all aspects of risk management, including identification, assessment, mitigation, and monitoring. When we first started, the policies were scattered and not well-documented. This lack of clarity led to confusion during a minor cyber incident, causing delays in our response. Learning from this, we decided to overhaul our documentation.

We adopted best practices from recognized standards, such as ISO/IEC 27001, to structure our policies. This included creating a comprehensive risk management framework that clearly defined roles and responsibilities. For instance, one policy outlined steps for regularly updating and patching software, which helped prevent vulnerabilities from being exploited.

Document these policies clearly and ensure they are easily accessible to all relevant stakeholders. In our case, we implemented an internal portal where employees could quickly find any policy or procedure. This approach improved adherence and made our risk management.

Training and Awareness Programs

A critical component of ICT risk management is ensuring that all staff are aware of the policies and procedures and understand their roles in maintaining operational resilience. Regular training boosts compliance and preparedness. Develop training programs that cover DORA’s requirements and specific policies and procedures relevant to your organization. We started with an initial training session that introduced DORA and its implications. Then, we developed role-specific modules—technical teams learned about advanced threat detection, while the executive team focused on strategic decision-making during crises.

Regular training sessions and awareness campaigns are essential to maintain a high level of vigilance across the organization. For example, we conducted quarterly simulations of cyber incidents to test our response plans. These exercises revealed gaps and allowed us to improve our protocols continuously.

Additionally, awareness campaigns through emails, posters, and internal newsletters kept the importance of cybersecurity front and center. We also shared real-world examples of breaches and their impacts to highlight the importance of adherence to policies.

Step 4: Incident Management and Reporting

Developing Incident Response Plans

Incidents are inevitable, but a well-prepared organization can significantly mitigate their impact. A comprehensive incident response plan is crucial. During a simulated cyber-attack, we realized our initial response plan lacked clarity on roles and responsibilities, leading to confusion. This experience highlighted the need for a detailed, well-documented plan.

Your incident response plan should outline steps to take in the event of an ICT incident. Include procedures for detecting, reporting, responding to, and recovering from incidents. For example, our plan specifies that the IT security team is responsible for initial detection and containment, while the communication team handles external notifications.

Regularly test and update your incident response plans to ensure their effectiveness. We conduct bi-annual drills simulating different types of incidents, such as ransomware attacks or data breaches.

These drills help identify weaknesses and areas for improvement. After each drill, we update our plans based on the lessons learned.

Reporting Mechanisms

DORA requires financial entities and their ICT suppliers to establish incident reporting mechanisms. This was underscored by a real incident where quick reporting helped us mitigate further damage and maintain client trust. Ensure you have systems in place to detect and report incidents promptly.For instance, we implemented a centralized monitoring system that provides real-time alerts for any suspicious activity. This system is integrated with our incident response plan, enabling immediate action.

Set up clear communication channels and protocols for escalating incidents to the appropriate authorities. During one breach, our predefined communication protocols allowed us to quickly inform both internal stakeholders and regulatory bodies, minimizing the incident’s impact. Timely and accurate reporting is not only a regulatory requirement but also a key aspect of maintaining client trust.

Step 5: Continuous Monitoring and Improvement

Regular Audits and Reviews

Compliance is an ongoing process, not a one-time effort. Conducting regular audits and reviews of your ICT risk management practices and DORA compliance is key.

For example, we schedule quarterly audits to evaluate our security controls and compliance status. These audits help identify areas for improvement and ensure that our controls remain effective. During one audit, we discovered that our encryption protocols were outdated. This finding prompted us to upgrade our encryption methods, enhancing our overall security posture. Use the findings from these audits to update your policies and procedures as needed. Regular reviews also help ensure that any new vulnerabilities or threats are promptly addressed.

Adapting to Regulatory Changes

The regulatory landscape is constantly evolving, making it essential to stay informed about changes to DORA and other relevant regulations. DORA represents the European Union’s effort to standardize cybersecurity and operational resilience across key sectors. This new regulation will serve as a benchmark for global cybersecurity standards, influencing policies beyond Europe with their approach to digital resilience. Just as the General Data Protection Regulation (GDPR) revolutionized data privacy and protection standards worldwide, DORA is poised to do the same for cybersecurity and resilience. GDPR became the global gold standard for data laws, fundamentally changing how companies handle data privacy. Similarly, DORA is set to reshape cybersecurity practices globally.DORA is designed to be pragmatic, emphasizing reasonable and proportionate measures. While demonstrating pragmatism directly can be challenging, you can showcase your commitment by effectively mitigating risks. This means implementing practical, scalable security measures that address identified risks comprehensively and efficiently, thereby, aligning with the regulatory expectations. Ultimately, monitoring future authority decisions on the pragmatism of audited companies will help you to refine your approach.

Conclusion

Navigating DORA compliance requires a proactive, pragmatic, and systematic approach. By conducting thorough risk assessments, developing a compliance strategy, implementing ICT risk management, preparing for incidents, and continuously monitoring and improving your practices, you can ensure compliance with DORA and enhance your operational resilience.

Implementing pragmatic standards, such as ISO/IEC 27001 and ISO 22301 align well with DORA’s requirements and provide a practical framework for managing information security and business continuity.These steps not only help meet regulatory requirements but also position you as a trustworthy and reliable partner in the financial services sector. Now is the time to take action and embrace the opportunities that DORA compliance brings. Take ownership of your compliance journey by identifying the critical controls necessary for your organization and seeking additional budgets with DORA in mind. This proactive stance ensures that you have the required resources to meet compliance effectively. Moreover, by positioning yourself as a leader in compliance before the full enforcement of new directives, you gain a first-mover advantage that sets industry benchmarks and offers a competitive edge. Thus, your marketing and sales teams should capitalize on your early compliance efforts, targeting sectors such as finance and banking and showcasing your commitment to security and resilience. Highlighting your proactive stance on DORA compliance can significantly enhance your market position.

Christophe Mazzola

CISO, Cybersecurity Consultant, GRC Specialist, Auditor, Speaker, and Trainer In a career transition marked by an unwavering commitment to the realms of cybersecurity and digital risk management, Christophe gracefully exchanged the cape of a computer scientist for the distinguished mantle of a cyber threat hunter with the honorary title of Chief Information Security Officer (CISO). Hailing from a town that once embraced an identity of lawlessness, affectionately christened "Nameless-Town" during a period of revolutionary fervor, Christophe’s persona mirrors the raw, unconventional spirit of his place of origin. Over a decade spent in the landscapes of Belgium was motivated by a deep-seated love for the nation's culinary treasures, particularly its renowned fries, rather than the intricacies of Belgian taxation. Earning a coveted risk management diploma from the esteemed HarvardX, he primarily channels his expertise into offering CISO-as-a-Service/vCISO, audit, and ISO/IEC 27001 certification preparation services. As an educator, he adeptly navigates the complex terrain of the ISO/IEC 27000 family of standards, sharing his insights through training sessions, and gracing various forums as a knowledgeable speaker and panelist. Epitomizing a harmonious blend of cybersecurity expert, part-time DJ, devoted father, and self-appointed coach of Olympique de Marseille, Christophe passionately embraces opportunities to share the experiences of life, the intricacies of security, and the rhythms of music. Malcolm Xavier Cybersecurity Lead Malcolm Xavier has been working in the digital industry for over 18 years. He has worked with Global Clients in South Africa, the United States, and the United Kingdom. He has achieved many professional certifications like CISSP, Google Cloud Practitioner, TOGAF, Azure Cloud, ITIL v3, etc. His core competencies include IT strategy, cybersecurity, IT infrastructure management, data center migration and consolidation, data protection and compliance, risk management and governance, and information security program development and management.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts