DORA compliance is a hot topic at the minute, but should it really be of concern to any organization with an existing security compliance program of any sort? I do not believe so, and here is why.
This has been said before, but here it is once again - when it comes to security compliance standards or regulations, there is a simple reason they share mostly the same ingredients. These “frameworks” are simply collections of controls that have been defined based on risks that are deemed relevant to whomever the framework is geared towards. Yes, the risks come first, then the controls (aka mitigating controls) that an organization must implement in order to reduce these risks to an acceptable level.
So, rather than once more writing about the controls that must be implemented in order to achieve DORA compliance, let’s look at some risk events that the EU have defined that financial organizations ought to occupy themselves with 🙂
What lies behind this? Naturally, if management buy-in is not there, the likelihood of a security program succeeding is slim. Achieving management buy-in does unfortunately tend to be an outcome of fear, as a failing program can result in hefty fines and reputational damage.
But, is this a new risk? Of course not, “setting the tone at the top” in CC1.1 of the AICPA’s TSC’s (SOC2) and “top management shall demonstrate leadership and commitment with respect to the [ISMS]” in control 5.1 of ISO/IEC 27001:2013 are just two examples of “equivalent” controls to reduce this risk.
What lies behind this? The failure of critical functions will result in downtime, negatively impacting both the organization and their consumers. Therefore, it is in all parties interests to ensure appropriate controls have been implemented to ensure continuity.
But, is this a new risk? Once more, of course not! It is a risk commonly mitigated by a common “control package”, composed of business impact analysis, resilience processes for business critical systems and procedures and business continuity and disaster recovery plans. “Contingency Planning (CP)” in NIST 800-53, “Business Continuity Management and Operational Resilience” in CSA STAR are just two examples of “control packages” (categories) that can be implemented in order to effectively reduce this risk.
There are more risk events that the EU have defined critical to the financial sector, but they follow much the same approach, and do not reinvent the wheel by any means. So, if you have an existing control environment that adheres to industry standards and benchmarks, your DORA gap assessment should reveal little, if any delta!