DORA Part 4 – Digital Operational Resilience Strategy

Hi, we’re STC!

A team of risk management and corporate governance professionals working in a partnership structure to provide top-tier expertise to a wide range of organizations. We offer our skills and talent to support your strategy.

I wouldn’t even start the implementation of DORA without defining the DIGITAL OPERATIONAL RESILIENCE STRATEGY. How do you know what tools to buy if you do not know what you want to achieve in digital resilience? How do you know whether you need to change your current ICT architecture? Or, simply, what resource gaps you have?

I would begin with this. It’s not rocket science. Any competent risk manager should be able to help you develop the strategy’s structure, as the same principles apply to all risk management strategies.

I once worked with an Executive who taught me to approach tasks by asking, “What is the exam question?”. I have been broken ever since. 😊

OVERALL OBJECTIVE

– 2-3 sentences to describe how the document responds to DORA requirements
– 2-3 sentences to position this strategy in the wider context of the business and to introduce the ICT third-party strategy, which is a sub-strategy of this one

BUSINESS STRATEGY AND OBJECTIVES

– describe the Company’s strategy
– describe the business objectives

RISK APPETITE AND ICT RISK TOLERANCE LEVELS

– self-explanatory

INFORMATION SECURITY OBJECTIVES

– Between 3 and 10 security objectives (with their KRIs), agreed and each described in a few sentences, by answering the question “What do we want to achieve in information security?”

ICT REFERENCE ARCHITECTURE

– the current ICT architecture, including a description of the main functional components, channels, architectural components, databases and infrastructure
– 2-3 sentences answering the question “Is the current architecture adequate to support the business objectives?”
– a few sentences and/or diagrams explaining the future plans that will change the architecture, and why

ICT-RELATED INCIDENTS

– the tools, processes and oversight mechanisms used to detect incidents
– the approach to preventing incidents and to limiting and protecting against their impact

CURRENT DIGITAL OPERATIONAL RESILIENCE CONTEXT

– the external context: what the trends have been in recent years, and why
– What is ahead of us?
– trends in the incidents faced
– How have preventive measures performed?
– How do we link all of the above with the plans described earlier?

DIGITAL OPERATIONAL RESILIENCE TESTING

– What are the objectives of this mechanism? What is it set to achieve?
– What will the testing mechanism cover?
– What is the oversight for this mechanism?
– How do we intend to use the results to improve the overall operational resilience strategy?

ICT THIRD-PARTY STRATEGY

– a few sentences to explain that the ICT third-party strategy is a sub-component of this strategy
– How does the ICT third-party strategy contribute to this strategy?

APPROVAL

– a few sentences to explain that “the management body shall: bear the overall responsibility for setting and approving the digital operational resilience strategy”

You can find the DORA text HERE.

Posted initially on LinkedIn: Claudia Craia
