Digital Operational Resilience Act Series: Article 25 - I have to test, what now?
- Markus Vervier
- Jul 2, 2024
- 2 min read
Updated: Feb 7

Article 25 - Testing of ICT tools and systems
One of the five pillars of the Digital Operational Resilience Act (DORA), is the Digital Operational Resilience Testing (DORT) pillar.
Within this pillar are four articles:
24. General requirements for the performance of digital operational resilience testing
25. Testing of ICT tools and systems
26. Advanced testing of ICT tools, systems and processes based on Threat Led Penetration Testing
27. Requirements for testers for the carrying out of Threat Led Penetration Testing
This article focuses on article 25. For those preferring visual content: watch our summary video on article 25 at the end of this article!
Article 25, at its core, aims to make sure a company tests or assesses its critical infrastructure to identify potential weaknesses that could lead to data loss, reputational damage, loss of customer information, ransomware, etc.
It sets out several examples of such tests, including:
Scenario-based tests (based on real-world threats)
Physical security reviews
Penetration testing
Source code reviews
Vulnerability scans
Continue reading to learn how this translates in practice!
Let's delve into scenario-based testing - a core component of Nemesis Breach and Attack Simulation (BAS) software. It allows financial entities to simulate scenarios based on hundreds of real-world techniques, identified by globally recognized leading authorities in the field of cybersecurity.
Dynamic Threat Adaptation
Following a reported cybersecurity incident within the financial sector, a thorough root cause analysis is essential. The Nemesis BAS team gathers insights from this analysis and uses them to craft custom techniques and scenarios for continuous testing. This is a crucial part of compliance with Article 25 of DORA and ensures that your organization keeps improving its security posture, adapting to new threats and vulnerabilities as they arise.
Continuous Assessment and Improvement
Those scenarios are then run as assessments. In the Nemesis BAS dashboard you can monitor the prevention rate of the techniques over time, allowing for timely adjustments to security tools or policies. This adds a proactive layer to your risk management strategy and is a cornerstone of Digital Operational Resilience.
Executive Reporting and Compliance
The executive-quality reporting from Nemesis BAS can easily be added to board packs, compliance reviews and audit presentations. Nemesis BAS simplifies the communication of your security status to senior management. Keep your Chief Risk Officer (CRO), Chief Compliance Officer (CCO) and Chief Information Security Officer (CISO) informed and confident that you are discharging your duties as appropriate.
The ability of Nemesis BAS to test your systems and tools makes it a crucial part of your strategy for DORA compliance.
On July 17th, 2024 the final drafts of the second set of Regulatory Technical Standards (RTS) will be released, which cover how to properly conduct a few of these testing regimes. By that time Persistent Security Industries will publish a new update.
Remember, with Nemesis Breach and Attack Simulation you are able to:

Want to know more? Reach out to us via the contact us button and we will schedule some time to chat about how we can help your firm on their compliance journey.