DORA expects financial entities to establish, maintain, and review a sound and comprehensive digital operational resilience testing program as an integral part of the ICT risk-management framework.
In this blog, we will cover 10 expectations that the regulator (DORA) places on resilience testing. Before that, let us understand what resilience testing is.
Resilience testing is a type of testing that evaluates a system’s ability to recover from failures or disruptions and continue operating effectively. The main goal of resilience testing is to ensure that a system can maintain its functionality and performance under adverse conditions. This type of testing typically involves simulating various failure scenarios, such as hardware failures, network issues, or other unexpected events, to observe how well the system can adapt, recover, and continue to deliver its intended services. The purpose is to identify weaknesses and potential points of failure, and to enhance the overall robustness of the system.
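To make the definition above concrete, here is a small added example (not code from the original post or from any DORA text) of what a resilience test looks like in practice: a simulated service with a flaky backend, a fault injector that switches the backend into an "error" or "slow" (timeout) scenario for a window of time, and a harness that records whether the service kept serving, how many calls it made to the failing dependency, and how long it took to recover once the fault was lifted. All names (`FaultInjector`, `CircuitBreaker`, `Service`, `run_scenario`) and the logical clock are constructed for this illustration and correspond to no real product.

```python
"""Minimal resilience-test harness (constructed example, not from the page).

A front-end `Service` depends on a backend that a `FaultInjector` can push
into a failure scenario. The service protects itself with a circuit breaker
and a stale-cache fallback; `run_scenario` drives a fault window through it
and returns the metrics a resilience test is after: did we keep serving,
how hard did we hammer the failing dependency, how fast did we recover.
Time is a logical tick counter so the run is deterministic and offline.
"""
from dataclasses import dataclass


class BackendError(Exception):
    """Raised by the simulated backend when the 'error' scenario is active."""


@dataclass
class FaultInjector:
    """Simulated backend whose failure mode the test controls."""
    mode: str = "healthy"   # "healthy" | "error" | "slow"
    calls: int = 0          # total calls, used to measure load on the dependency

    def fetch(self, key):
        self.calls += 1
        if self.mode == "error":
            raise BackendError("injected backend failure")
        if self.mode == "slow":
            # A request exceeding its deadline surfaces to the caller as a timeout.
            raise TimeoutError("injected timeout")
        return f"value-for-{key}"


class CircuitBreaker:
    """Opens after `threshold` consecutive failures; lets one probe call through
    every `cooldown` ticks while open (half-open), closes again on success."""

    def __init__(self, threshold=3, cooldown=5):
        self.threshold, self.cooldown = threshold, cooldown
        self.failures, self.opened_at = 0, None

    def allow(self, now):
        return self.opened_at is None or now - self.opened_at >= self.cooldown

    def record_success(self):
        self.failures, self.opened_at = 0, None

    def record_failure(self, now):
        self.failures += 1
        if self.failures >= self.threshold:
            self.opened_at = now  # (re)open and restart the cooldown


class Service:
    """Serves fresh data from the backend, degrading to stale cached data."""

    def __init__(self, backend, breaker, fallback=True):
        self.backend, self.breaker, self.fallback = backend, breaker, fallback
        self.cache = {}

    def get(self, key, now):
        if self.breaker.allow(now):
            try:
                value = self.backend.fetch(key)
            except (BackendError, TimeoutError):
                self.breaker.record_failure(now)
            else:
                self.breaker.record_success()
                self.cache[key] = value
                return value, "fresh"
        if self.fallback and key in self.cache:
            return self.cache[key], "stale"
        return None, "unavailable"


def run_scenario(fault_mode, fault_window=(5, 15), ticks=30, fallback=True):
    """Run one failure scenario and return resilience metrics.

    The backend is healthy, then shows `fault_mode` for ticks in
    [fault_window[0], fault_window[1]), then is healthy again.
    """
    backend = FaultInjector()
    service = Service(backend, CircuitBreaker(threshold=3, cooldown=5), fallback)
    counts = {"fresh": 0, "stale": 0, "unavailable": 0}
    calls_during_fault, recovered_at = 0, None
    start, end = fault_window
    for now in range(ticks):
        backend.mode = fault_mode if start <= now < end else "healthy"
        before = backend.calls
        _, status = service.get("config", now)
        counts[status] += 1
        if backend.mode != "healthy":
            calls_during_fault += backend.calls - before
        if now >= end and status == "fresh" and recovered_at is None:
            recovered_at = now
    return {
        "served": counts["fresh"] + counts["stale"],
        "stale": counts["stale"],
        "unavailable": counts["unavailable"],
        "backend_calls_during_fault": calls_during_fault,
        "recovery_delay": None if recovered_at is None else recovered_at - end,
    }


if __name__ == "__main__":
    for mode in ("error", "slow"):
        print(mode, "with fallback:", run_scenario(mode))
        print(mode, "no fallback:  ", run_scenario(mode, fallback=False))
```

The two numbers a reviewer of such a test would look at are `unavailable` (did clients see failures during the fault window) and `recovery_delay` (how many ticks after the fault cleared before fresh responses resumed; here it is bounded by the breaker's cooldown). Running the same scenario with `fallback=False` shows the weakness the test is meant to expose: the breaker still limits calls to the failing dependency, but every request in the window is lost.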
DORA – 10 Expectations from Resilience Testing by the Regulator
- Apart from considering the generic ICT risks, the financial entity must also look at specific risk exposures, based on the criticality of the information assets and services provided.
- Tests are undertaken by independent parties, whether internal or external.
- Establish procedures and policies to prioritize, classify, and remedy all issues revealed throughout the performance of the tests.
- Establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies, or gaps are fully addressed.
- Ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical functions. It also recommends that financial entities carry out advanced testing using threat-led penetration testing (TLPT) at least every 3 years.
- Competent authorities shall identify the financial entities that are required to perform TLPT, taking into account the criteria set out in the technical standard, along with the scope, methodology, and process.
- Each threat-led penetration test shall cover several or all critical or important functions of a financial entity and shall be performed on live production systems supporting such functions.
- Financial entities shall identify all relevant underlying ICT systems, processes, and technologies supporting critical or important functions and ICT services, including those supporting the critical or important functions that have been outsourced or contracted to ICT third-party service providers.
- Where ICT third-party service providers are included in the scope of TLPT, the financial entity shall take the necessary measures and safeguards to ensure the participation of such ICT third-party service providers in the TLPT. The ICT third-party service provider will also ensure that proper risk management is followed with respect to data, assets, functions, and other items. In specific cases, ICT third-party service providers can directly enter into contractual arrangements with an external tester; however, the scope will be as defined by the financial entity.
- Testing reports, remediation plans, and other details as required shall be provided to the authority. The financial entity must obtain from the authorities an attestation of test conformance.