Exploring DORA: Analysing the impact of the Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) has recently come into force. We have looked at the problems it is helping infosec professionals solve and the opportunities it provides.
The purpose of DORA is to address risks posed by the financial sector’s reliance on third-party IT vendors. This is achieved by enforcing regulated entities to follow bloc-wide rules for the protection, detection, containment, recovery, and repair of capabilities against IT-related incidents. Bloc-wide rules establish an oversight framework for critical third-party providers and a consolidation and upgrade of IT risk mandates throughout the financial sector, leading to a common set of standards designed to reduce IT risk which everyone can follow.
Risk Management:
An internal governance and control framework will be enforced by DORA to ensure close management of IT risk is delivered and demonstrated. The Management team of the entity ultimately holds responsibility for ensuring this is established and maintained.
Incident Reporting:
While the goal of DORA is mitigation and prevention of incidents, there is of course a recognition that not everything can be avoided. Appropriate procedures and processes with documented roles and responsibilities must be established therefore to ensure the end to end lifecycle of incidents are identified, monitored, mitigated, remediated and learnt from to ensure the risk of reoccurrence is prevented or minimised.
Testing:
Regular testing will be essential to ensure IT remains free from common vulnerabilities and attack routes, as well as the response procedure underlying this is well rehearsed and understood. Given the rate and intensity of change in digital environments, annual testing will no longer suffice and instead organisations will look to the most efficient manner of reviewing environments and setups quarterly.
Third Party Risk:
For years one of the greatest risks to organisations has been that presented by their third-party IT providers. DORA encourages organisations to manage and document IT third-party risk as a key component of their risk management plan.
Demonstration of full adherence to DORA standards will be required by January 2025 when it becomes enforceable.
If you work in risk management within the financial industry and are looking to understand what DORA means for you, and the key steps you should take to ready yourself for its impact on your organisation and your role then please email NorthCap at hello@northcap.io
