Financial enterprises in the European Union (EU) have received a mandate to prioritize cybersecurity. With the ratification of the Digital Operational Resilience Act (DORA), financial organisations will be required to define, approve, oversee, and be accountable for the implementation of all arrangements related to DORA's risk-management framework by 17 January 2025. Identity and access management (IAM) plays a critical role in DORA compliance.
IAM serves as a security discipline embedded into critical business processes. It ensures that only the right people have access to the right information at the right time. An expert IAM team can establish tailored solutions for employees, customers, and third-party partners. This includes implementing precise access management controls at both departmental and individual role levels, ensuring users can only access data and make system changes within their clearly defined responsibilities.
Five Areas of Focus for DORA Compliance
IAM plays a crucial role in addressing the five key areas outlined by DORA, including:
1. ICT risk management
DORA compliance requires firms to adopt information and communication technology (ICT) governance and control frameworks. These include an IT risk management framework that is documented and reviewed at least annually. An access management solution brings comprehensive oversight to every level of access to systems across an organisation. A well-implemented access solution enforces multi-factor authentication before anyone can access a system, which makes clear who is accessing what information and when. IAM can also evaluate whether a high-risk access attempt is underway; if one is detected, additional controls can be triggered automatically to confirm or block the user's access. A further benefit for risk management is that IAM manages the lifecycle of an employee and their system access. For example, an employee joins a company in one role, is promoted, then leaves the company. At every step, IAM can ensure that the right access is granted and, just as importantly, closed off. This prevents 'access creep', and it prevents disgruntled ex-employees from retaining access and using it unlawfully.
2. ICT-related incident reporting
Central to DORA compliance is the requirement for prompt logging of any ICT security incident. Additionally, the security and monitoring solution must report all major incidents to the appropriate authorities using common templates and procedures. An identity security program makes it easier to see what happened, who did it, and where in the system it happened. IAM can also help to define who has reporting obligations and to which regulatory authorities. Strong IAM frameworks and systems allow organisations to quickly surface critical incident data: the number of users affected, the duration, the geographical spread, the extent of the disruption, and the extent of the impact on economic and societal activities. All of this is critical in the urgent hours following an incident.
3. ICT third-party risk management
A challenging aspect of DORA is the need to have secure ICT systems. This extends beyond the initial organisation and into third-party suppliers. DORA expects monitoring of third-party contractual arrangements. Additionally, the European Supervisory Authorities require oversight of critical ICT third-party service providers. Supply chains are increasingly bringing risk into ICT systems: enterprises frequently outsource support functions and collaborate with industry partners, and as a result countless people outside of the core business gain access to its systems. Alarmingly, much of this access is excessive, significantly expanding the potential attack surface. An identity security solution closes off wide swaths of this attack surface by defining access rights beyond the initial organisation and enforcing limits on them. This ensures that suppliers and partners can provide their critical services without compromising security. Enhancing access and identity visibility across third-, fourth- and nth-party suppliers is critical in today's software- and data-centric world. The interconnected nature of supply chains is core to many financial services organisations, and it often leaves them even more exposed to attacks and vulnerabilities. The most mature organisations use IAM controls to remain constantly alert to potential issues and to the security challenges that third-party services can bring.
4. Information sharing
DORA encourages voluntary sharing of cyber threat information with other financial organisations. The goal is to build greater resilience across the whole industry. This information could include threat tactics, techniques, and indicators of compromise. When an enterprise shares a potential threat, an identity management solution can be quickly leveraged to help reduce that threat securely. Protecting the shared information through strong role-based access controls is also essential to keeping sensitive threat or compromise data protected. IAM systems can continuously monitor data, identities, and permissions. This provides visibility into what sensitive information has been intentionally or unintentionally shared. Some organisations have enabled automatic alerts on abnormal behaviours outside of an 'identity perimeter'. Robust IAM processes therefore provide a better understanding of where systems share information, and thus improve risk management.
5. Digital operational resilience testing
DORA expects organisations to perform annual resilience tests, alongside advanced threat-led penetration tests at least every 3 years. While organisations perform penetration and disaster recovery testing, an identity security solution can help identify and support remediation of toxic combinations of access and overprivileged accounts. This helps fulfil multiple requirements for DORA compliance. Equally, testing the IAM systems themselves is key to ensuring that their processes and controls are performing optimally. This includes checking that administration procedures are in place and functioning: validating that application access provisioning requirements are met, how application terminations are processed, whether user access reviews are performed regularly, and whether application profiles and permissions are correct.
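The lifecycle controls in section 1 (joiner, mover, leaver, and the 'access creep' they guard against) and the review checks in section 5 (provisioning correctness, terminations, toxic combinations, user access reviews) can be made concrete with a small worked example. The code below is an added illustration for this page, not Simeio's product or anything from the original article; the role catalogue, entitlement names, segregation-of-duties rule and the four sample accounts are constructed data, and the functions (joiner, mover, sloppy_mover, leaver, review, demo) are hypothetical names chosen here.

```python
"""Joiner-mover-leaver lifecycle with an access review that flags access creep,
incomplete terminations, under-provisioning and toxic combinations.
All data below is constructed sample data, not a real IAM product's model."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed role catalogue: each role maps to the entitlements it legitimately needs.
ROLE_ENTITLEMENTS = {
    "teller": {"core-banking:read", "cash-drawer:operate"},
    "branch-manager": {"core-banking:read", "core-banking:approve", "hr-portal:read"},
    "payments-ops": {"payments:initiate", "core-banking:read"},
    "payments-approver": {"payments:approve", "core-banking:read"},
}

# Constructed segregation-of-duties rule: one person must never both initiate and approve payments.
TOXIC_COMBINATIONS = [frozenset({"payments:initiate", "payments:approve"})]


@dataclass
class Account:
    user: str
    role: Optional[str]                    # None means the person has left (leaver)
    entitlements: set = field(default_factory=set)
    active: bool = True


def joiner(acct: Account, role: str) -> None:
    """Onboarding: provision exactly the entitlements the starting role needs."""
    acct.role = role
    acct.active = True
    acct.entitlements = set(ROLE_ENTITLEMENTS[role])


def mover(acct: Account, new_role: str) -> None:
    """Role change done correctly: replace old entitlements with the new role's set."""
    acct.role = new_role
    acct.entitlements = set(ROLE_ENTITLEMENTS[new_role])


def sloppy_mover(acct: Account, new_role: str) -> None:
    """The anti-pattern behind access creep: add the new role's rights, revoke nothing."""
    acct.role = new_role
    acct.entitlements |= ROLE_ENTITLEMENTS[new_role]


def leaver(acct: Account) -> None:
    """Termination: disable the account and remove every entitlement."""
    acct.role = None
    acct.active = False
    acct.entitlements = set()


def review(accounts: list) -> dict:
    """User access review: returns {user: [findings]}; an empty dict means a clean estate."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct.role is None:
            # Leavers must be disabled and hold no entitlements at all.
            if acct.active or acct.entitlements:
                issues.append("terminated user still has access")
        else:
            expected = ROLE_ENTITLEMENTS[acct.role]
            surplus = acct.entitlements - expected       # rights the current role does not justify
            missing = expected - acct.entitlements       # provisioning requirement not met
            if surplus:
                issues.append("access creep: " + ", ".join(sorted(surplus)))
            if missing:
                issues.append("under-provisioned: " + ", ".join(sorted(missing)))
        for combo in TOXIC_COMBINATIONS:
            if combo <= acct.entitlements:
                issues.append("toxic combination: " + " + ".join(sorted(combo)))
        if issues:
            findings[acct.user] = issues
    return findings


def demo() -> dict:
    """Run four constructed lifecycles through the review."""
    alice = Account("alice", None); joiner(alice, "teller"); mover(alice, "branch-manager")
    bob = Account("bob", None); joiner(bob, "payments-ops"); sloppy_mover(bob, "payments-approver")
    carol = Account("carol", None); joiner(carol, "teller"); leaver(carol)
    dave = Account("dave", None); joiner(dave, "teller"); dave.role = None  # offboarding never completed
    return review([alice, bob, carol, dave])


if __name__ == "__main__":
    for user, issues in demo().items():
        print(user, "->", "; ".join(issues))
```

Only bob and dave appear in the report: bob kept his payments-ops rights after moving to an approver role, which is both access creep and a toxic combination, and dave was marked as a leaver but never actually disabled. The same review run on a real entitlement export is the evidence an auditor would expect for the access review and termination checks in section 5.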
Get Set for Digital Operational Resilience Act Success
As organisations increasingly use Software-as-a-Service and move workloads and infrastructure to the cloud, the IT estate and identity landscape grow ever more complex. Achieving DORA compliance requires full visibility into how human and machine identities interact with protected data. With DORA prioritizing ICT resilience, IAM emerges as a critical pillar for ensuring regulatory compliance and operational security.
Contact a Simeio identity expert now and learn how the Simeio team achieves DORA compliance.
Written by Steve Turner