A step towards DORA Compliance

By Moussa Ouedraogo March 7, 2023

Most organizations, regardless of the vertical, are engaged in complex and massive interconnections, which leads to security challenges. As a result, individual and local initiatives alone may not suffice to effectively defend against current and future threats. Indeed, more synergy and collaboration is essential amongst companies that are “shareholders in security” and hence affected by breaches at others. Recent EU cybersecurity initiatives, including NIS/NIS2 and DORA for the financial sector, have sought to address the cybersecurity and resilience of both organizations delivering essential and vital services, on the one hand, and financial services, on the other. According to both regulations, cyber risks from third-party organizations and the ensuing disruption cannot be effectively managed without due attention to supply chain risk management.

To minimize the impact of such disruptions, organizations develop cyber resilience strategies, including business continuity plans (BCP), to prepare in advance of a disruption. Given the proliferation and sophistication of recent attacks, BC planning gives organizations the opportunity to reduce the impact of a disaster by planning out, before the event occurs, the procedures and steps to resume operations. In that vein, global cybersecurity and ICT leaders have issued frameworks and recommendations: ENISA, for instance, issued a threat landscape analysis for attacks and recommendations for mitigating supply chain security risks. With major exploits arising from vulnerabilities at the software level, Google introduced, in June 2021, an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain called SLSA (Supply chain Levels for Software Artifacts).

The Digital Operations Resilience Act (DORA), which was validated at the end of last year, is the European Union’s attempt to streamline the third-party risk management process across financial institutions. As such, DORA aims to bolster operational resilience within the financial industry so that business continuity can be guaranteed even while an organization’s ICT is suffering disruptions such as a cyber-attack. The core principles of DORA include: (i) the strong implementation of risk management practices; (ii) awareness and management of third-party risks, effective detection and response; and (iii) a comprehensive business continuity policy along with disaster and recovery plans to adequately react to identified security incidents and to ensure the resilience, continuity, and availability of ICT systems.

In line with the European initiative, the Horizon Europe Project CS AWARE NEXT offers a pragmatic means of enhancing resilience and security in the context of local or regional interdependent organizations. CS AWARE NEXT offers an opportunity for organizations to implement DORA in the following ways:

  • A soft systems analysis gives organizations the opportunity to understand their dependencies with third parties, providing a baseline for adequately managing third-party risks.
  • A business continuity deviation or risk specification model, which enables BC managers to specify events conducive to service delivery impairment.
  • Means to detect business continuity related incidents.
  • Means to elaborate and trigger a recovery plan based on key indicators such as RTO and RPO.
  • The recovery module in CS AWARE NEXT purports to ensure key services within an organization are rapidly (taking account of RTO and RPO) brought back into operation following a security incident.

By adopting CS Awareness sought solutions, organizations increase their state of resilience against service-crippling attacks while aligning themselves with emerging regulations such as DORA or NIST.