Virtualization Technology News and Information
Data Loss Prevention is a Step Closer to DORA Compliance

By Ambler T. Jackson

The Digital Operational Resilience Act (DORA) requires European Union (EU) financial entities, such as banks, insurance companies and investment firms, to maintain protection, detection, containment, recovery and repair capabilities against information and communication technology (ICT) related incidents. It sets uniform requirements for the security of the network and information systems that support the business processes of financial entities. To address the risk introduced by third parties that provide services to the financial sector, DORA requires financial entities to take measures for the "sound management of ICT third-party risk." In this blog, I will discuss why financial institutions and ICT third parties should consider using data loss prevention (DLP) to help achieve DORA compliance.

ICT Risk Management Framework and DLP

DORA's reach is wide: it applies directly to financial entities, and it reaches the third parties that provide ICT services to them, both through the contractual requirements financial entities must impose on those providers and, for providers designated as critical, through a Union-level oversight framework. It creates a regulatory framework on digital operational resilience under which every in-scope firm must be able to withstand, respond to and recover from all types of ICT-related disruptions and threats. Article 6, ICT risk management framework, states in part that financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which shall include strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets. A DLP program with the right technical capabilities helps a financial entity meet that last obligation: protecting all of its information assets.

DLP solutions mitigate the risk of data loss from insider-related incidents, such as employee error (e.g., unintentional file deletion or the unintentional sharing of sensitive data in an email), as well as data breaches caused by malicious attacks. A DLP tool worth considering will identify sensitive data, manage insider threats, help the entity map its regulatory compliance requirements onto each data type, and ultimately protect sensitive data (e.g., payment information, sensitive customer data, employee data) from leakage or theft.

DLP Policy Violations, Monitoring and Alerting

To protect information assets in accordance with the ICT risk management framework, financial entities have to prevent data loss and exfiltration with tools that not only identify the information assets but also monitor the environment and raise an alert when an asset such as financial information is being used in a way that violates the entity's policy for that information.

DLP policies describe what happens when a user handles sensitive data in a way the policy does not allow. Policies control data storage, file transfer and sharing, as well as which activity is permissible on employee endpoints. A DLP solution should be capable of responding to a violation with actions such as alerting the security team, warning the user with a pop-up message, quarantining the data, or blocking the transfer entirely. Organizations should be able to define these policies from their own internal security policies, standards, controls and procedures.

With the requirements of the ICT risk management framework in mind, the following DLP capabilities bring a financial entity's risk management and governance practices closer to DORA compliance.

  • Identification of all types of sensitive data, regardless of where it is located and regardless of format; that is, whether structured or unstructured
  • Classification of data according to its value and the risk to the financial institution if it is leaked unintentionally or accessed by malicious actors
  • Organizationally-defined policies for each data type to support regulatory compliance requirements and enable incident response activities
  • Monitoring for violation of policies and prevention of information assets being transmitted to environments where financial entities may not have visibility
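To make the four capabilities above concrete, here is an added example (my own illustration, not code from the original post or from any DLP product) of the core of a content-inspection policy engine in Python. It identifies payment card numbers and IBANs in a message, rejects look-alike digit runs that fail the Luhn and mod-97 checksums, classifies each finding, decides the enforcement action from an organizationally defined policy table keyed on classification and destination, and emits a masked audit event of the kind a monitoring console or SIEM would consume. The regular expressions, the classification tiers, the policy table, the internal domain list and the four sample messages are all assumptions constructed for the example.

```python
"""Toy DLP policy engine: identify sensitive data, classify it, decide an action.
Added example, not code from the original post or any DLP product; detectors,
policy table, domain list and sample messages are assumptions."""
import re
from enum import Enum

class Action(Enum):
    """Enforcement actions, ordered least to most restrictive."""
    ALLOW = 0
    ALERT = 1        # deliver, notify the security team
    WARN = 2         # deliver after a pop-up warning to the user
    QUARANTINE = 3   # hold the message or file for review
    BLOCK = 4        # stop the transfer outright

# --- Identification: loose candidate patterns, tightened by the checksums below
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def iban_ok(iban: str) -> bool:
    """ISO 7064 mod-97: rotate the first four characters to the end, map
    letters to 10..35, and the resulting integer must be 1 mod 97."""
    s = re.sub(r"\s", "", iban)
    if not 15 <= len(s) <= 34:
        return False
    numeric = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(numeric) % 97 == 1

def find_sensitive(text: str) -> dict:
    """Validated findings keyed by data type, e.g. {"PAN": ["4111..."]}."""
    found = {"IBAN": [], "PAN": []}
    for m in IBAN_RE.finditer(text):
        if iban_ok(m.group()):
            found["IBAN"].append(re.sub(r"\s", "", m.group()))
    # Blank out IBAN candidates so their digit runs are not re-read as PANs.
    for m in PAN_RE.finditer(IBAN_RE.sub(" ", text)):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # an order number that merely looks like a PAN fails here
            found["PAN"].append(digits)
    return {k: v for k, v in found.items() if v}

# --- Classification and organizationally defined policy (assumed values)
CLASSIFICATION = {"PAN": "restricted", "IBAN": "confidential"}
INTERNAL_DOMAINS = {"examplebank.example"}
POLICIES = {  # (classification, destination) -> action
    ("restricted", "external"): Action.BLOCK,
    ("restricted", "internal"): Action.ALERT,
    ("confidential", "external"): Action.QUARANTINE,
    ("confidential", "internal"): Action.ALLOW,
}

def destination_of(recipient: str) -> str:
    domain = recipient.rsplit("@", 1)[-1].lower()
    return "internal" if domain in INTERNAL_DOMAINS else "external"

def evaluate(body: str, recipient: str) -> tuple:
    """Return (action, findings); the most restrictive matching row wins."""
    findings = find_sensitive(body)
    dest = destination_of(recipient)
    actions = [POLICIES.get((CLASSIFICATION[t], dest), Action.ALLOW) for t in findings]
    return max(actions, default=Action.ALLOW, key=lambda a: a.value), findings

def audit_event(user: str, recipient: str, body: str) -> dict:
    """Monitoring output of the kind a DLP console or SIEM would receive;
    values are masked so the alert itself does not leak the data."""
    action, findings = evaluate(body, recipient)
    return {
        "user": user,
        "recipient": recipient,
        "destination": destination_of(recipient),
        "findings": {k: [v[:4] + "*" * (len(v) - 8) + v[-4:] for v in vs]
                     for k, vs in findings.items()},
        "action": action.name,
    }

# Constructed sample messages (not real data).
SAMPLE_EVENTS = [
    ("alice", "bob@examplebank.example", "Card on file: 4111 1111 1111 1111, please update."),
    ("alice", "partner@outside.example", "Card on file: 4111 1111 1111 1111"),
    ("carol", "partner@outside.example", "Order ref 1234 5678 9012 3456 ships Monday."),
    ("dave", "partner@outside.example", "Pay to IBAN DE89 3704 0044 0532 0130 00 for invoice 17."),
]

def run_samples() -> list:
    """Action name per sample: ALERT, BLOCK, ALLOW, QUARANTINE."""
    return [audit_event(*e)["action"] for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(audit_event(*e))
```

Run it directly to print one audit event per sample. The third sample is the edge case that matters in practice: an order reference that looks like a card number fails the Luhn check and is allowed through, where a pattern-only detector would have blocked a legitimate email. The same message to an internal colleague and to an outside partner receives different actions from the same policy table, and when several findings match, the most restrictive action wins.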

Incident Detection and Response

Threat and incident detection are key to DORA compliance.  DLP capabilities that combine analysis of data and user behavior are better positioned to detect insider threats.  In fact, Gartner recommends investing in a DLP solution that not only provides content inspection capabilities but also offers extra features such as data lineage for visibility and classification, user and entity behavior analytics (UEBA), and rich context for incident response.  UEBA is useful for insider-related incidents (e.g., UEBA might help identify data exfiltration by a dissatisfied employee).

Further, DLP tools that provide rich context for incident investigation and response help to mitigate the impact of a breach more quickly, and faster mitigation lets the entity begin recovery from an ICT-related incident sooner. Taken together, these capabilities minimize the impact of any operational disruption resulting from the incident.

Conclusion

Organizations in the planning phase of selecting a DLP solution for DORA compliance need to fully understand DORA and its ICT third-party requirements, as well as how modern DLP tools can provide capabilities that meet them. Given the many options and variables to consider, financial institutions must spend the appropriate amount of time understanding the nuances and distinctions among the many solutions on the market.


About the Author


Ambler is an attorney with an extensive background in corporate governance, regulatory compliance, and privacy law.  She currently consults on governance, risk and compliance, enterprise data management, and data privacy and security matters in Washington, DC. She also writes with Bora Design about today's most important cybersecurity and regulatory compliance issues.

Published Friday, August 04, 2023 7:35 AM by David Marshall