StorageGuard - by Continuity™ - is the ONLY Security Posture Management solution for Storage & Backups, helping to ensure these systems are securely configured, and compliant with industry & security standards.
The EU Digital Operational Resilience Act (DORA) marks a pivotal milestone in safeguarding the financial sector from the growing threat of cyberattacks.
Designed to bolster the digital resilience of financial institutions, DORA emphasizes securing ICT assets—hardware and software within networks and information systems—while ensuring rapid recovery from security incidents. With its effective date set for 17 January 2025, organizations must act swiftly to achieve compliance.
In this blog series, we’ll explore DORA’s impact on storage and backup platforms, which lie at the heart of operational resilience strategies.
This first post will focus on the DORA ICT Risk Management chapter and the associated technical requirements, particularly for storage and backup systems.
DORA introduces comprehensive requirements for ICT Risk Management, emphasizing the need to safeguard critical ICT assets from cyber threats, and recover swiftly from disruptions to ensure operational resilience.
Storage and backup systems are among the most mission-critical ICT assets: they hold nearly all of an organization's information assets, including sensitive financial data, and they house the data copies on which rapid cyber-recovery (CR) and disaster recovery (DR) depend.
Both storage and backup systems support critical functions and are vital to maintaining operational resilience.
As an InfoSec manager or IT leader responsible for the cyber-security and operational resilience of your organization’s storage and backup platforms, you should familiarize yourself with the following DORA requirements:
| Document | What it covers |
|---|---|
| DORA ICT Risk Management chapter | This chapter outlines the requirements for controlling the security of ICT systems |
| DORA Regulatory Technical Standards [JC 2023 86] | This complementary document details technical requirements and required processes, such as secure configuration baselines, hardening and vulnerability assessments |
| DORA Digital Operational Resilience Testing chapter | This chapter outlines requirements for testing that systems withstand cyber threats |
| Article | Requirement in a nutshell |
|---|---|
| 6 | minimize the impact of ICT risk by deploying tools |
| 7 | use and maintain updated ICT systems, protocols and tools |
| 8 | assess ICT vulnerabilities … on a regular basis, and at least yearly… |
| 8 | perform a risk assessment upon each major change in the network and information system infrastructure |
| 8 | identify all ICT assets, including network resources and hardware equipment |
| 8 | map the configuration of the ICT assets |
| 9 | continuously monitor and control the security of ICT systems … minimise the impact of ICT risk through the deployment of appropriate ICT security tools |
| 9 | implement ICT security tools that aim to ensure the resilience, continuity and availability of ICT systems… maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit… |
| 9 | develop rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets |
| 9 | limit the logical access to information assets and ICT assets |
| 9 | strong authentication mechanisms |
| 9 | implement controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters… |
| 12 | When restoring backup data, use ICT systems that are physically and logically segregated from the source ICT system. The ICT systems shall be securely protected from any unauthorized access or ICT corruption. |
| 13 | have in place capabilities and staff to gather information on vulnerabilities |
| 16 | continuously monitor the security and functioning of all ICT systems… minimise the impact of ICT risk through the use of sound, resilient and updated ICT systems, protocols and tools… protect availability, authenticity, integrity and confidentiality of data in the network and information systems |
1. Do we have processes and automation for gathering vulnerability information on, and detecting vulnerabilities in, our Storage & Backup systems?
2. Do we have processes and automation for detecting risks (e.g. misconfigurations, security weaknesses) introduced by a Storage or Backup system change?
3. Do we have up-to-date configuration mapping for Storage and Backup platforms, including software, firmware, hardware, system parameters and security parameters?
4. How do we ensure that at least one backup data copy is physically and logically segregated?
5. How do we continuously maintain high standards of availability, authenticity, integrity and confidentiality of data at rest and in transit? Do we have rules for strong authentication, limited logical access, updated software/firmware, updated protocols, backup data segregation, and so on?
6. What tools do we have to continuously control the security of ICT systems?
If you can confidently answer “yes” to these questions, you’re on the right track toward DORA compliance!
The next item we shall explore is the DORA-mandated Regulatory Technical Standards (RTS) [JC 2023 86]. Complementing the main act, the RTS specify technical measures for ICT risk management. They explicitly mention data storage, emphasizing the need to:
“Ensuring the security of data, systems, and networks is crucial… This involves implementing security measures for software, data storage media, systems, and endpoint devices”.
The following table reviews key RTS requirements:
| Article | Requirement in a nutshell |
|---|---|
| 6 | rules for the encryption of data at rest and in transit |
| 6 | rules for the encryption of internal network connections |
| 7 | cryptographic key management |
| 10 | maintain awareness about vulnerabilities… identify and evaluate available software and hardware patches and updates using automated tools |
| 11 | identification of a secure configuration baseline for ICT assets that will minimise their exposure to cyber threats, and measures to verify regularly that these baselines are those that are effectively deployed. The secure configuration baseline shall take into account leading practices and appropriate techniques referred to in standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 |
| 12 | level of detail of the logs… retention period… secure and handle the log data… |
| 13 | separate and dedicated network for the administration of ICT assets |
| 13 | terminate system and remote sessions after a predefined period of inactivity |
| 13 | the implementation of a secure configuration baseline of all network components and hardening the network and network devices according to vendor instructions, to, where applicable, standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 and leading practices |
| 14 | implement the policies, procedures, protocols and tools to protect information in transit |
| 21 | provisions on restrictions of access to ICT assets |
1. Have we identified and implemented a secure configuration baseline for Storage and Backup systems?
2. Do we have "measures to verify regularly that these baselines are those that are effectively deployed"?
3. Do our baselines take into account "leading practices and appropriate techniques referred to in standards"? And vendor hardening instructions?
4. Are we meeting the specific technical requirements outlined by the RTS?
   - Storage / Backup systems encrypt data at rest
   - Storage / Backup systems encrypt data in transit
   - Encryption keys are kept securely
   - Logging is configured with sufficient detail and retention
   - GUI / CLI idle sessions are terminated
   - Data and management traffic are separated onto different network interfaces
   - Storage / Backup access is restricted (RBAC, firewall, ACL, MFA, …)
A positive response to these questions signals progress toward RTS compliance.
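Two of the questions above, "measures to verify regularly that these baselines are those that are effectively deployed" (RTS Art. 11) and, from the first checklist, detecting risks introduced by a Storage or Backup change (DORA Art. 8), come down to the same mechanism: a machine-readable baseline, a collector that snapshots the live configuration, and a comparison that flags drift and change-induced regressions. The Python below is an added example written for this post; it is not Continuity's or StorageGuard's code. The attribute names (`data_at_rest_encryption`, `tls_min_version`, `mgmt_interfaces`, …), the thresholds (15-minute idle timeout, 180-day log retention) and both configuration snapshots are hypothetical stand-ins for the vendor-specific settings a real collector would read over the array's or backup server's CLI/API.

```python
"""Baseline-drift and change-regression check for storage/backup settings.

Added example, not Continuity's or StorageGuard's code. Every attribute
name and threshold below is an assumption standing in for the vendor-
specific setting a real collector would read from the system's CLI/API.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    id: str
    ref: str    # DORA / RTS article the control maps to
    text: str   # what the secure baseline requires
    check: Callable[[dict[str, Any]], bool]


def _tls_version(v: Any) -> tuple[int, ...]:
    """'1.2' -> (1, 2); anything unparsable is treated as version 0."""
    try:
        return tuple(int(p) for p in str(v).split("."))
    except ValueError:
        return (0,)


LEGACY_PROTOCOLS = {"smb1", "tlsv1.0", "tlsv1.1", "telnet", "ftp"}

# Hypothetical secure configuration baseline for a storage/backup system.
BASELINE: list[Rule] = [
    Rule("at-rest-enc", "RTS Art. 6", "data at rest is encrypted",
         lambda c: c.get("data_at_rest_encryption") is True),
    Rule("tls-min", "RTS Art. 6 / 14", "management and data traffic require TLS >= 1.2",
         lambda c: _tls_version(c.get("tls_min_version")) >= (1, 2)),
    Rule("kms", "RTS Art. 7", "encryption keys held in an external key manager",
         lambda c: c.get("key_management") == "external_kms"),
    Rule("legacy-protocols", "DORA Art. 7", "no legacy protocols enabled",
         lambda c: "enabled_protocols" in c and
         LEGACY_PROTOCOLS.isdisjoint(p.lower() for p in c["enabled_protocols"])),
    Rule("audit-log", "RTS Art. 12", "audit logging on, forwarded, retained >= 180 days",
         lambda c: c.get("audit_logging") is True and c.get("syslog_forwarding") is True
         and int(c.get("log_retention_days", 0)) >= 180),
    Rule("mgmt-net", "RTS Art. 13", "administration on a dedicated network, separate from data",
         lambda c: bool(c.get("mgmt_interfaces")) and
         set(c["mgmt_interfaces"]).isdisjoint(c.get("data_interfaces", []))),
    Rule("idle-timeout", "RTS Art. 13", "GUI/CLI sessions time out within 15 minutes",
         lambda c: 0 < int(c.get("idle_session_timeout_min", 0)) <= 15),
    Rule("admin-access", "RTS Art. 21", "RBAC, MFA and source restriction for administrators",
         lambda c: c.get("rbac_enabled") is True and c.get("mfa_for_admins") is True
         and bool(c.get("admin_allowed_sources"))),
    Rule("segregated-copy", "DORA Art. 12", "a backup copy is physically and logically segregated",
         lambda c: c.get("segregated_copy") is True),
]


def evaluate(config: dict[str, Any], rules: list[Rule] = BASELINE) -> dict[str, bool]:
    """Rule id -> True if the control is effectively deployed. A missing or
    malformed attribute is a failure, never a crash: unverifiable != passing."""
    results: dict[str, bool] = {}
    for r in rules:
        try:
            results[r.id] = bool(r.check(config))
        except (KeyError, TypeError, ValueError, AttributeError):
            results[r.id] = False
    return results


def failures(config: dict[str, Any], rules: list[Rule] = BASELINE) -> list[Rule]:
    res = evaluate(config, rules)
    return [r for r in rules if not res[r.id]]


def regressions(before: dict[str, Any], after: dict[str, Any],
                rules: list[Rule] = BASELINE) -> list[Rule]:
    """Controls deployed before a change and missing after it: the change-
    triggered risk assessment of DORA Art. 8, in its simplest form."""
    b, a = evaluate(before, rules), evaluate(after, rules)
    return [r for r in rules if b[r.id] and not a[r.id]]


def changed_keys(before: dict[str, Any], after: dict[str, Any]) -> list[str]:
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def report(before: dict[str, Any], after: dict[str, Any], rules: list[Rule] = BASELINE) -> str:
    regressed = {r.id for r in regressions(before, after, rules)}
    lines = ["changed after deployment: " + ", ".join(changed_keys(before, after))]
    for r in failures(after, rules):
        tag = "REGRESSION" if r.id in regressed else "DRIFT"
        lines.append(f"{tag:10} {r.id:17} {r.ref:16} {r.text}")
    return "\n".join(lines)


# Constructed snapshot of a hypothetical storage array, as a collector might return it.
SNAPSHOT_BEFORE: dict[str, Any] = {
    "data_at_rest_encryption": True, "tls_min_version": "1.2", "key_management": "external_kms",
    "enabled_protocols": ["nfsv4", "smb3", "https"],
    "audit_logging": True, "syslog_forwarding": True, "log_retention_days": 365,
    "mgmt_interfaces": ["eth0"], "data_interfaces": ["eth1", "eth2"],
    "idle_session_timeout_min": 10, "rbac_enabled": True, "mfa_for_admins": True,
    "admin_allowed_sources": ["10.10.50.0/24"], "segregated_copy": True,
}
# The same system after a "routine" change that re-enabled SMB1 for a legacy
# host, dropped the TLS floor and disabled the idle timeout (constructed).
SNAPSHOT_AFTER: dict[str, Any] = {
    **SNAPSHOT_BEFORE,
    "enabled_protocols": ["nfsv4", "smb3", "https", "SMB1"],
    "tls_min_version": "1.0",
    "idle_session_timeout_min": 0,
}

if __name__ == "__main__":
    print(report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Run on the two constructed snapshots, the report lists the three attributes that changed and tags `tls-min`, `legacy-protocols` and `idle-timeout` as regressions, each with the RTS or DORA article it maps to; an empty snapshot fails every rule, which is the right answer when a collector cannot read a setting. The same evaluate/regressions pair runs unchanged against a backup server's snapshot, because the vendor-specific mapping lives in the collector, not in the rules.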
In the next blog post, we’ll present ways to solve DORA gaps you may be experiencing for your storage and backup systems, and also explore the Operational Resilience chapter.
Stay tuned!