1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall identify and implement physical security measures designed on the basis of the threat landscape and in accordance with the classification referred to in Article 30(1) of this Regulation, the overall risk profile of ICT assets, and accessible information assets.
2. The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards.
3. The protection from environmental threats and hazards shall be commensurate with the importance of the premises concerned and, where applicable, the data centres and the criticality of the operations or ICT systems located therein.
To ensure authorized access and prevent unauthorized access to data and other related resources, the organization has defined and implemented clear rules for physical and logical access control.
Rules are implemented and enforced through several different tasks, but are also combined into an access control policy for clear communication and review.
All accounts, access rights and privileges should be traceable to the role responsible for them and the person who approved them.
The organization should take into account the environmental threats and hazards and protect from them with controls that commensurate with the importance of the premises.
The organization should ensure that the data centers used by the organization have controls in place to protect ICT and information assets from unauthorized access, attacks, and accidents.
The data center should also have controls and plans in place to protect the assets from environmental threats and hazards. The protection from environmental threats and hazards should commensurate with the importance of the data centers and the criticality of the operations or ICT systems located there.
When performing maintenance on ICT products, physical provider access should be regulated and monitored.
The organization has a clear process, according to which it identifies the most critical functions in terms of its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.
Items in the IT environment that are necessary for these activities (such as information systems, data reserves, operating processes, partners, units, hardware) are classified as critical.
Critical functions are considered with the highest priority, e.g. in continuity planning, and stricter safety requirements can be applied to them than to other objects in the environment.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.
.png)
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
