Question - Mapping processes to critical assets and third parties

ISSUE: The new regulation on resilience applicable to Banks and Insurance providers calls for consistency in the criticality. The criticality is usually defined at service/process level (with RTO/MTO among other things) and then cascaded to the supporting components such as assets and third parties. Currently the asset and third party can be linked to a BU but not to a process, and there is no criticality feature for processes.

This is the extract from DORA: “[…] perform the criticality assessment of information assets and ICT assets supporting business functions. The assessment shall take into account the ICT risk related to those business functions and their dependencies on the information assets or ICT assets […] impact their business processes and activities of the financial entity.”

RECOMMENDATION: Create a criticality category (Critical|Important|Non essential) in the process view. Link the processes to supporting assets and third parties and cascade the criticality to asset and process.

Happy to discuss this in more detail.

Have you tried doing this with custom fields?

Hi Dave
This is my workaround. The problem is that it requires multiple entries of the same data because modules can’t inherit custom fields (if my understanding is correct). Basically criticality is defined at process level but I’d need to re-enter it in the asset/third party supporting this process. Plus there is no process to third party link.

These kinds of changes affect many things for many people that simply don't need this; with that in mind, it is very unlikely for this to become a feature.

What might be a feature, maybe later this year, is that custom fields allow you to list items from other modules: Question: How do I get custom field names to work across different tabs?

Access to customised fields across modules is defo a good thing.

It feels that current data model with link to BU is limiting the options. If assets and third parties could be linked to process rather than BU wouldn’t it help?

Would that be a good feature to add?

For the time being these types of changes are not in the roadmap; they are very structural, affect many things and are not a priority.

Only assets link to BUs, Third Parties do not link to BUs

This is Section 2, 5.2 (Art. 5 ICT asset management procedure - RMF) and the text is wider; the requirement asks for a piece of paper (the word “procedure” is used) that describes how to define the criticality of “assets”. The requirements suggest the “process” should look at the risks of those assets and the business units (this is part of standard asset risk management in eramba) and a CIA classification on the asset (this can be done on the asset module in eramba as a classification).

I really don't see here the need for any new relationship in the software or the need to touch processes at all.

DORA does require “processes” (in eramba) to be linked to “Third Parties” as part of Section 2, 8.5 (Art. 8 Identification - DORA) and this is something we miss.

Please comment if we are not understanding each other but let’s stick to facts!!!

We are considering some new relationships in eramba to address the need to link “Processes” (not just Business Units) to Assets and Third Parties.

On the left side you see the current relationship; on the right side you see the new connections (dashed lines).

These will be OPTIONAL relationships, not mandatory. They will also be hidden by default using customisation on new installs or updated instances.

  • The “New” asset form will include an optional field called “Processes” that will list processes that relate to the selected Business Units using the naming convention “[BU Name] - Process”, this is ideally sorted alphabetically. The description will be “You can optionally associate business processes to this item”. The field “Processes” will be optional, hidden by default using customisations.
  • The “New” Third Party form will include an optional field “Business Unit” and “Process” that works exactly the same way as in “Assets”, the only difference is that in this case both fields are optional. This is done this way to make the migration of eramba possible, people might have already created third parties without having a BU.
  • The current “Business Risk” form needs to be updated to include the same naming convention (the field must be shown by default as it is now).
  • The CSV Import must be updated on all three modules

The summary looks as follows:

As for the visualisation of this data on filters:

On each one of the index pages for Assets, Third Parties and Business Units we need an option that displays these Processes (with a shortcut option).

As for the visualisation of this data on Reports:

We need to make sure the Item table widget includes the table “Business Units” and “Processes” so we can include them on this view. This is actually there so we do not need anything here.

On the chart that shows items and their related objects, we need to make sure this is included on the Asset and Third Party Item reports:

github: https://github.com/eramba/eramba/issues/4876

Hello @kisero ,

Is there a date for this release?

Hello,

This change will most probably be part of the 3rd phase of the new user interface.
No estimates yet.