forked from intuitem/ciso-assistant-community
croe-for-fmi.yaml
urn: urn:intuitem:risk:library:croe-for-fmi
locale: en
ref_id: CROE-for-FMI
name: Cyber resilience oversight expectations for financial market infrastructures
description: "The cyber resilience oversight expectations (CROE) serves the following\
\ three key purposes: \n(i) it provides FMIs with detailed steps on how to operationalise\
\ the Guidance, ensuring they are able to foster improvements and enhance their\
\ cyber resilience over a sustained period of time; \n(ii) it provides overseers\
\ with clear expectations to assess the FMIs for which they are responsible; and\
\ \n(iii) it provides the basis for a meaningful discussion between the FMIs and\
\ their respective overseers.\n\nHere is the link to the document:\nhttps://www.ecb.europa.eu/paym/pdf/cons/cyberresilience/Cyber_resilience_oversight_expectations_for_financial_market_infrastructures.pdf"
copyright: ECB-PUBLIC
version: 1
provider: EUROPEAN CENTRAL BANK
packager: intuitem
objects:
framework:
urn: urn:intuitem:risk:framework:croe-for-fmi
ref_id: CROE-for-FMI
name: Cyber resilience oversight expectations for financial market infrastructures
description: "The cyber resilience oversight expectations (CROE) serves the following\
\ three key purposes: \n(i) it provides FMIs with detailed steps on how to operationalise\
\ the Guidance, ensuring they are able to foster improvements and enhance their\
\ cyber resilience over a sustained period of time; \n(ii) it provides overseers\
\ with clear expectations to assess the FMIs for which they are responsible; and\
\ \n(iii) it provides the basis for a meaningful discussion between the FMIs\
\ and their respective overseers.\n\nHere is the link to the document:\nhttps://www.ecb.europa.eu/paym/pdf/cons/cyberresilience/Cyber_resilience_oversight_expectations_for_financial_market_infrastructures.pdf"
implementation_groups_definition:
- ref_id: EVOLVING
name: EVOLVING
description: 'Essential capabilities are established, evolve and are sustained
across the
FMI to identify, manage and mitigate cyber risks, in alignment with the cyber
resilience
strategy and framework approved by the Board. Performance of practices is
monitored and managed.'
- ref_id: ADVANCING
name: ADVANCING
description: "In addition to meeting the evolving level\u2019s requirements,\
\ practices at this\nlevel involve implementing more advanced tools (e.g.\
\ advanced technology and risk\nmanagement tools) that are integrated across\
\ the FMI\u2019s business lines and have been\nimproved over time to proactively\
\ manage cyber risks posed to the FMI."
- ref_id: INNOVATING
name: INNOVATING
description: "In addition to meeting the evolving and advancing levels\u2019\
\ requirements,\ncapabilities across the FMI are enhanced as needed within\
\ the rapidly evolving cyber\nthreat landscape, in order to strengthen the\
\ FMI\u2019s cyber resilience and its ecosystem\nand by proactively collaborating\
\ with its external stakeholders. This level involves\ndriving innovation\
\ in people, processes and technology for the FMI and the wider\necosystem\
\ to manage cyber risks and enhance cyber resilience. This may call for new\n\
controls and tools to be developed or new information-sharing groups to be\
\ created."
requirement_nodes:
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2
assessable: false
depth: 1
ref_id: '2'
name: Cyber resilience oversight expectations
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2
ref_id: '2.1'
name: Governance
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.1
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1
ref_id: 2.1.1
name: Preamble
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node5
assessable: false
depth: 4
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.1
description: "Cyber governance refers to the arrangements an FMI has put in\
\ place to establish, implement and review its approach to managing cyber\
\ risks. Effective cyber governance should start with a clear and comprehensive\
\ cyber resilience framework that prioritises the security and efficiency\
\ of the FMI\u2019s operations, and supports financial stability objectives.\
\ The framework should be guided by an FMI\u2019s cyber resilience strategy,\
\ define how the FMI\u2019s cyber resilience objectives are determined, and\
\ outline its people, processes and technology requirements for managing cyber\
\ risks and timely communication in order to enable an FMI to collaborate\
\ with relevant stakeholders to effectively respond to and recover from cyber\
\ attacks. It is essential that the framework is supported by clearly defined\
\ roles and responsibilities of the FMI\u2019s Board (or equivalent) and its\
\ management, and it is incumbent upon its Board and management to create\
\ a culture which recognises that staff at all levels have important responsibilities\
\ in ensuring the FMI\u2019s cyber resilience."
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node6
assessable: false
depth: 4
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.1
description: "Strong cyber governance is essential to an FMI\u2019s implementation\
\ of a systematic and proactive approach to managing the prevailing and emerging\
\ cyber threats that it faces. It also supports efforts to appropriately consider\
\ and manage cyber risks at all levels within the organisation and to provide\
\ appropriate resources and expertise to deal with these risks. This chapter\
\ provides guidance on what basic elements an FMI\u2019s cyber resilience\
\ framework should include and how an FMI\u2019s governance arrangements should\
\ support that framework."
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1
ref_id: 2.1.2
name: Expectations
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1
assessable: false
depth: 4
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2
ref_id: 2.1.2.1
name: Cyber resilience strategy and framework
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node9
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1
name: 'Cyber resilience strategy:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node9
ref_id: 2.1.2.1-1
description: 'The FMI should establish an internal, cross-disciplinary steering
committee comprised of senior management and appropriate staff (employees
and/or contractors) from multiple business units (e.g. business, finance,
risk management, internal audit, operations, cybersecurity, information technology
(IT), communications, legal and human resources, some of which may be external),
to collectively develop a cyber resilience strategy and framework. The steering
committee should provide multiple views and perspectives to ensure that the
cyber resilience strategy and framework is holistic and focuses on all elements
related to people, processes and technology. Among other things, the steering
committee should:'
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1.a
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1
ref_id: 2.1.2.1-1.a
description: "evaluate and prioritise internal and external stakeholders\u2019\
\ needs and expectations, deciding on the overall requirements from cyber\
\ resilience;"
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1.b
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1
ref_id: 2.1.2.1-1.b
description: provide direction to senior management on what cyber resilience
should achieve;
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1.c
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1
ref_id: 2.1.2.1-1.c
description: define who makes cyber resilience decisions and how those decisions
should be made;
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1.d
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1
ref_id: 2.1.2.1-1.d
description: "consider the FMI\u2019s risk landscape and risk tolerance when\
\ defining how cyber risks should be addressed;"
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1.e
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1
ref_id: 2.1.2.1-1.e
description: evaluate how the different business units are impacted and can
work together in an integrated manner to achieve enterprise-wide outcomes;
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1.f
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1
ref_id: 2.1.2.1-1.f
description: consider how to monitor the performance and outcomes of cyber resilience
and intervene if necessary to ensure that the specified direction is followed.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node9
ref_id: 2.1.2.1-2
description: Based on the above reflections, the FMI should document its cyber
resilience strategy. The FMI should ensure that the following aspects are
considered and included in the strategy.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.a
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2
ref_id: 2.1.2.1-2.a
description: The importance of cyber resilience to the FMI and its key stakeholders.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.b
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2
ref_id: 2.1.2.1-2.b
description: "Internal and external stakeholders\u2019 high-level requirements,\
\ so that these can be taken into account when defining cyber resilience governance\
\ and goals for cyber resilience management. Some common categories of stakeholders\
\ that may be considered include: owners and investors, customers and clients,\
\ suppliers, employees, legal and regulatory authorities, and competitors\
\ and industry bodies."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.c
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2
ref_id: 2.1.2.1-2.c
description: "The FMI\u2019s vision and mission in relation to cyber resilience."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.d
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2
ref_id: 2.1.2.1-2.d
description: "The cyber resilience objectives that the FMI will work towards,\
\ which should include ensuring the ongoing efficiency, effectiveness and\
\ economic viability of its services to its users and maintaining and promoting\
\ the FMI\u2019s ability to anticipate, withstand, contain and recover from\
\ cyber attacks."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.e
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2
ref_id: 2.1.2.1-2.e
description: "The FMI\u2019s cyber risk appetite, to ensure that it remains\
\ consistent with the FMI\u2019s risk tolerance, as well as with the FMI\u2019\
s overall business objectives and corporate strategy."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.f
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2
ref_id: 2.1.2.1-2.f
description: "Clear and credible cyber maturity targets and a roadmap or implementation\
\ plan with change delivery and planning of capabilities relating to people,\
\ processes and technology at pace with threats and proportionate to the FMI\u2019\
s size and criticality. The strategy should clearly set out how this roadmap\
\ or implementation plan will be delivered and how the Board should track\
\ and monitor delivery."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.g
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2
ref_id: 2.1.2.1-2.g
description: The high-level scope of technology and assets which will be used
to manage cyber resilience.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.h
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2
ref_id: 2.1.2.1-2.h
description: The interactions with other participants, FMIs and third parties,
on areas such as information sharing.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.i
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2
ref_id: 2.1.2.1-2.i
description: The governance necessary to enable cyber resilience to be designed,
transitioned, operated and improved.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.j
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2
ref_id: 2.1.2.1-2.j
description: How cyber resilience initiatives will be delivered, managed and
funded, including the budgeting process and organisational capabilities.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.k
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2
ref_id: 2.1.2.1-2.k
description: How cyber resilience will be integrated into all aspects of the
FMI, which includes people, processes, technology and new business initiatives.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-3
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node9
ref_id: 2.1.2.1-3
description: The FMI should ensure that the cyber resilience strategy is aligned
to its corporate strategy and other relevant strategies (e.g. enterprise risk
management, operational risk and IT).
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-4
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node9
ref_id: 2.1.2.1-4
description: "The FMI\u2019s Board should approve the cyber resilience strategy,\
\ and should ensure that it is regularly reviewed and updated according to\
\ the FMI\u2019s threat landscape."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-5
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node9
ref_id: 2.1.2.1-5
description: "The Board should be kept regularly informed of the FMI\u2019s\
\ cyber risk and ensure consistency with the FMI\u2019s risk tolerance and\
\ appetite, so that it can achieve the FMI\u2019s overall business objectives\
\ and corporate strategy."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node32
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1
name: 'Cyber resilience framework:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-6
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node32
ref_id: 2.1.2.1-6
description: The FMI should have a cyber resilience framework that clearly sets
out how it determines its cyber resilience objectives and risk tolerance,
as well as how it effectively identifies, mitigates, and manages its cyber
risks to support its objectives.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-7
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node32
ref_id: 2.1.2.1-7
description: "The FMI\u2019s cyber resilience framework should systematically\
\ incorporate the requirements (i.e. policies, procedures and controls) related\
\ to governance, identification, protection, detection, response and recovery,\
\ testing, situational awareness, and learning and evolving."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-8
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node32
ref_id: 2.1.2.1-8
description: The FMI should use leading international, national and industry-level
standards, guidelines or recommendations (e.g. NIST, COBIT 5 and ISO/IEC 27000,
etc.), reflecting current industry best practices in managing cyber threats,
as a benchmark for designing its cyber resilience framework and incorporating
the most effective cyber resilience solutions.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-9
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node32
ref_id: 2.1.2.1-9
description: "At the broader level, the FMI\u2019s cyber resilience framework\
\ should be consistent with its enterprise risk management framework."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-10
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node32
ref_id: 2.1.2.1-10
description: "The FMI\u2019s Board should endorse this cyber resilience framework,\
\ ensuring it is aligned with the FMI\u2019s formulated cyber resilience strategy,\
\ review it at least annually and update it when needed to ensure that it\
\ remains relevant."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-11
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node32
ref_id: 2.1.2.1-11
description: "The FMI\u2019s cyber resilience framework should clearly define\
\ the roles and responsibilities, including accountability for decision-making\
\ within the organisation, for identifying, mitigating and managing cyber\
\ risk."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node39
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1
name: 'Cyber resilience strategy and framework:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-12
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node39
ref_id: 2.1.2.1-12
description: The FMI should use maturity models and define relevant metrics
to assess and measure the adequacy and effectiveness of and adherence to its
cyber resilience framework through independent compliance programmes and audits
carried out by qualified staff on a regular basis.
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node39
ref_id: 2.1.2.1-13
description: 'The FMI should ensure that, as part of its formal process to review
and update its cyber resilience strategy and framework (including all policies,
procedures and controls), a number of factors are considered, such as:'
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.a
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13
ref_id: 2.1.2.1-13.a
description: the current and evolving cyber threats (e.g. those associated with
the supply chain, use of cloud services, social networking, mobile applications
and the internet of things, etc.);
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.b
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13
ref_id: 2.1.2.1-13.b
description: threat intelligence on threat actors and new tactics, techniques
and procedures which may specifically impact the FMI;
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.c
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13
ref_id: 2.1.2.1-13.c
description: "the results of risk assessments of the FMI\u2019s critical functions,\
\ key roles, processes, information assets, third-party service providers\
\ and interconnections;"
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.d
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13
ref_id: 2.1.2.1-13.d
description: actual cyber incidents that have impacted the FMI directly or external
cyber incidents from the ecosystem;
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.e
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13
ref_id: 2.1.2.1-13.e
description: lessons learned from audits and tests on the cyber resilience framework;
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.f
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13
ref_id: 2.1.2.1-13.f
description: "the FMI\u2019s performance against the relevant metrics and maturity\
\ models;"
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.g
assessable: true
depth: 7
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13
ref_id: 2.1.2.1-13.g
description: new business developments and future strategic objectives.
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-14
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node39
ref_id: 2.1.2.1-14
description: "The FMI\u2019s cyber resilience strategy and framework should\
\ consider how the FMI would continuously review and proactively identify,\
\ mitigate and manage the cyber risks that it bears from and poses to its\
\ participants, other FMIs, vendors, vendor products and its service providers,\
\ which are collectively referred to as an FMI\u2019s ecosystem."
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node50
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1
name: 'Cyber resilience strategy and framework:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-15
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node50
ref_id: 2.1.2.1-15
description: "The cyber resilience strategy should outline the FMI\u2019s future\
\ state of cyber resilience, in terms of maturity and/or risk, with short\
\ and long-term perspectives, and senior management should continuously improve\
\ and adapt the existing cyber resilience strategy and framework as the desired\
\ maturity level and/or risk landscape changes."
implementation_groups:
- INNOVATING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-16
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node50
ref_id: 2.1.2.1-16
description: "The FMI should establish the appropriate structures, processes\
\ and relationships with the key stakeholders in the ecosystem to continuously\
\ and proactively enhance the ecosystem\u2019s cyber resilience and promote\
\ financial stability objectives as a whole."
implementation_groups:
- INNOVATING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2
assessable: false
depth: 4
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2
ref_id: 2.1.2.2
name: Role of the Board and senior management
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node54
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2
name: 'Board and management responsibilities:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-17
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54
ref_id: 2.1.2.2-17
description: "The FMI\u2019s Board should be responsible for approving the cyber\
\ resilience strategy and framework, setting the FMI\u2019s risk tolerance\
\ for cyber risks and closely overseeing the FMI's implementation of its cyber\
\ resilience framework and the policies, procedures and controls that support\
\ it."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-18
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54
ref_id: 2.1.2.2-18
description: "In order to carry out the aforementioned responsibilities, the\
\ FMI\u2019s Board should ensure that it collectively possesses the appropriate\
\ balance of skills, knowledge and experience to understand and assess the\
\ cyber risks facing the FMI. It should also be sufficiently informed and\
\ capable of credibly challenging the recommendations and decisions of designated\
\ senior management. Although the Board should collectively increase its skills\
\ and knowledge on cybersecurity, it can also access specific expertise through\
\ a Board member with adequate experience, or through experienced staff and/or\
\ external independent organisation(s) reporting to and advising the Board."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-19
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54
ref_id: 2.1.2.2-19
description: The Board and senior management should ensure that a senior executive
(e.g. the CISO) is responsible and accountable for implementing the cyber
resilience strategy and framework at the enterprise level. The Senior Executive
should be independent, possess the appropriate balance of skills, knowledge
and experience, and have sufficient resources and direct access to the Board.
For further clarification on the possible roles and responsibilities of such
a senior executive, see Annex 3.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-20
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54
ref_id: 2.1.2.2-20
description: The Board and senior management should ensure that staff (including
senior management) who are responsible for cyber activities have suitable
skills, knowledge and experience, and are sufficiently informed and empowered
to make timely decisions.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-21
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54
ref_id: 2.1.2.2-21
description: "The Board and senior management should ensure that cyber risk,\
\ implementation of the cyber resilience framework and any associated issues\
\ appear regularly on the Board\u2019s meeting agenda. Boards should have\
\ adequate access to cybersecurity expertise (whether internal or external),\
\ and discussions about cyber risk management should be given adequate time\
\ on the Board\u2019s meeting agenda."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-22
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54
ref_id: 2.1.2.2-22
description: Senior management should regularly provide a written report to
the Board on the overall status of its cyber resilience programme and key
risks and issues.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-23
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54
ref_id: 2.1.2.2-23
description: "As part of the Board\u2019s updates, senior management should\
\ provide their budgeting and forecasting activities plan for ongoing and\
\ future resource needs to ensure cyber resilience objectives are continually\
\ achieved."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node62
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2
name: 'Culture:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-24
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node62
ref_id: 2.1.2.2-24
description: "The Board and senior management should cultivate a strong level\
\ of awareness of and commitment to cyber resilience. To that end, an FMI\u2019\
s Board and senior management should promote a culture that recognises that\
\ staff at all levels have important responsibilities for ensuring the FMI\u2019\
s cyber resilience, and lead by example."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-25
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node62
ref_id: 2.1.2.2-25
description: "The Board and senior management should ensure that behavioural\
\ and cultural change is nurtured and conveyed through leadership and vision,\
\ with clear and effective messages such as cyber resilience is everyone\u2019\
s duty. This could be executed throughout the FMI, possibly built into charters,\
\ vision statements and mandates from senior management, or through cyber\
\ awareness campaigns."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-26
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node62
ref_id: 2.1.2.2-26
description: Senior management should ensure that situational awareness materials
are made available to relevant employees when prompted by highly visible cyber
incidents, changes to the threat landscape and the impacts of these threats
to the FMI, or by regulatory alerts. For example, the FMI could send internal
emails about cyber events or post articles on its intranet site.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node66
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2
name: 'Skills and accountability:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-27
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node66
ref_id: 2.1.2.2-27
description: "Senior management should ensure that it has a programme for continuing\
\ cyber resilience training and skills development for all staff. This training\
\ programme should include the Board members and senior management and should\
\ be conducted at least annually. The annual cyber resilience training should\
\ include incident response, current cyber threats (e.g. threats, threat actors\
\ and vulnerabilities), tactics and techniques (e.g. phishing, spear phishing,\
\ social engineering and mobile security) and emerging issues, according to\
\ staff members\u2019 levels of responsibility and the risks associated with\
\ their respective roles."
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-28
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node66
ref_id: 2.1.2.2-28
description: Senior management should ensure that employees and contractors
with privileged account permissions and/or access to sensitive assets and
information, receive additional cyber resilience training commensurate with
their levels of responsibility, and that business units are provided with
cyber resilience training relevant to their criticality to the business.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-29
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node66
ref_id: 2.1.2.2-29
description: In order to implement the cyber resilience strategy and framework,
senior management should ensure that it identifies the competencies, skills
and resources required. Senior management could adopt well-known skills frameworks,
such as the European e-Competence Framework (e-CF) or the Skills Framework
for the Information Age (SFIA) to determine its organisational needs.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-30
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node66
ref_id: 2.1.2.2-30
description: Senior management should continuously review the skills, competencies
and training requirements to ensure that it has the right set of skills as
technologies and risks evolve.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node71
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2
name: 'Board and management responsibilities:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-31
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node71
ref_id: 2.1.2.2-31
description: "The FMI should ensure that the Board members\u2019 and senior\
\ management\u2019s understanding of their roles and responsibilities with\
\ regard to cyber resilience is regularly assessed, including their knowledge\
\ of cyber risks."
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-32
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node71
ref_id: 2.1.2.2-32
description: "The Board should ensure that senior management regularly conducts\
\ a cyber resilience self-assessment, which evaluates the FMI\u2019s cyber\
\ maturity. The Board should review the self-assessment and take appropriate\
\ decisions to improve the effectiveness of cyber activities and integration\
\ with the corporate strategy across the FMI."
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-33
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node71
ref_id: 2.1.2.2-33
description: The Board should review and approve senior management's prioritisation
and resource allocation decisions based on the results of the cyber (self-)
assessments, performance against key performance indicators (KPIs) and their
evolution against their target state of maturity, and the FMI's overall business
objectives.
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node75
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2
name: 'Culture:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-34
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node75
ref_id: 2.1.2.2-34
description: Senior management should establish and sustain incentives (e.g.
staff recognition awards) to ensure behaviours are consistent with the intended
cyber risk culture.
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-35
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node75
ref_id: 2.1.2.2-35
description: "Senior management should produce a formal cyber Code of Conduct,\
\ which can be incorporated into the FMI\u2019s enterprise Code of Conduct,\
\ and ensure that all employees comply with it."
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-36
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node75
ref_id: 2.1.2.2-36
description: Senior management should validate the effectiveness of its cyber
resilience training programme (e.g. social engineering or phishing tests)
and assess whether training and awareness programmes positively influence
behaviour. Based on the lessons learned from its training programme, the FMI
should improve the employee awareness programmes.
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-37
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node75
ref_id: 2.1.2.2-37
description: Senior management should develop key performance metrics (e.g.
KPIs) and key risk metrics (e.g. key risk indicators (KRIs)) and markers (both
quantitative and qualitative) and ensure supporting data are routinely collected
at the senior management level to monitor, measure and report on the implementation,
effectiveness, consistency and persistence of cyber activities.
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node80
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2
name: 'Skills and accountability:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-38
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node80
ref_id: 2.1.2.2-38
description: Senior management should embed a programme for talent recruitment,
retention and succession planning for the staff, and ensure such staff are
aligned to cyber activities and deployed effectively across the FMI.
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-39
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node80
ref_id: 2.1.2.2-39
description: Senior management should ensure that there are well-defined plans
for the succession of high-risk staff (e.g. senior management, system administrators,
software developers and critical system operators, etc.), and the recruitment
requirements for key cyber roles include suitable cyber skills, knowledge
and experience in alignment with defined succession plans.
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-40
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node80
ref_id: 2.1.2.2-40
description: Senior management should ensure that staff performance plans are
tied to compliance with cyber resilience policies and standards in order to
hold employees accountable.
implementation_groups:
- ADVANCING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node84
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2
name: 'Board and management responsibilities:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-41
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node84
ref_id: 2.1.2.2-41
description: The FMI should appoint a dedicated cyber expert to the Board.
implementation_groups:
- INNOVATING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-42
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node84
ref_id: 2.1.2.2-42
description: The standard Board meeting package should include reports and metrics
that cover areas such as suspicious cybersecurity events (e.g. increased network
behaviour and unusual user activity), cyber incidents and threat intelligence
trends for the ecosystem to facilitate discussions on how the FMI should respond
accordingly.
implementation_groups:
- INNOVATING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-43
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node84
ref_id: 2.1.2.2-43
description: The Board and senior management should proactively enhance its
strategic goals, objectives and tactical plans, as needed, to support cyber
activities and improvements across the ecosystem, making use of any available
sector-defined requirements and coordinated initiatives, and clearly communicate
this to the relevant stakeholders.
implementation_groups:
- INNOVATING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node88
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2
name: 'Culture:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-44
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node88
ref_id: 2.1.2.2-44
description: Senior management should cooperate proactively with other stakeholders
to promote a cyber resilience culture across the ecosystem.
implementation_groups:
- INNOVATING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node90
assessable: false
depth: 5
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2
name: 'Skills and accountability:'
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-45
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node90
ref_id: 2.1.2.2-45
description: Senior management should regularly benchmark its cyber resilience
capabilities against the market to identify its gaps in terms of governance,
skills, resources and tools, treating these gaps as cyber risks and addressing
them accordingly.
implementation_groups:
- INNOVATING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-46
assessable: true
depth: 6
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node90
ref_id: 2.1.2.2-46
description: Senior management should actively foster partnerships with industry
associations and cybersecurity practitioners to develop solutions for future
cyber resilience needs, which will be useful to the FMI and the ecosystem
as a whole.
implementation_groups:
- INNOVATING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2
ref_id: '2.2'
name: Identification
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.1
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2
ref_id: 2.2.1
name: Preamble
- urn: urn:intuitem:risk:req_node:croe-for-fmi:node95
assessable: false
depth: 4
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.1
description: "Given that an FMI\u2019s operational failure can negatively impact\
\ financial stability, it is crucial that FMIs identify which of their operations\
\ and supporting information assets should, in order of priority, be protected\
\ against compromise. The ability of an FMI to understand its internal situation\
\ and external dependencies is key to being able to effectively respond to\
\ potential cyber threats that might occur. This requires an FMI to know its\
\ information assets and understand its processes, procedures, systems and\
\ all dependencies to strengthen its overall cyber resilience posture. This\
\ chapter outlines areas where an FMI should identify and classify business\
\ processes and information assets as well as external dependencies."
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2
ref_id: 2.2.2
name: Expectations
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2
ref_id: 2.2.2-1
description: 'The FMI should identify and document all its critical functions,
key roles, processes and information assets that support those functions,
and update this information on a regular basis.'
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2
ref_id: 2.2.2-2
description: The FMI should identify and document all processes that are dependent
on third-party service providers and identify its interconnections, and update
this information on a regular basis.
implementation_groups:
- EVOLVING
- urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2
ref_id: 2.2.2-3