Yaniv Valik

Guide to DORA and its Impact on Storage & Backup ICT Assets – Part 1

  • December 23, 2024
  • 7 min read


The EU Digital Operational Resilience Act (DORA) marks a pivotal milestone in safeguarding the financial sector from the growing threat of cyberattacks.  

Designed to bolster the digital resilience of financial institutions, DORA emphasizes securing ICT assets—hardware and software within networks and information systems—while ensuring rapid recovery from security incidents. With its effective date set for 17 January 2025, organizations must act swiftly to achieve compliance. 

In this blog series, we’ll explore DORA’s impact on storage and backup platforms, which lie at the heart of operational resilience strategies.  

This first post will focus on the DORA ICT Risk Management chapter and the associated technical requirements, particularly for storage and backup systems. 

DORA introduces comprehensive requirements for ICT Risk Management, emphasizing the need to safeguard critical ICT assets from cyber threats, and recover swiftly from disruptions to ensure operational resilience.  

Storage and backup systems are among the most mission-critical ICT assets: they store nearly all information assets, including sensitive financial data, and they house the data copies that rapid cyber-recovery (CR) and disaster recovery (DR) depend on.  

Both storage and backup systems support critical functions and are vital to maintaining operational resilience. 

As an InfoSec manager or IT leader responsible for the cyber-security and operational resilience of your organization’s storage and backup platforms, you should familiarize yourself with the following DORA requirements: 

| Document | What it covers |
|---|---|
| DORA ICT Risk Management chapter | This chapter outlines requirements to control the security of ICT systems |
| DORA Regulatory Technical Standards [JC 2023 86] | This complementary document describes technical requirements and required processes, such as detailed secure configuration baselines, hardening, and vulnerability assessments |
| DORA Digital Operational Resilience Testing chapter | This chapter outlines requirements to ensure systems withstand cyber threats |
| Article | Requirement in a nutshell |
|---|---|
| | minimize the impact of ICT risk by deploying tools |
| | use and maintain updated ICT systems, protocols and tools |
| | assess ICT vulnerabilities … on a regular basis, and at least yearly… |
| | perform a risk assessment upon each major change in the network and information system infrastructure |
| | identify all ICT assets, including network resources and hardware equipment |
| | map the configuration of the ICT assets |
| | continuously monitor and control the security of ICT systems … minimise the impact of ICT risk through the deployment of appropriate ICT security tools |
| | implement ICT security tools that aim to ensure the resilience, continuity and availability of ICT systems… maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit… |
| | develop rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets |
| | limit the logical access to information assets and ICT assets |
| | strong authentication mechanisms |
| | implement controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters… |
| 12 | When restoring backup data, use ICT systems that are physically and logically segregated from the source ICT system. The ICT systems shall be securely protected from any unauthorized access or ICT corruption. |
| 13 | have in place capabilities and staff to gather information on vulnerabilities |
| 16 | continuously monitor the security and functioning of all ICT systems… minimise the impact of ICT risk through the use of sound, resilient and updated ICT systems, protocols and tools… protect availability, authenticity, integrity and confidentiality of data in the network and information systems |
  • Do we have processes and automation for gathering vulnerability information and detecting vulnerabilities on our Storage & Backup systems?
  • Do we have processes and automation for detecting risks (e.g. misconfigurations, security weaknesses) introduced by a Storage or Backup system change?
  • Do we have up-to-date configuration mapping for Storage and Backup platforms, including software, firmware, hardware, system parameters and security parameters?
  • How do we ensure that at least one backup data copy is physically and logically segregated?
  • How do we continuously maintain high standards of availability, authenticity, integrity and confidentiality of data at rest and in transit, and develop rules for strong authentication, limited logical access, updated software/firmware, updated protocols, backup data segregation, etc.?
  • What tools do we have to continuously control the security of ICT systems?

If you can confidently answer “yes” to these questions, you’re on the right track toward DORA compliance! 

The next item we shall explore is the DORA-mandated Regulatory Technical Standards (RTS) [JC 2023 86]. Complementing the main act, the DORA RTS specify technical measures for ICT risk management. The standards explicitly mention storage systems, emphasizing that: 

“Ensuring the security of data, systems, and networks is crucial… This involves implementing security measures for software, data storage media, systems, and endpoint devices”.  

The following table reviews key RTS requirements: 

| Article | Requirement in a nutshell |
|---|---|
| | rules for the encryption of data at rest and in transit |
| | rules for the encryption of internal network connections |
| | cryptographic key management |
| 10 | maintain awareness about vulnerabilities… Identify and evaluate available software and hardware patches and updates using automated tools |
| 11 | identification of secure configuration baseline for ICT assets that will minimise their exposure to cyber threats and measures to verify regularly that these baselines are those that are effectively deployed. The secure configuration baseline shall take into account leading practices and appropriate techniques referred to in standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 |
| 12 | level of detail of the logs… retention period… secure and handle the log data… |
| 13 | separate and dedicated network for the administration of ICT assets |
| 13 | terminate system and remote sessions after a predefined period of inactivity |
| 13 | the implementation of a secure configuration baseline of all network components and hardening the network and network devices according to vendor instructions, to, where applicable, standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 and leading practices |
| 14 | implement the policies, procedures, protocols and tools to protect information in transit |
| 21 | Provision on restrictions of access to ICT assets |
  • Have we identified and implemented a secure configuration baseline for Storage and Backup systems?
  • Do we have “measures to verify regularly that these baselines are those that are effectively deployed”?
  • Do our baselines take into account “leading practices and appropriate techniques referred to in standards” and vendor hardening instructions?
  • Are we meeting the specific technical requirements outlined by the RTS?
    • Storage / Backup systems encrypt data at rest
    • Storage / Backup systems encrypt data in transit
    • Encryption keys are kept securely
    • Logging is configured with sufficient detail and retention
    • GUI / CLI idle sessions are terminated
    • Data and management traffic are separated onto different network interfaces
    • Storage / Backup access is restricted (RBAC, firewall, ACL, MFA, …)
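The two checklists above (configuration mapping and change detection for the ICT Risk Management chapter, and "measures to verify regularly that these baselines are those that are effectively deployed" for the RTS) both come down to the same mechanism: hold a machine-readable baseline, compare each configuration snapshot against it, and re-run the comparison whenever a change is detected. The following is an added example of that mechanism written for this post; it is not StorageGuard or Continuity code. The two configuration snapshots are constructed exports from a hypothetical storage array (no real vendor format), and the numeric thresholds (idle timeout, log retention) are assumptions chosen for the example, not values prescribed by DORA or the RTS.

```python
"""Baseline verification and change detection for a storage/backup config.

Added example, not Continuity's or StorageGuard's code. The snapshots are
constructed exports from a hypothetical array; thresholds are assumptions.
"""
from dataclasses import dataclass

# Assumed baseline thresholds: DORA/RTS require a baseline and an idle
# timeout but do not prescribe these particular numbers.
MAX_IDLE_TIMEOUT_MINUTES = 15
MIN_LOG_RETENTION_DAYS = 90
DEPRECATED_PROTOCOLS = {"SSLv3", "TLS1.0", "TLS1.1"}

# Constructed snapshot: the state a collector might export today.
CURRENT_SNAPSHOT = {
    "system": "array-01",
    "firmware": "9.2.1",
    "encryption": {"at_rest": True, "in_transit_protocols": ["TLS1.2", "TLS1.0"]},
    "session": {"idle_timeout_minutes": 0},  # 0 means sessions never expire
    "logging": {"level": "info", "retention_days": 30, "remote_syslog": True},
    "network": {"management_interface": "eth0", "data_interfaces": ["eth0", "eth1"]},
    "access": {"mfa_required": False, "rbac_enabled": True, "admin_allowlist": ["10.0.0.0/24"]},
}

# Constructed snapshot: the same array after remediation.
HARDENED_SNAPSHOT = {
    "system": "array-01",
    "firmware": "9.3.0",
    "encryption": {"at_rest": True, "in_transit_protocols": ["TLS1.2", "TLS1.3"]},
    "session": {"idle_timeout_minutes": 10},
    "logging": {"level": "info", "retention_days": 365, "remote_syslog": True},
    "network": {"management_interface": "mgmt0", "data_interfaces": ["eth0", "eth1"]},
    "access": {"mfa_required": True, "rbac_enabled": True, "admin_allowlist": ["10.0.0.0/24"]},
}


@dataclass(frozen=True)
class Finding:
    control: str      # baseline control that is not effectively deployed
    observed: object  # value found in the snapshot
    expected: str     # what the baseline requires


def check_baseline(cfg: dict) -> list:
    """Compare one snapshot against the baseline; one Finding per failed control."""
    findings = []

    def require(control, ok, observed, expected):
        if not ok:
            findings.append(Finding(control, observed, expected))

    enc = cfg["encryption"]
    require("encryption.at_rest", enc["at_rest"] is True, enc["at_rest"], "enabled")
    weak = sorted(set(enc["in_transit_protocols"]) & DEPRECATED_PROTOCOLS)
    require("encryption.in_transit", not weak, weak, "no deprecated SSL/TLS versions")

    idle = cfg["session"]["idle_timeout_minutes"]
    require("session.idle_timeout", 0 < idle <= MAX_IDLE_TIMEOUT_MINUTES, idle,
            f"1..{MAX_IDLE_TIMEOUT_MINUTES} minutes (0 disables the timeout)")

    log = cfg["logging"]
    require("logging.retention", log["retention_days"] >= MIN_LOG_RETENTION_DAYS,
            log["retention_days"], f">= {MIN_LOG_RETENTION_DAYS} days")
    require("logging.remote_syslog", log["remote_syslog"], log["remote_syslog"],
            "logs forwarded to a remote log server")

    net = cfg["network"]
    require("network.mgmt_separation",
            net["management_interface"] not in net["data_interfaces"],
            net["management_interface"], "dedicated management interface")

    acc = cfg["access"]
    require("access.mfa", acc["mfa_required"], acc["mfa_required"], "MFA for admin logins")
    require("access.rbac", acc["rbac_enabled"], acc["rbac_enabled"], "RBAC enabled")
    require("access.admin_allowlist", bool(acc["admin_allowlist"]),
            acc["admin_allowlist"], "admin access limited to an allowlist")
    return findings


def diff_config(old: dict, new: dict, prefix: str = "") -> dict:
    """Return {dotted.path: (old_value, new_value)} for every changed setting."""
    changes = {}
    for key in sorted(set(old) | set(new)):
        path = prefix + key
        a, b = old.get(key), new.get(key)
        if isinstance(a, dict) and isinstance(b, dict):
            changes.update(diff_config(a, b, path + "."))  # recurse into sections
        elif a != b:
            changes[path] = (a, b)
    return changes


if __name__ == "__main__":
    for f in check_baseline(CURRENT_SNAPSHOT):
        print(f"FAIL {f.control}: observed {f.observed!r}, expected {f.expected}")
    print("hardened snapshot findings:", check_baseline(HARDENED_SNAPSHOT))
    for path, (a, b) in diff_config(CURRENT_SNAPSHOT, HARDENED_SNAPSHOT).items():
        print(f"CHANGE {path}: {a!r} -> {b!r}")
```

Run against the constructed current snapshot, the check reports five controls as not effectively deployed (deprecated TLS version, no idle timeout, 30-day log retention, management traffic sharing a data interface, no MFA) and none for the hardened snapshot. The diff is what turns this into the change-management control the main act asks for: each time `diff_config` reports a non-empty set of changes (a firmware update, a new interface assignment, a changed security parameter), that is the trigger to re-run `check_baseline` and record the result, rather than waiting for the next scheduled assessment.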

A positive response to these questions signals progress toward RTS compliance. 

In the next blog post, we’ll present ways to close the DORA gaps you may have in your storage and backup systems, and also explore the Operational Resilience chapter.  

Stay tuned! 
