The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following:
(a) the identification and implementation of measures to protect data in use, in transit, and at rest;
(b) the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity;
(c) the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity’s network, and to secure the network traffic between the financial entity’s internal networks and the internet and other external connections;
(d) the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions;
(e) a process to securely delete data on premises, or that are stored externally, that the financial entity no longer needs to collect or store;
(f) a process to securely dispose of, or decommission, data storage devices on premises, or data storage devices that are stored externally, that contain confidential information;
(g) the identification and implementation of measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the financial entity’s ability to carry out its critical activities in an adequate, timely, and secure manner.
To protect information transferred via public or private networks from reading or manipulation by third parties, the organization has:
The organization should have measures to ensure that teleworking and use of private endpoint devices are secured enough to not cause an impact to the organizations critical activities.
The organization must have process to securely delete data that in longer needs either on premises or data that is stored externally.
There also must be a secure process to dispose and decommission data storage devices, on-premises or external, that contain confidential information.
Implementing data deletion policies and using certified data erasure tools can enhance data security and compliance.
Control access to services based on knowledge of users and devices.
One example is if a user logs in via an unmanaged device (the organisation trusts the user but does not control the device) and gains access to fewer services than if the user logs in via an organisation-managed device (the organisation knows both the user and the device).
The organisation must have measures for ensuring correct addressing and correct transfer of information.
An electronic data exchange must be conducted using content or transport encryption suitable for the classification of data in transfer.
The organization must implement practices and procedures so that the information coming out of the services is complete and timely. The procedures must take into account:
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.
.png)
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
