EBA Guidelines on ICT and security risk management
Long before the Digital Operational Resilience Act (DORA), credit institutions (aka banks) and investment firms (aka investment banks, hedge funds, PE & VC firms, ...), but also PSPs (Payment Service Providers under the Payment Services Directive 2 (PSD2) regulation), had to comply with these guidelines on ICT and security risk management.
If you compare DORA with these guidelines, you'll see that there is an approximately 100% overlap between the two. DORA entirely includes (and supersedes) all of these guidelines' requirements (and adds more of them, of course, alas).
Guidelines
- Governance and strategy
  - Governance
  - Strategy
  - Use of third party providers
- ICT and security risk management framework
  - Organisation and objectives
  - Identification of functions, processes and assets
  - Classification and risk assessment
  - Risk mitigation
  - Reporting
  - Audit
- Information security
  - Information security policy
  - Logical security
  - Physical security
  - ICT operation security
  - Security monitoring
  - Information security reviews, assessment and testing
  - Information security training and awareness
- ICT operations management
  - ICT incident and problem management
- ICT project and change management
  - ICT project management
  - ICT systems acquisition and development
  - ICT change management
- Business continuity management
  - Business impact analysis
  - Business continuity planning
  - Response and recovery plans
  - Testing of plans
  - Crisis communications
- Payment service user relationship management
The last one is perhaps the odd one out, but it spells out the mitigating controls a PSP needs to provide to its customers, specifically with regard to payments. For example:
- Educate and assist customers: provide information and guidance about security risks associated with payment services.
- Keep information up-to-date: regularly update educational materials to reflect new threats and vulnerabilities.
- Allow for customization: give customers the option to disable specific payment functionalities if desired.
- Offer flexible spending limits: allow customers to adjust spending limits within agreed-upon parameters.
- Provide fraud alerts: notify customers of suspicious activity on their accounts.
- Communicate security updates: keep customers informed about changes in security procedures.
- Offer support: assist customers with any security-related questions or issues.