{"id":45595,"date":"2023-10-13T14:48:50","date_gmt":"2023-10-13T12:48:50","guid":{"rendered":"https:\/\/www.usd.de\/?p=45595"},"modified":"2023-10-13T14:48:53","modified_gmt":"2023-10-13T12:48:53","slug":"dora-5-tips-on-what-to-consider-during-planning","status":"publish","type":"post","link":"https:\/\/www.usd.de\/en\/dora-5-tips-on-what-to-consider-during-planning\/","title":{"rendered":"Are You Ready for DORA? If Not, Here\u2019s 5 Tips on What to Consider during Planning"},"content":{"rendered":"\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:70%\">\n<p>The <a href=\"https:\/\/www.usd.de\/en\/security-consulting\/information-security-in-finance\/dora\/\">Digital Operational Resilience Act (DORA)<\/a> is a <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX%3A32022R2554&amp;qid=1673554022989\" target=\"_blank\" rel=\"noopener\">regulatory framework<\/a> that aims to ensure the operational resilience of financial institutions in the European Union. While DORA came into force on January 16, 2023, organizations were granted two years to implement its security requirements. If your institution is affected by DORA, you are probably wondering what your next steps should be to get ready. To help you get a head start, our expert for information security in the financial sector, <strong>Dr. Christian Schwartz<\/strong>, has compiled five tips on what you should consider first while preparing for DORA. 
While none of these starting points may be the most obvious at first, each one will have a great impact on your organization\u2019s implementation of DORA requirements and, if taken into account early on, can save you a lot of time and effort later.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:30%\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"768\" src=\"https:\/\/www.usd.de\/wp-content\/uploads\/Christian-Schwartz_rund.jpg-1024x768.png\" alt=\"Dr. Christian Schwartz, DORA expert\" class=\"wp-image-33514\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">1. Re-evaluate your method for classifying services by criticality<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Reason: <\/strong><\/h4>\n\n\n\n<p>\u201cCritical or important services\u201d are subject to a number of additional requirements (e.g., regarding BCM, Vulnerability Management, ICS, Resilience Testing).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Opportunities: <\/strong><\/h4>\n\n\n\n<p>Ensuring the correct classification as \"critical or important\"<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>provides leverage for the effort of ensuring compliance with the aforementioned requirements and<\/li>\n\n\n\n<li>ensures the existing risk for critical or important services is effectively managed.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Estimated effort:<\/strong><\/h4>\n\n\n\n<p><strong>Design:<\/strong> Medium <a id=\"_ftnref1\" href=\"#_ftn1\">[1]<\/a><\/p>\n\n\n\n<p><strong>Implementation:<\/strong> Medium (scales with number of services)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
Implement the changes to the information register required for ICT third-party risk management<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Reason: <\/strong><\/h4>\n\n\n\n<p>A comprehensive and up-to-date information register is a prerequisite for compliance with DORA regarding ICT third-party risk management.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Opportunities: <\/strong><\/h4>\n\n\n\n<p>Provides the foundation for<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>effective ICT third-party risk management and<\/li>\n\n\n\n<li>handling of incidents involving ICT third-party service providers.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Estimated effort:<\/strong><\/h4>\n\n\n\n<p><strong>Design:<\/strong> Large<\/p>\n\n\n\n<p><strong>Implementation:<\/strong> Large (scales with number of ICT third-party service providers and contracts)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Consolidate contractual arrangements with ICT third-party service providers regarding operational resilience<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Reason: <\/strong><\/h4>\n\n\n\n<p>DORA (especially the consultation paper for the Regulatory Technical Standard \"for specifying the detailed content of the policy on the contractual arrangements regarding the use of ICT services supporting critical or important functions provided by ICT third-party service providers\") contains explicit requirements on the contractual arrangements.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Opportunities: <\/strong><\/h4>\n\n\n\n<p>Updating existing contractual obligations (and defining a default for new contractual arrangements)<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ensures compliance with DORA regarding the use of ICT third-party service providers and<\/li>\n\n\n\n<li>provides a chance to align contractual arrangements and reduce the number of edge cases during ICT third-party risk 
management.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Estimated effort:<\/strong><\/h4>\n\n\n\n<p><strong>Design:<\/strong> Medium<\/p>\n\n\n\n<p><strong>Implementation:<\/strong> Large (scales with number of ICT third-party service providers and contracts)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. Update incident response processes to address DORA requirements, especially regarding incident reporting<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Reason: <\/strong><\/h4>\n\n\n\n<p>In addition to requiring specific approaches during incident management (e.g., considering specific properties during incident classification, such as direct and indirect damages, impacted countries, etc.), DORA also requires incident reports to be submitted within a short time frame and to include detailed information regarding the incident (both the time frame and the required information have yet to be determined by an RTS).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Opportunities: <\/strong><\/h4>\n\n\n\n<p>Early alignment of the incident response process with asset and information registers makes it possible<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>to ensure that all information required for classification is available from those registers and<\/li>\n\n\n\n<li>to reuse correlated information, e.g., to determine risk-based prioritization for threat-led penetration testing.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Estimated effort:<\/strong><\/h4>\n\n\n\n<p><strong>Design:<\/strong> Medium<\/p>\n\n\n\n<p><strong>Implementation:<\/strong> Large (scales with number of services)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Tailor the approach for digital operational resilience testing<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Reason: <\/strong><\/h4>\n\n\n\n<p>The scale and selection of resilience testing can be determined in line with the proportionality principle and the risk profile of the financial entity.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Opportunities: <\/strong><\/h4>\n\n\n\n<p>Implement digital operational resilience testing while<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>leveraging the attention DORA receives to put a strong, risk-based focus on ICT services exposed to actual risk and<\/li>\n\n\n\n<li>reducing the potential overall effort by focusing the majority of testing on critical or important systems <a id=\"_ftnref2\" href=\"#_ftn2\">[2]<\/a>.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Estimated effort:<\/strong><\/h4>\n\n\n\n<p><strong>Design:<\/strong> Medium<\/p>\n\n\n\n<p><strong>Implementation:<\/strong> Very large (scales with the number of services and especially critical or important services)<\/p>\n\n\n\n<p><em><a id=\"_ftn1\" href=\"#_ftnref1\">[1]<\/a> Compared to the total effort it will take your organization to design and implement all DORA requirements.<\/em><\/p>\n\n\n\n<p><em><a id=\"_ftn2\" href=\"#_ftnref2\">[2]<\/a> Note that relevance cannot rely solely on the business impact of individual systems but must also consider the possibility of lateral movement and pivoting by attackers.<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Do You Need Help?<\/h2>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-vertically-aligned-top is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:33.33%\">\n<figure class=\"wp-block-image 
size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"589\" src=\"https:\/\/www.usd.de\/wp-content\/uploads\/news-usd-AG-wie-werde-ich-Security-Consultant-1024x589.png\" alt=\"While two years may seem like plenty of time to prepare for DORA, we recommend you get started early and take it step by step. We are here for you if you need help or have any questions.\" class=\"wp-image-41057\" \/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<p>While it may seem like there is plenty of time left to prepare for DORA, we recommend you get started early and take it step by step. We are here for you if you need help or have any questions.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.usd.de\/en\/contact-form-security-consulting\/\"><strong>Get in touch<\/strong><\/a><\/p>\n<\/div>\n<\/div>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Digital Operational Resilience Act (DORA) is a regulatory framework that aims to ensure the operational resilience of financial institutions in the European Union. While DORA came into force on January 16, 2023, organizations were granted two years to implement its security requirements. 
If your institution is affected by DORA, you are probably wondering what [&hellip;]<\/p>\n","protected":false},"author":91,"featured_media":31853,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[410,373],"tags":[3971,3972],"class_list":["post-45595","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-financial-sector-compliance-en","category-news-en","tag-digital-operational-resilience-act-2","tag-dora-2"],"_links":{"self":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts\/45595","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/users\/91"}],"replies":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/comments?post=45595"}],"version-history":[{"count":4,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts\/45595\/revisions"}],"predecessor-version":[{"id":45696,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/posts\/45595\/revisions\/45696"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/media\/31853"}],"wp:attachment":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/media?parent=45595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/categories?post=45595"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/tags?post=45595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}