DORA - Article 7 — Explained


Be open for business via your ICT

Intro

While this text is about DORA requirements, it is really about the resilient availability of your service. Even if you are not bound to this regulation (for example because you are not a financial services provider), the requirements and the tips on how to meet them are invaluable for your client satisfaction.

Legal text

In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are:
(a) appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle as referred to in Article 4;
(b) reliable;
(c) equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced;
(d) technologically resilient in order to adequately deal with additional information processing needs as required under stressed market conditions or other adverse situations.

What do you need to do?

  • Determine what systems you need.
  • Inventory the systems you have.
  • Make sure your systems and applications are sized right for your business:
    • made resilient in proportion to the size of the business functions they support (proportionality),
    • reliable, meaning they produce consistent results,
    • and resilient, meaning they can withstand adverse effects where needed.

How do you do this?

For requirement (a)

  • Identify the capacity requirements for your services.
  • Also identify the capacity requirements in case of serious incapacitating events (business continuity).
  • Detail your capacity management plan so that you can meet these requirements.
  • Test your systems for compliance with these requirements.

For requirement (b)

  • Show the parts of your IT policy that deal with availability.
  • Show the technical disaster recovery plans and their execution reports (ideally spanning several years).
  • Show the availability reports for your systems.
  • Show the vulnerability management reports for your systems (optional).

For requirement (c)

  • Show the availability reports for your systems. This is really the end result: if you can show that your systems are available even under heavy load, you have won half the battle.
  • Show the capacity requirements for your systems. This is where you can prove you really thought about the demand for your service.
  • Show the capacity monitoring plans, roadmaps and reports for your systems.
  • Show the load testing reports executed on your systems.

For requirement (d)

  • Show the identified attack scenarios and how you defend against them.
  • Show the results of your resilience test plans: talk about high availability, disaster recovery, and manual workarounds or alternative workflows (that is business continuity).
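The evidence asked for under requirements (a), (c) and (d) boils down to a few numbers derived from monitoring data: measured availability against a target, headroom between provisioned capacity and the observed peak, and whether that headroom survives a loss of capacity (the stressed case). The script below is an added illustration of how to compute and report those figures; it is not part of the original article. The sample scrapes, the node count, the per-node throughput, the availability target and the headroom threshold are all constructed values.

```python
"""Availability and capacity-headroom check from monitoring samples.

Added illustration, not code from the original article. It turns raw
health-check / throughput samples into the figures an Article 7 review asks
for: measured availability against a target (requirement (c)), headroom
against peak volume (requirement (c)) and headroom when one node is lost,
i.e. under stressed conditions (requirements (a) and (d)). All sample data,
capacity figures and thresholds are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sample:
    ts: datetime   # time of the scrape
    up: bool       # synthetic transaction succeeded
    tps: float     # observed transactions per second over the interval


SCRAPE_INTERVAL = timedelta(minutes=5)

# Constructed: one hour of 5-minute scrapes, one failed check near the peak.
_T0 = datetime(2024, 1, 15, 9, 0)
_TPS = [120, 130, 150, 200, 260, 310, 340, 330, 290, 220, 160, 130]
SAMPLES = [
    Sample(_T0 + i * SCRAPE_INTERVAL, up=(i != 6), tps=float(t))
    for i, t in enumerate(_TPS)
]


def availability_pct(samples):
    """Share of successful checks, in percent (each sample weighs one interval)."""
    if not samples:
        raise ValueError("no samples")
    return 100.0 * sum(1 for s in samples if s.up) / len(samples)


def downtime(samples, interval=SCRAPE_INTERVAL):
    """Total time covered by failed checks."""
    return sum((interval for s in samples if not s.up), timedelta())


def peak_tps(samples):
    """Highest observed throughput in the window."""
    return max(s.tps for s in samples)


def headroom(samples, capacity_tps):
    """Provisioned capacity divided by observed peak; below 1.0 the peak exceeds capacity."""
    return capacity_tps / peak_tps(samples)


def capacity_report(samples, nodes, tps_per_node, target_pct, min_headroom):
    """Summarise the checks a reviewer would ask for, with explicit findings.

    nodes * tps_per_node is the normal capacity; the stressed case assumes one
    node is lost (N-1), the simplest incapacitating event to plan for.
    """
    if nodes < 1:
        raise ValueError("need at least one node")
    normal = nodes * tps_per_node
    degraded = (nodes - 1) * tps_per_node
    peak = peak_tps(samples)
    avail = availability_pct(samples)
    findings = []
    if avail < target_pct:
        findings.append(
            f"availability {avail:.3f}% below target {target_pct}% "
            f"(downtime {downtime(samples)})"
        )
    if headroom(samples, normal) < min_headroom:
        findings.append(
            f"normal headroom {normal / peak:.2f}x below required {min_headroom}x"
        )
    if degraded < peak:
        findings.append(
            f"with one node lost, capacity {degraded:.0f} tps cannot carry peak {peak:.0f} tps"
        )
    return {
        "availability_pct": avail,
        "peak_tps": peak,
        "normal_capacity_tps": normal,
        "degraded_capacity_tps": degraded,
        "required_capacity_tps": peak * min_headroom,  # what the peak needs at min_headroom
        "findings": findings,
    }


if __name__ == "__main__":
    report = capacity_report(SAMPLES, nodes=2, tps_per_node=200.0,
                             target_pct=99.9, min_headroom=1.5)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed data the report flags all three problems: one failed check in an hour gives 91.667% availability, far off a 99.9% target; two nodes of 200 tps give only 1.18x headroom over the 340 tps peak; and losing one node leaves 200 tps, which cannot carry the peak at all. Feeding the same function a month of real scrapes and your actual node sizing gives the availability figure, the capacity requirement (peak times the headroom you decided on) and the degraded-mode result in one place, which is exactly the evidence the bullets above ask you to show.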

Many of these solutions will depend on the solutions and responses to other DORA requirements.