Case Study

DORA - IT Network and Security

SUMMARY

The client had performed a gap analysis in order to assess their compliance with all relevant DORA regulation. To address the eight identified shortcomings, a consultant from Avantage Reply supported the client in producing action plans and recommendations with the purpose of aligning all stakeholder expectations and achieving compliance for the eight IT Network and Security topics that were highlighted as a result of the gap analysis.

The consultant delivered these action plans, and regular follow-up meetings were planned in order to ensure the plan was implemented correctly. Furthermore, two procedures were formalized: one addressing the regular review of firewall rules for critical and important applications, and one addressing the management of changes made to the firewall and proxy infrastructures.

CUSTOMER GOALS

The client had performed a gap analysis related to the bank’s compliance with DORA regulation. They identified eight IT Network and Security topics which needed to be addressed in order to comply with the Regulatory Technical Standards under the DORA directive. The aim of the project was to work out action plans and recommendations in order to address all the gaps and to implement the agreed-upon plan.

CHALLENGES

The main challenge of the project was to work out an action plan and align all the various stakeholders, such as the COO, Group CISO, head of IT Group Infrastructure, SMEs, etc. All the stakeholders needed to be aligned and agree on the action plans and recommendations in order to put them into practice and achieve compliance with all the relevant DORA-related regulation.

SOLUTION

A consultant from Avantage Reply supported the client in addressing these challenges and performed the following work during the assignment:

  • The eight identified gaps concerning ‘Network and Security’ were contextualized in relation to internal policies and procedures. Interviews with various IT teams helped understand the operational context where dependencies existed between IT Network and Security and other IT Infrastructure teams.
  • Action plans and recommendations were proposed to achieve compliance for the eight Network and Security topics, validated by the head of IT Group Infrastructure, and presented to the Client’s Subject Matter Experts (SMEs). These action plans aimed to operationalize the eight topics.
  • The final proposal of the action plan, once validated by the SME and the head of IT Group Infrastructure, was presented to the Client’s COO with an evaluation of the workload. Directives for the next steps of the assignment from the COO and the head of IT Group Infrastructure were collected to support the IT Network and Security team and other local and Group teams.
  • Action plans were presented to various IT stakeholders (Infrastructure and Development - local and group), and to the second line of defence (Group CISO). Support, assistance, and follow-up of tasks related to the action plans were provided to the IT Network and Security team and IT Infrastructure Manager.
  • Action plans were presented to the DORA program’s Project Manager (Client), and regular follow-up meetings were planned during the assignment.

CUSTOMER DESCRIPTION

The client is a medium-sized bank providing primarily private banking and wealth management services to their clients locally and internationally.