The two sides of IT risk management: knowledge and protection.
With just over a year left to comply with DORA, adopting an ICT risk management framework is also mandatory. But how can such a framework become operational without knowing which IT assets need to be secured and protected? Let's see why ITAM makes a difference for cybersecurity.
EU financial institutions have until January 17th, 2025, to comply with the new requirements of DORA (Digital Operational Resilience Act), the regulation the EU has introduced to harmonize and consolidate at the European level the way cyber risk is managed.
The purpose of the regulation is to ensure that financial entities, that is, banks, insurance companies, investment firms and credit institutions, but also providers of cryptocurrency and crowdfunding-related services, achieve a high level of digital operational resilience: the ability to prevent, mitigate and recover from all types of ICT-related incidents and threats.
In fact, operational incidents related to cybersecurity represent a cost and a serious threat to financial stability in general, given the high level of interconnectedness that exists between institutions, markets, financial market infrastructures, and in particular the interdependencies of their IT systems.
One of the crucial elements the legislation insists on is the absolute necessity of an ICT risk management framework, as stated in Article 6(1). The purpose of this framework (see Article 6(3)) is to describe in detail all the elements put in place (ICT strategies, policies, protocols and tools) to duly and adequately protect the organization's information and IT assets.
The assets mentioned in the text cover:
Financial sector operators must therefore protect not only their software and physical equipment (servers, endpoints, etc.), but also their information systems, including all physical components and infrastructure relevant to the protection of these assets such as premises or data centers.
At this point, the first step in ICT risk management becomes clear: how, in fact, can one put in place procedures and systems to protect IT assets if one does not have full knowledge of the very assets one is supposed to go about protecting? This is where IT Asset Management (ITAM) comes in.
In the 5th century BC, Socrates said "knowledge makes free." Today we can add that knowledge makes safe.
Among the main factors that significantly increase a financial institution's risk profile, three in particular relate to IT asset management.
The first is shadow IT. This generic term refers to any software or system that is not distributed or managed by the IT department or a corporate vendor.
According to research by Entrust, 65 percent of IT respondents report instances where the organization has not approved the SaaS tools in use. Users can reach a plethora of cloud-based services with a few clicks, often bypassing corporate guidelines and creating an uncontrolled environment.
Shadow IT offers attackers opportunities: file shares that expose sensitive information to unauthorized parties, uncontrolled access, insecure integrations between systems, credential theft and vulnerabilities that sit outside the remediation plan, as well as penalties for systems that do not comply with industry data protection regulations.
Detecting everything that is active on the network, and comparing it with what the inventory says should be there, is necessary to identify risky assets and misuse.
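As an added illustration (not code from the original article or from WEGG), the following Python script reconciles a network discovery listing and a web-proxy log against an ITAM inventory to surface the two usual forms of shadow IT: devices nobody registered and SaaS nobody approved. All inventory rows, discovery lines, log lines and domain names are constructed for the example; the MAC normalization is there because discovery tools and CMDB exports rarely write addresses the same way, and without it a known device shows up as unknown.

```python
"""Surface shadow IT by reconciling what the network shows against what the
inventory says. Every row, log line, MAC and domain below is constructed."""
import re

# Constructed ITAM inventory: note the three different MAC notations, as exported
# by different tools.
INVENTORY = [
    {"hostname": "FIN-LAPTOP-023", "mac": "AA:BB:CC:DD:EE:01", "owner": "m.rossi"},
    {"hostname": "FIN-SRV-DB01",   "mac": "aa-bb-cc-dd-ee-02", "owner": "dba-team"},
    {"hostname": "HR-LAPTOP-007",  "mac": "aabb.ccdd.ee03",    "owner": "l.bianchi"},
]

# Constructed network discovery output, one "ip mac hostname" row per host,
# with "-" where the scanner could not resolve a name.
DISCOVERY = """\
10.20.1.23 aa:bb:cc:dd:ee:01 FIN-LAPTOP-023
10.20.1.40 AA:BB:CC:DD:EE:02 FIN-SRV-DB01
10.20.1.77 de:ad:be:ef:00:11 -
10.20.1.90 AA:BB:CC:DD:EE:03 HR-LAPTOP-007
10.20.2.15 02:42:ac:11:00:05 raspberrypi
"""

# Constructed web-proxy log: "timestamp user destination-host".
PROXY_LOG = """\
2024-03-04T09:01:12Z m.rossi login.microsoftonline.com
2024-03-04T09:02:40Z m.rossi app.example-filedrop.io
2024-03-04T09:05:03Z l.bianchi app.example-filedrop.io
2024-03-04T09:06:55Z dba-team github.com
2024-03-04T09:07:10Z l.bianchi notes.example-pad.net
"""
# Constructed allow-list of SaaS the organization has approved.
APPROVED_SAAS = {"login.microsoftonline.com", "github.com"}


def normalize_mac(mac: str) -> str:
    """Canonical 12-hex-digit lower-case form, so 'AA:BB:..', 'aa-bb-..' and
    'aabb.ccdd..' all compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_discovery(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split()
        rows.append({"ip": ip, "mac": normalize_mac(mac),
                     "hostname": None if hostname == "-" else hostname})
    return rows


def find_unknown_devices(discovered: list[dict], inventory: list[dict]) -> list[dict]:
    """Hosts seen on the wire whose MAC the inventory does not know about."""
    known = {normalize_mac(a["mac"]) for a in inventory}
    return [d for d in discovered if d["mac"] not in known]


def find_unapproved_saas(log_text: str, approved: set[str]) -> dict[str, set[str]]:
    """Map each destination outside the allow-list to the users who reached it."""
    hits: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host = line.split()
        if host not in approved:
            hits.setdefault(host, set()).add(user)
    return hits


if __name__ == "__main__":
    for d in find_unknown_devices(parse_discovery(DISCOVERY), INVENTORY):
        print(f"unregistered device {d['ip']} mac={d['mac']} name={d['hostname']}")
    for host, users in sorted(find_unapproved_saas(PROXY_LOG, APPROVED_SAAS).items()):
        print(f"unapproved SaaS {host} used by {', '.join(sorted(users))}")
```

On the constructed data the script reports two unregistered devices (10.20.1.77 and the "raspberrypi" at 10.20.2.15) and two unapproved destinations, one of them used by two different people, which is the kind of signal that turns a single user's shortcut into an inventory and policy question.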
The second factor is software and systems that are out of support, which significantly increase a financial organization's risk profile.
Knowing the vendor's end-of-support date for each ICT asset lets you act proactively on technology obsolescence. Keeping software past its end of life (EOL) in production is very dangerous; it is among the most common weaknesses behind data breaches.
Research from 2021 shows that Windows 7, although retired by Microsoft in January 2020, was still running on 17 percent of desktops that year. The lesson has evidently not been learned: in 2017, 98 percent of the machines hit by the WannaCry ransomware were running Windows 7, because the worm exploited an unpatched vulnerability in the operating system's SMB service.
Visibility of end-of-life dates lets you plan measures in advance, so that data is not compromised on an asset that should already have been retired.
The third is patch management, that is, applying the patches and updates that remediate security vulnerabilities. It requires knowing the device types, operating systems, versions and third-party applications running in the IT environment, so that this information can be correlated with vulnerability advisories and the CVSS severity scores published in the NVD (National Vulnerability Database), one of the common reference sources companies use for risk management.
If you do not know what you have in place, you cannot make prioritization decisions in your remediation plan and consequently cannot mitigate the risk.
Knowing which assets are active on the network, where they are, who owns them, how they are configured, what state they are in and which vulnerabilities they carry makes it possible to identify and prioritize the most critical and sensitive assets, apply security policies and patches, and detect misuse.
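To make the end-of-life and patch-prioritization points concrete, here is an added Python example (not from the original article or from WEGG's tooling) that joins a small inventory with vendor end-of-support dates and NVD-style CVE records, then ranks assets for remediation. The assets, EOL dates and CVE records are constructed placeholders (the CVE identifiers are not real entries), and the scoring weights (+2 for internet exposure, +3 for an operating system past EOL) are an assumption chosen for illustration; a real program would pull the records from the NVD feed and tune the weights to its own risk appetite.

```python
"""Rank inventoried assets for remediation by joining them with vendor EOL dates
and NVD-style CVE records. All assets, dates and CVE entries are constructed
placeholders (the CVE ids are not real), and the weights are an assumption."""
from datetime import date


def version_tuple(v: str) -> tuple:
    """'12.9' -> (12, 9) so that 12.9 sorts before 12.17 (string order would not)."""
    return tuple(int(p) for p in v.split("."))


# Constructed inventory: product/version running on each asset, its OS branch,
# and whether it is reachable from the internet.
ASSETS = [
    {"id": "FIN-SRV-WEB01", "product": "nginx",      "version": "1.24.0",
     "os": "ubuntu",  "os_version": "22.04", "internet_exposed": True},
    {"id": "FIN-SRV-DB01",  "product": "postgresql", "version": "12.9",
     "os": "ubuntu",  "os_version": "18.04", "internet_exposed": False},
    {"id": "HR-LAPTOP-007", "product": "office",     "version": "16.0.1",
     "os": "windows", "os_version": "7",     "internet_exposed": False},
]

# Constructed vendor end-of-support dates per OS branch.
EOL_DATES = {
    ("ubuntu", "18.04"): date(2023, 5, 31),
    ("ubuntu", "22.04"): date(2027, 4, 30),
    ("windows", "7"):    date(2020, 1, 14),
}

# Constructed CVE-style records in the shape one would extract from NVD:
# affected product, first fixed version, CVSS v3 base score. Placeholder ids.
CVES = [
    {"id": "CVE-0000-0001", "product": "nginx",      "fixed_in": "1.25.1", "cvss": 7.5},
    {"id": "CVE-0000-0002", "product": "postgresql", "fixed_in": "12.17",  "cvss": 8.8},
    {"id": "CVE-0000-0003", "product": "office",     "fixed_in": "16.0.2", "cvss": 9.8},
    {"id": "CVE-0000-0004", "product": "postgresql", "fixed_in": "12.5",   "cvss": 5.3},  # already fixed on 12.9
]

# Assumed weights: exposure and EOL status raise the priority on top of the CVSS score.
EXPOSURE_WEIGHT = 2.0
EOL_WEIGHT = 3.0


def is_past_eol(asset: dict, today: date) -> bool:
    eol = EOL_DATES.get((asset["os"], asset["os_version"]))
    return eol is not None and eol < today


def matching_cves(asset: dict, cves: list) -> list:
    """A record applies when the product matches and the installed version is
    older than the first fixed version."""
    installed = version_tuple(asset["version"])
    return [c for c in cves
            if c["product"] == asset["product"] and installed < version_tuple(c["fixed_in"])]


def priority_score(asset: dict, cves: list, today: date) -> float:
    """Worst applicable CVSS, raised for internet exposure and for an OS past EOL
    (no vendor fix will ever arrive, so the remedy is replacement or isolation)."""
    applicable = matching_cves(asset, cves)
    past_eol = is_past_eol(asset, today)
    if not applicable and not past_eol:
        return 0.0
    score = max((c["cvss"] for c in applicable), default=0.0)
    if asset["internet_exposed"]:
        score += EXPOSURE_WEIGHT
    if past_eol:
        score += EOL_WEIGHT
    return score


def prioritize(assets: list, cves: list, today: date) -> list:
    """Assets that need action, most urgent first."""
    ranked = []
    for a in assets:
        score = priority_score(a, cves, today)
        if score > 0:
            ranked.append({"id": a["id"], "score": score, "past_eol": is_past_eol(a, today),
                           "cves": [c["id"] for c in matching_cves(a, cves)]})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize(ASSETS, CVES, date(2024, 3, 4)):
        flag = " (OS past EOL)" if r["past_eol"] else ""
        print(f"{r['id']:14} score={r['score']:.1f} cves={','.join(r['cves']) or '-'}{flag}")
```

Two details matter in practice. Versions are compared as integer tuples, not strings, because "12.9" sorts after "12.17" lexically and a string comparison would silently mark the database server as patched; real NVD data uses CPE match ranges rather than a single "fixed in" version, so a production matcher has more cases to handle. And the Windows 7 laptop ranks first even though it is not internet-facing, because a high-severity CVE on a platform that will never receive a fix has no patch path at all.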
The link between ITAM and security is very strong: security needs up-to-date inventories to deliver effective protection. The point is current: in 2022 the ISO standard describing information security controls (ISO/IEC 27002:2022) added, for the first time, specific references to the ISO standards for ITAM.
IT asset management from a cybersecurity perspective means an organization's ability to run a continuous, real-time process that identifies its IT assets and all their interdependencies.
Therefore, in order to draft the risk management framework required by DORA effectively, complete visibility is needed of the data and assets operating on the network, from their activation or acquisition to their decommissioning.
As for IT assets, they need to be inventoried and managed so that all the risks to which they are exposed can be assessed. Any IT asset, in fact, could become a beachhead for launching a broader attack.
The problem is that companies' inventories are often not aligned with reality: it is not uncommon to find assets still registered to people long gone from the organization, or devices running software that is no longer supported and therefore highly vulnerable.
Recognizing that manually updated Excel spreadsheets cannot keep pace with the new devices entering the network every day, most companies turn to automated inventory tools such as SCCM or Lansweeper.
However, these are tools that are unable to provide us with useful data for risk management because:
The lack of reconciliation between these two elements, together with the difficulty of tracking changes in asset status, does not allow complete and up-to-date coverage of the perimeter. And without that, what is a risk management framework based on?
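As an added example (not from the article or from WEGG's products), the Python audit below checks the inventory records themselves rather than the network: it flags assets assigned to owners who no longer appear in the active-user directory, assets that have not checked in for longer than a threshold, and serial numbers that appear twice, which usually means a re-imaged or re-registered device that was never reconciled. Inventory rows, user names and dates are constructed, and the 30-day silence threshold is an assumption.

```python
"""Audit an ITAM inventory for records that no longer match reality.
All data below is constructed for the example."""
from collections import defaultdict
from datetime import date

# Constructed identity-directory extract: accounts that are currently active.
ACTIVE_OWNERS = {"m.rossi", "l.bianchi", "dba-team", "facilities"}

# Constructed inventory export: id, hardware serial, assigned owner, last agent check-in.
INVENTORY = [
    {"id": "FIN-LAPTOP-023", "serial": "SN-1001", "owner": "m.rossi",    "last_seen": date(2024, 3, 3)},
    {"id": "FIN-LAPTOP-019", "serial": "SN-0877", "owner": "g.verdi",    "last_seen": date(2023, 9, 12)},
    {"id": "FIN-SRV-DB01",   "serial": "SN-2001", "owner": "dba-team",   "last_seen": date(2024, 3, 4)},
    {"id": "HR-LAPTOP-007",  "serial": "SN-1001", "owner": "l.bianchi",  "last_seen": date(2024, 3, 1)},
    {"id": "OLD-PRINTER-02", "serial": "SN-0300", "owner": "facilities", "last_seen": date(2023, 12, 1)},
]


def audit_inventory(inventory: list, active_owners: set, today: date,
                    max_silence_days: int = 30) -> dict:
    """Return orphaned ids (owner no longer active), stale ids (no check-in within
    max_silence_days) and duplicate serials mapped to the ids that share them."""
    orphaned = [a["id"] for a in inventory if a["owner"] not in active_owners]
    stale = [a["id"] for a in inventory
             if (today - a["last_seen"]).days > max_silence_days]
    by_serial = defaultdict(list)
    for a in inventory:
        by_serial[a["serial"]].append(a["id"])
    duplicate_serial = {s: ids for s, ids in by_serial.items() if len(ids) > 1}
    return {"orphaned": orphaned, "stale": stale, "duplicate_serial": duplicate_serial}


if __name__ == "__main__":
    report = audit_inventory(INVENTORY, ACTIVE_OWNERS, date(2024, 3, 4))
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

An asset that is both orphaned and stale (FIN-LAPTOP-019 in the sample) is the classic record of a device that left with its user and was never returned or written off; until it is reconciled it counts as perimeter you are supposed to protect but cannot see.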
Incidentally, the legislation is clear on this point: Article 5(4) specifies that members of the management body "shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk."
At WEGG we are involved in IT Asset Management and work daily to improve visibility through an integrated ITAM approach to security.
On the one hand we ensure the tracking of all IT assets, even unknown ones, to bring them into a single view of control, and on the other we relate the information obtained with process workflows to automate the management of critical issues, incidents, maintenance and replacement interventions.
We rely on:
OUR OFFICES
PADUA
Via Arnaldo Fusinato 42, 35137
MILAN
Viale Enrico Forlanini 23, 20134
ROME
Viale Giorgio Ribotta 11, 00144
Copyright © 2022 WEGG S.r.l. • P.I 03447430285 • C.F. 02371140233 • REA 311023
Certified company ISO 9001:2015