ICT Documents

What regulations & standards say

  • DORA (EU 2022/2554): requires an ICT Risk Management Framework, a Digital Operational Resilience Strategy (DORS), Incident Management (incl. classification/notifications), Business Continuity & DR, a Testing program (DORT), Third-Party/Outsourcing with an Information Register, governance and reporting.

  • CSSF 22/806 (and related circulars): specifies ICT governance, outsourcing (contracts/clauses, register, notifications), BCM/DR, risk assessment, change/access management, etc.

  • ISO/IEC 27001:2022: requires an Information Security Policy and documented controls (Annex A) for access, change control, backup, logging, encryption, supplier security, secure development, etc.

  • GDPR: mandates a Data Privacy Policy, Data Classification & Handling, DPIA, and a record of processing activities.

Baseline “must-have” (in your context)

These are the policies/procedures I recommend as the minimum set (typical audit expectation for DORA/CSSF/ISO):

  1. Information Security Policy

  2. ICT Risk Management Framework Policy (+ ICT Risk Assessment Policy)

  3. Digital Operational Resilience Strategy (DORS)

  4. Incident Response Policy/Procedure (with classification and regulatory notifications)

  5. Business Continuity & Disaster Recovery Policy (BIA, testing, RTO/RPO)

  6. Access Management / IAM Policy (JML, reviews, privileges)

  7. Change Management Charter/Procedure

  8. Vulnerability & Patch Management Policy/Procedure

  9. Encryption/Cryptography Policy

  10. Third-Party/Outsourcing Policy (+ DORA Information Register)

  11. KRI Monitoring Policy (Appetite/Tolerance/Capacity + escalation)

  12. Security Testing / DORT Program

  13. Acceptable Use Policy (AUP)

  14. Data Classification & Handling Policy

  15. Backup & Restore Policy/Standard

  16. Logging & Monitoring / SIEM Standard

  17. Data Privacy Policy (GDPR, with DPO)

Regulated/supporting (often required)

  • Value Chain / CIF Policy (CIF perimeter and dependency mapping)

  • ICT Project Risk Management + Project Risk Assessment Methodology

  • Cloud/SaaS & Supplier Security Standard

  • Secure SDLC / DevSecOps Standard

  • Remote Work / Mobile Device / Email & DLP Standards

  • Physical & Environmental Security Standard

  • AI Governance/Policy (coming at group level)
