ISSUE: The new regulation on resilience applicable to banks and insurance providers calls for consistency in criticality. Criticality is usually defined at service/process level (with RTO/MTO among other things) and then cascaded to the supporting components such as assets and third parties. Currently an asset or third party can be linked to a BU but not to a process, and there is no criticality feature for processes.
This is the extract of DORA: “[…] perform the criticality assessment of information assets and ICT assets supporting business functions. The assessment shall take into account the ICT risk related to those business functions and their dependencies on the information assets or ICT assets […] impact their business processes and activities of the financial entity.”
RECOMMENDATION: create a criticality category (Critical|Important|Non essential) in the process view. Link the processes to supporting assets and third parties and cascade the criticality to asset and process.
Hi Dave
This is my workaround. The problem is that it requires multiple entries of the same data because modules can’t inherit custom fields (if my understanding is correct). Basically criticality is defined at process level but I’d need to re-enter this in the asset/third party supporting this process. Plus there is no process-to-third-party link.
Access to customised fields across modules is definitely a good thing.
It feels that the current data model with the link to BU is limiting the options. If assets and third parties could be linked to a process rather than a BU, wouldn’t it help?
Only assets link to BUs; Third Parties do not link to BUs.
This is Section 2, 5.2 (Art. 5 ICT asset management procedure - RMF) and the text is wider: the requirement asks for a piece of paper (the word “procedure” is used) that describes how to define the criticality of “assets”. The requirements suggest the “process” should look at the risks of those assets and the business units (this is part of standard asset risk management in eramba) and a CIA classification on the asset (this can be done on the asset module in eramba as a classification).
I really don’t see here the need for any new relationship in the software or the need to touch processes at all.
DORA does require “processes” (in eramba) to be linked to “Third Parties” as part of Section 2, 8.5 (Art. 8 Identification - DORA) and this is something we miss.
Please comment if we are not understanding each other but let’s stick to facts!!!
The idea is that Business Units can be linked to Third Parties. Since many people also need to select processes, we will allow such relationships as we do in Business Risks, where the user selects Business Units and we let them choose Processes that relate to those selected Business Units.
BU: Select one or more Business Units that relate to this item
Process: Select one or more Processes related to the Business Unit you selected in the field above
Notes:
The user must select a business unit first; then we display only the processes related to the selected business units
CSV Imports must be updated on Assets, Third Parties module
Views must include the columns “Business Units” and “Processes” to be included and shown by default
The Process needs a naming convention $ProcessName ($BU name)
Please handle the edition of the fields carefully:
Addition of a BU: if the user already has a BU selected with 3 processes and then “adds” a BU in the dropdown (having two selected), do not refresh the “Process” field by removing what was already selected. Leave what was selected and let the user choose more options.
Removing a BU: if the user removes a BU that was selected, simply remove the Processes related to that previously selected BU; do not empty the “Process” field completely.
New installs and existing installs get these fields displayed by default, they can hide them if they want using customisation (those optional fields)
The business risk module includes some MTO, RTO stuff. Do not use any of that in Assets and Third Parties. We will update the Risk module later on.
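The BU-dependent Process field and its add/remove rules described in the post above, as an added example that is not eramba code. The business units, process names and the state shape are constructed for illustration; the point is that adding a BU keeps existing Process selections, removing a BU drops only that BU's processes, and the final selection is validated server-side as well.

```javascript
// Constructed sample data: each process belongs to exactly one business unit.
const PROCESSES = [
  { id: 1, name: "Payments", bu: "Retail" },
  { id: 2, name: "Onboarding", bu: "Retail" },
  { id: 3, name: "Settlement", bu: "Treasury" },
];

// Options offered in the "Process" dropdown: only processes of the selected BUs,
// labelled with the naming convention "$ProcessName ($BU name)".
function processOptions(selectedBUs, processes = PROCESSES) {
  return processes
    .filter((p) => selectedBUs.includes(p.bu))
    .map((p) => ({ id: p.id, label: `${p.name} (${p.bu})` }));
}

// Adding a BU must not refresh the Process field: previously selected
// processes stay, the user only gets more options.
function addBU(state, bu) {
  if (state.bus.includes(bu)) return state;
  return { bus: [...state.bus, bu], processes: [...state.processes] };
}

// Removing a BU drops only the processes that belonged to it, never the
// whole Process field.
function removeBU(state, bu, processes = PROCESSES) {
  const orphaned = new Set(processes.filter((p) => p.bu === bu).map((p) => p.id));
  return {
    bus: state.bus.filter((b) => b !== bu),
    processes: state.processes.filter((id) => !orphaned.has(id)),
  };
}

// Server-side check on submit (and on CSV import): every selected process must
// belong to a selected BU, so a tampered or stale form cannot link an asset or
// third party to a process outside its business units.
function validate(state, processes = PROCESSES) {
  const allowed = new Set(processOptions(state.bus, processes).map((o) => o.id));
  return state.processes.every((id) => allowed.has(id));
}
```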
Thank you kisero, that’s a shame. For every financial company in the EU and their ICT service providers, this would be a very important feature for the implementation of DORA. We would be very pleased if you could give this topic a higher priority.
In the demographic of community users that is at best 3%; we have many other things to work on that create far more impact in the community. We’ll try to do this later next year.