Article 5.1 - Governance and organisation
Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with Article 6(4), in order to achieve a high level of digital operational resilience.
Wallix recommendation
PAM can play a significant role in supporting an effective ICT risk management framework as required by Article 5(1).
- Centralized Management: PAM centralizes the management of privileged accounts and access rights, allowing for easier identification, assessment, and mitigation of risks associated with these accounts.
- Reduced Attack Surface: By restricting privileged access and enforcing least privilege principles, PAM reduces the potential impact of compromised privileged credentials.
- Improved Monitoring and Logging: PAM solutions typically provide comprehensive logging of privileged user activity, which can be used for monitoring suspicious behavior and detecting potential threats.
- Enhanced Accountability: PAM establishes a clear audit trail for privileged access, enabling better accountability and facilitating incident investigations.
Article 5.2 - Governance and organisation
The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1).
Subparagraphs/Preambles:
(a) bear the ultimate responsibility for managing the financial entity’s ICT risk;
(b) put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data;
(c) set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions;
(d) bear the overall responsibility for setting and approving the digital operational resilience strategy as referred to in Article 6(8), including the determination of the appropriate risk tolerance level of ICT risk of the financial entity, as referred to in Article 6(8), point (b);
(e) approve, oversee and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans, referred to, respectively, in Article 11(1) and (3), which may be adopted as a dedicated specific policy forming an integral part of the financial entity’s overall business continuity policy and response and recovery plan;
(f) approve and periodically review the financial entity’s ICT internal audit plans, ICT audits and material modifications to them;
(g) allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training referred to in Article 13(6), and ICT skills for all staff;
(h) approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;
(i) put in place, at corporate level, reporting channels;
Wallix recommendation
(a) Ultimate responsibility for managing ICT risk: While PASM itself doesn’t directly address ultimate responsibility, it provides a tool to enforce controls and improve risk posture, making it easier for management to fulfill this responsibility.
(b) Policies for data security: PASM doesn’t directly set data security policies, but by restricting access to data based on the principle of least privilege, it helps enforce existing policies and reduces the risk of unauthorized access or modification.
(c) Clear roles and responsibilities: PASM can help define clear roles for privileged users by assigning specific access rights based on job functions. This promotes accountability and reduces the risk of unauthorized access.
(d) Digital operational resilience strategy: PASM contributes to the overall resilience strategy by securing critical systems and data through privileged access controls.
(e) Business continuity and recovery plans: While not directly managing these plans, PASM helps ensure their effectiveness by limiting the potential for disruptions caused by compromised privileged accounts.
(f) ICT internal audit plans: PASM’s audit logs can be a valuable source of data for ICT internal audits, helping to assess the effectiveness of access controls and identify potential weaknesses.
(g) Budget allocation: The cost of implementing and maintaining a PASM solution contributes to the overall budget for digital operational resilience. However, it can also help reduce the need for future security investments by proactively mitigating risks.
(h) Policy on ICT third-party service providers: PASM can be integrated with third-party access management solutions to ensure consistent and secure access controls for external providers.
(i) Reporting channels: PASM systems can generate reports on privileged user activity, which can be used to inform management about potential risks and incidents related to privileged access.
Article 6.1 - ICT risk management framework
Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.
Wallix recommendation
Sound, Comprehensive, and Documented Framework:
- PASM supports a comprehensive approach by focusing on privileged access, a frequent target for attackers and a major ICT risk.
- PASM documentation details access controls and security measures, contributing to a well-documented framework.
Article 6.2 - ICT risk management framework
The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets, including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructures, such as premises, data centres and sensitive designated areas, to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage.
Wallix recommendation
Protecting Information and ICT Assets:
PASM helps protect information assets and ICT assets by:
- Restricting access to critical systems and data based on the principle of least privilege.
- Monitoring privileged user activity to detect suspicious behavior.
Article 6.4 - ICT risk management framework
Financial entities, other than microenterprises, shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest. Financial entities shall ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.
Wallix recommendation
Assigning Responsibility and Avoiding Conflicts:
PASM itself doesn’t assign responsibility but integrates with existing IT governance structures, supporting the control function’s role in managing ICT risk.
Article 6.5 - ICT risk management framework
The ICT risk management framework shall be documented and reviewed at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes. It shall be continuously improved on the basis of lessons derived from implementation and monitoring. A report on the review of the ICT risk management framework shall be submitted to the competent authority upon its request.
Wallix recommendation
Documented Framework, Review, and Improvement:
PASM’s configuration and audit logs provide valuable data for documenting the framework, reviewing its effectiveness, and identifying areas for improvement related to privileged access controls.
Article 6.6 - ICT risk management framework
The ICT risk management framework of financial entities, other than microenterprises, shall be subject to internal audit by auditors on a regular basis in line with the financial entities’ audit plan. Those auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity.
Wallix recommendation
Internal Audit by Auditors with ICT Expertise:
PASM’s audit logs can be used by internal auditors with ICT expertise to assess the effectiveness of privileged access controls and identify potential weaknesses.
Article 6.7 - ICT risk management framework
Based on the conclusions from the internal audit review, financial entities shall establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings.
Wallix recommendation
Follow-up Process for Critical Findings:
PASM helps address critical findings related to privileged access by providing evidence of suspicious activity and facilitating investigations.
Article 6.8 - ICT risk management framework
The ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented. To that end, the digital operational resilience strategy shall include methods to address ICT risk and attain specific ICT objectives, by:
- explaining how the ICT risk management framework supports the financial entity’s business strategy and objectives;
- establishing the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analysing the impact tolerance for ICT disruptions;
- setting out clear information security objectives, including key performance indicators and key risk metrics;
- explaining the ICT reference architecture and any changes needed to reach specific business objectives;
- outlining the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it;
- evidencing the current digital operational resilience situation on the basis of the number of major ICT-related incidents reported and the effectiveness of preventive measures;
- implementing digital operational resilience testing, in accordance with Chapter IV of this Regulation;
- outlining a communication strategy in the event of ICT-related incidents the disclosure of which is required in accordance with Article 14.
Wallix recommendation
Digital Operational Resilience Strategy:
PASM contributes to the digital operational resilience strategy by:
- Mitigating the risk of incidents caused by compromised privileged credentials.
- Strengthening overall resilience through secure privileged access controls.
Overall, PASM plays a crucial role within DORA’s ICT risk management framework by securing privileged access. It helps organizations address a critical element of ICT risk, ultimately contributing to a more secure and resilient IT environment.
Note: While PASM doesn’t directly address all aspects of Article 6, it provides a valuable tool for managing a specific and significant ICT risk area – privileged access.
Article 7 - ICT systems, protocols and tools
In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are:
(a) appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle as referred to in Article 4;
(b) reliable;
(c) equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced;
(d) technologically resilient in order to adequately deal with additional information processing needs as required under stressed market conditions or other adverse situations.
Wallix recommendation
PAM aligns with DORA Article 7 by providing a reliable, secure, and technologically resilient system for managing privileged access. PAM’s encryption of access protocols strengthens the overall security posture and contributes to the resilience of ICT infrastructure, helping financial entities achieve tolerable levels for potential disruptions.
- PAM should be scaled appropriately to the size and complexity of the organization’s IT infrastructure and privileged access needs.
- PAM solutions should be reliable and offer high availability to ensure consistent and uninterrupted management of privileged access.
- PAM should be built with robust security features, including encryption of protocols used to access target systems. This helps protect sensitive privileged credentials and data in transit from unauthorized access or interception.
- Regular updates to the PAM solution are crucial to address evolving threats and vulnerabilities.
By minimizing the risk of incidents caused by compromised privileged credentials, PAM contributes to achieving tolerable levels for ICT disruptions.
Article 8.1 - Identification
As part of the ICT risk management framework referred to in Article 6(1), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. Financial entities shall review as needed, and at least yearly, the adequacy of this classification and of any relevant documentation.
Wallix recommendation
- Privileged accounts and their roles: PAM helps create a central repository of privileged accounts, aiding in documentation.
- Systems and data accessed by privileged users: This information can be used to identify information assets and ICT assets requiring access control.
Article 8.2 - Identification
Wallix recommendation
Such ICT risks can be:
- Excessive access rights assigned to users or service accounts.
- Inactive privileged accounts that could be exploited if compromised.
- Users with access to more systems or data than they require (violation of least privilege).
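As an added illustration of the three risk classes listed above (not code from WALLIX or the original page), the review below runs over a constructed privileged-account inventory and a constructed role baseline; the field names, the 90-day idle threshold and the role-to-system mapping are assumptions.

```python
from datetime import date

# Constructed sample inventory; in practice this would be exported from the
# PAM vault. "last_used" is the date the PAM last brokered a session for the
# account (None = never used since onboarding). Field names are assumed.
PRIVILEGED_ACCOUNTS = [
    {"id": "db-admin-01", "type": "user", "role": "dba",
     "systems": {"db-prod-1", "db-prod-2"}, "last_used": "2024-05-02"},
    {"id": "db-admin-02", "type": "user", "role": "dba",
     "systems": {"db-prod-1", "app-prod-1", "fw-core"}, "last_used": "2024-05-10"},
    {"id": "svc-backup", "type": "service", "role": "backup",
     "systems": {"db-prod-1", "db-prod-2", "file-prod-1"}, "last_used": "2023-11-20"},
    {"id": "net-admin-01", "type": "user", "role": "network",
     "systems": {"fw-core"}, "last_used": None},
]

# Constructed role baseline: the systems each job function legitimately needs.
# Anything an account can reach beyond its baseline is a least-privilege gap.
ROLE_BASELINE = {
    "dba": {"db-prod-1", "db-prod-2"},
    "backup": {"db-prod-1", "db-prod-2", "file-prod-1"},
    "network": {"fw-core", "fw-edge"},
}


def parse_date(s):
    """ISO date string -> date, or None when the account was never used."""
    return date.fromisoformat(s) if s else None


def find_inactive(accounts, today, max_idle_days=90):
    """Accounts idle for more than max_idle_days, or never used at all.

    Returns a list of (account id, idle days or None)."""
    flagged = []
    for acct in accounts:
        last = parse_date(acct["last_used"])
        idle = (today - last).days if last else None
        if idle is None or idle > max_idle_days:
            flagged.append((acct["id"], idle))
    return flagged


def find_excess_entitlements(accounts, baseline):
    """Accounts whose reachable systems exceed their role baseline.

    Returns {account id: sorted list of systems outside the baseline}.
    Covers both 'excessive rights' and 'more systems than required'."""
    findings = {}
    for acct in accounts:
        allowed = baseline.get(acct["role"], set())
        extra = acct["systems"] - allowed
        if extra:
            findings[acct["id"]] = sorted(extra)
    return findings


def review(accounts, baseline, today, max_idle_days=90):
    """Run both checks for a review date given as an ISO string."""
    today = parse_date(today)
    return {
        "inactive": find_inactive(accounts, today, max_idle_days),
        "excess": find_excess_entitlements(accounts, baseline),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(review(PRIVILEGED_ACCOUNTS, ROLE_BASELINE, "2024-06-01"))
```

The service account is flagged as inactive even though it is not a user, which is the case the text is warning about: dormant credentials that still carry access.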
Article 8.3 - Identification
Wallix recommendation
PAM can be used to assess the impact of major changes on privileged access controls. For instance, introducing a new application might require granting privileged access to specific accounts. PAM helps evaluate the associated risks and implement appropriate access controls.
Article 8.4 - Identification
Wallix recommendation
- Privileged accounts and their roles: PAM helps create a central repository of privileged accounts, aiding in documentation.
- Systems and data accessed by privileged users: This information can be used to identify information assets and ICT assets requiring access control.
Article 8.5 - Identification
Wallix recommendation
[Figure: Risk Class Model by WALLIX]
Article 9.1 - Protection and Prevention
For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.
Article 9.2 - Protection and Prevention
Wallix recommendation
PAM integrates seamlessly with existing security policies and procedures related to access control.
By securing privileged access, PAM contributes to the resilience, continuity, and availability of ICT systems, especially those supporting critical functions.
PAM helps maintain high standards of data security (availability, authenticity, integrity, and confidentiality) by:
- Restricting unauthorized access to sensitive data.
- Minimizing the risk of data breaches caused by compromised privileged credentials.
Article 9.3 - Protection and Prevention
(b) minimise the risk of corruption or loss of data, unauthorised access and technical flaws that may hinder business activity;
(c) prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data;
(d) ensure that data is protected from risks arising from data management, including poor administration, processing-related risks and human error.
(f) have appropriate and comprehensive documented policies for patches and updates.
Wallix recommendation
- PAM can be configured to restrict privileged sessions to specific network segments or limit data transfer capabilities during privileged access sessions, enhancing data transfer security.
- By enforcing least privilege and monitoring privileged activity, PAM helps minimize the risk of data corruption, loss, and unauthorized access.
- PAM helps prevent issues like lack of data availability, data integrity breaches, and unauthorized data disclosure by securing privileged access.
- PAM mitigates risks arising from poor administration by providing centralized control over privileged accounts and access rights.
- It also reduces processing-related risks by minimizing the need for manual interventions and human errors during privileged access activities.
Article 9.4 - Protection and Prevention
As part of the ICT risk management framework referred to in Article 6(1), financial entities shall:
(a) develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers, where applicable;
(b) following a risk-based approach, establish a sound network and infrastructure management structure using appropriate techniques, methods and protocols that may include implementing automated mechanisms to isolate affected information assets in the event of cyber-attacks;
(c) implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof;
(d) implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes;
(e) implement documented policies, procedures and controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters, that are based on a risk assessment approach and are an integral part of the financial entity’s overall change management process, in order to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner;
Wallix recommendation
PAM directly aligns with the information security policy objective of protecting data confidentiality by restricting access to sensitive information based on the principle of least privilege.
PAM doesn’t directly manage the entire network infrastructure, but it contributes to a sound management structure by:
- Enforcing access controls that limit lateral movement within the network by privileged users.
- Potentially integrating with network segmentation tools to further restrict access based on security zones.
PAM plays a central role in implementing access control policies by:
- Providing a platform for defining and managing granular access rights for privileged users.
- Enforcing least privilege and limiting access to only the systems and data required for specific job functions.
PAM typically integrates with existing strong authentication mechanisms for privileged access, such as multi-factor authentication (MFA).
While PAM itself might not directly handle data encryption, it can work alongside data encryption solutions by securing access to data at rest and in transit (through privileged sessions).
PAM can be integrated with change management processes to ensure that any changes to access controls or privileged user permissions are properly reviewed, approved, and implemented in a controlled manner.
Article 10.1 - Detection
Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 17, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure.
All detection mechanisms referred to in the first subparagraph shall be regularly tested in accordance with Article 25.
Wallix recommendation
PAM acts as a valuable tool for anomaly detection within the scope of privileged access. By providing insights into user behavior and enabling real-time monitoring, PAM supports DORA Article 10’s objective of promptly detecting anomalous activities and ICT-related incidents.
PAM monitors privileged user sessions and can detect activities that deviate from normal behavior, potentially indicating:
- Compromised privileged credentials being used.
- Unusual access attempts to critical systems or data.
- Privileged users exceeding their authorized access rights.
Article 10.2 - Detection
Wallix recommendation
PAM integrates with existing security information and event management (SIEM) systems, enabling correlation of events from various sources. This creates multiple layers of control for anomaly detection.
PAM can be configured to generate alerts based on pre-defined thresholds and criteria related to privileged activity. These alerts can trigger automated incident response workflows and notify relevant staff for further investigation.
Article 10.3 - Detection
Wallix recommendation
PAM provides a centralized platform for monitoring all privileged user sessions, offering a comprehensive view of user activity.
By detecting suspicious privileged activity, PAM can help identify potential cyberattacks or other ICT-related incidents.
Article 11.1 - Response and recovery
As part of the ICT risk management framework referred to in Article 6(1) and based on the identification requirements set out in Article 8, financial entities shall put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral part of the overall business continuity policy of the financial entity.
Wallix recommendation
PAM plays a supporting role in DORA Article 11 by providing tools and insights that can aid in responding to and recovering from ICT-related incidents. Secure privileged access helps ensure business continuity by minimizing potential damage and facilitating faster recovery times.
PAM aligns with the overall objective of ensuring business continuity by securing privileged access, which is critical for maintaining core functions in case of an incident.
Article 11.2 - Response and recovery
Financial entities shall implement the ICT business continuity policy through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to:
(a) ensure the continuity of the financial entity’s critical or important functions;
(b) quickly, appropriately and effectively respond to, and resolve, all ICT-related incidents in a way that limits damage and prioritises the resumption of activities and recovery actions;
(c) activate, without delay, dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incident and prevent further damage, as well as tailored response and recovery procedures established in accordance with Article 12;
(d) estimate preliminary impacts, damages and losses;
(e) set out communication and crisis management actions that ensure that updated information is transmitted to all relevant internal staff and external stakeholders in accordance with Article 14, and report to the competent authorities in accordance with Article 19.
Wallix recommendation
Effective Incident Response: By providing forensic logs of privileged activity, PAM can aid in investigating the root cause of ICT-related incidents and expediting recovery efforts.
Containment Measures: PAM allows for immediate temporary or permanent disabling of compromised privileged accounts, potentially limiting the impact of the incident.
Damage Estimation: PAM’s audit logs can be used to assess the scope of unauthorized access or potential data breaches caused by compromised privileged credentials.
Article 13.1 - Learning and Evolving
Financial entities shall have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-attacks, and analyse the impact they are likely to have on their digital operational resilience.
Wallix recommendation
PAM plays a crucial role in DORA Article 13 by providing valuable data for learning and improvement. By analyzing privileged access activity and incidents, financial institutions can continuously refine their security posture and strengthen their digital operational resilience.
PAM’s audit logs provide valuable data for analyzing privileged user activity, which can be used to:
- Identify potential vulnerabilities associated with privileged access.
- Detect suspicious behavior that might indicate cyberattacks targeting privileged accounts.
- Understand the impact of incidents involving compromised privileged credentials.
Article 13.2 - Learning and Evolving
(b) the quality and speed of performing a forensic analysis, where deemed appropriate;
(c) the effectiveness of incident escalation within the financial entity;
(d) the effectiveness of internal and external communication.
Wallix recommendation
PAM’s forensic logs can be crucial for post-incident reviews, especially those involving compromised privileged access. This information can help identify:
- How compromised credentials were used to disrupt core activities.
- Weaknesses in privileged access controls that contributed to the incident.
Article 13.7 - Learning and Evolving
Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience. They shall keep up-to-date with the latest ICT risk management processes, in order to effectively combat current or new forms of cyber-attacks.
Wallix recommendation
PAM vendors are constantly evolving their solutions to address emerging threats and vulnerabilities.
Financial institutions can leverage PAM vendors’ expertise and threat intelligence feeds to stay informed about the latest attack vectors targeting privileged access. Leading PAM solutions integrate with security frameworks and best practices.
By maintaining a robust PAM solution, financial institutions can ensure their privileged access controls are aligned with evolving risk management approaches.
Article 15 - Further harmonisation of ICT risk management tools, methods, processes and policies
The ESAs shall, through the Joint Committee, in consultation with the European Union Agency on Cybersecurity (ENISA), develop common draft regulatory technical standards in order to:
(a) specify further elements to be included in the ICT security policies, procedures, protocols and tools referred to in Article 9(2), with a view to ensuring the security of networks, enable adequate safeguards against intrusions and data misuse, preserve the availability, authenticity, integrity and confidentiality of data, including cryptographic techniques, and guarantee an accurate and prompt data transmission without major disruptions and undue delays;
(b) develop further components of the controls of access management rights referred to in Article 9(4), point (c), and associated human resource policy specifying access rights, procedures for granting and revoking rights, monitoring anomalous behaviour in relation to ICT risk through appropriate indicators, including for network use patterns, hours, IT activity and unknown devices;
Wallix recommendation
Strong Authentication: DORA RTS might mandate the use of strong authentication mechanisms for privileged access, which aligns perfectly with PAM’s core functionality of enforcing multi-factor authentication (MFA) and other robust authentication methods.
Least Privilege: The principle of least privilege is likely to be emphasized in the RTS. PAM directly supports this principle by allowing granular control over access rights, ensuring users only have the minimum access required for their roles.
Data Encryption: DORA RTS might specify requirements for data encryption in transit and at rest. While PAM may not directly handle encryption itself, it can work alongside data encryption solutions by securing access to data at rest and in transit (through privileged sessions).
Granular Access Controls: DORA RTS are likely to mandate more granular access controls. PAM excels in this area by offering detailed control over user permissions, including specific systems, data objects, and actions that privileged users can perform.
Just-in-Time (JIT) Privileged Access: DORA RTS might encourage the use of JIT provisioning, granting privileged access only when required for specific tasks. PAM can support JIT access by enabling temporary privilege escalation and enforcing session recording or monitoring.
Monitoring and Anomalous Behavior Detection: DORA RTS might emphasize monitoring access activity and detecting suspicious behavior. PAM’s session monitoring and auditing capabilities directly address this requirement by identifying deviations from normal access patterns and alerting security teams of potential anomalies.
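As an added example serving both the Article 10 recommendations (detecting privileged activity that deviates from normal behaviour, with alerts on pre-defined thresholds) and the Article 15(b) indicators above (hours, unknown devices, activity outside scope), the detector below runs over constructed PAM session records. It is not WALLIX code; the JSON field names, the business-hours window, the per-day session threshold and the per-user baselines are all assumptions.

```python
import json
from datetime import datetime

# Constructed PAM session log (JSON lines). The field names are assumed and
# do not represent a real vendor export format.
SAMPLE_LOG = """\
{"ts": "2024-06-03T09:12:00", "user": "db-admin-01", "target": "db-prod-1", "device": "ws-1042"}
{"ts": "2024-06-03T02:47:00", "user": "db-admin-01", "target": "db-prod-2", "device": "ws-1042"}
{"ts": "2024-06-03T10:05:00", "user": "net-admin-01", "target": "fw-core", "device": "lt-9001"}
{"ts": "2024-06-03T10:30:00", "user": "db-admin-01", "target": "fw-core", "device": "ws-1042"}
{"ts": "2024-06-03T11:00:00", "user": "db-admin-01", "target": "db-prod-1", "device": "ws-1042"}
{"ts": "2024-06-03T11:10:00", "user": "db-admin-01", "target": "db-prod-1", "device": "ws-1042"}
"""

# Constructed baselines: targets each user is authorised for, devices
# registered to them, the hours considered normal, and a session threshold.
AUTHORIZED_TARGETS = {"db-admin-01": {"db-prod-1", "db-prod-2"},
                      "net-admin-01": {"fw-core"}}
REGISTERED_DEVICES = {"db-admin-01": {"ws-1042"},
                      "net-admin-01": {"ws-2201"}}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local time
SESSION_THRESHOLD = 3           # alert when a user opens more sessions than this in a day


def parse_log(text):
    """Parse JSON-lines session records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_session(rec, authorized, devices, hours):
    """Per-session indicators; returns a list of reasons (empty = normal)."""
    reasons = []
    ts = datetime.fromisoformat(rec["ts"])
    if ts.hour not in hours:
        reasons.append("outside business hours")
    if rec["device"] not in devices.get(rec["user"], set()):
        reasons.append("unknown device")
    if rec["target"] not in authorized.get(rec["user"], set()):
        reasons.append("target outside authorised scope")
    return reasons


def detect(records, authorized=AUTHORIZED_TARGETS, devices=REGISTERED_DEVICES,
           hours=BUSINESS_HOURS, threshold=SESSION_THRESHOLD):
    """Return alerts: one per anomalous session, plus one per user/day whose
    session count exceeds the threshold (the 'pre-defined threshold' case)."""
    alerts = []
    per_user_day = {}
    for rec in records:
        reasons = check_session(rec, authorized, devices, hours)
        if reasons:
            alerts.append({"ts": rec["ts"], "user": rec["user"],
                           "target": rec["target"], "reasons": reasons})
        key = (rec["user"], rec["ts"][:10])
        per_user_day[key] = per_user_day.get(key, 0) + 1
    for (user, day), n in per_user_day.items():
        if n > threshold:
            alerts.append({"ts": day, "user": user, "target": None,
                           "reasons": [f"{n} sessions in one day exceeds threshold {threshold}"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert["ts"], alert["user"], alert["target"], "; ".join(alert["reasons"]))
```

Each alert carries the record it was raised on, so it can be forwarded to a SIEM for correlation with other sources as the Article 10.2 recommendation describes.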