Info
🔗 Back to Summary. 🇫🇷 French Version: 2024R1774_FR.4. Back to Summary of LVL1. Open the PDF. Direct link to EUR-LEX.
Article 3 – ICT risk management ⬅️ | ➡️ Article 5 – ICT asset management procedure
Références LVL1 <=> LVL2
Level 1 reference(s): 2022R2554_EN.15
Article 4 - ICT asset management policy
1.
As part of the ICT security policies, procedures, protocols, and tools referred to in 2022, financial entities shall develop, document, and implement a policy on management of ICT assets.
2.
The policy on management of ICT assets referred to in paragraph 1 shall:
(a)
prescribe the monitoring and management of the lifecycle of ICT assets identified and classified in accordance with 2022;
(b)
prescribe that the financial entity keeps records of all of the following:
(i)
the unique identifier of each ICT asset;
(ii)
information on the location, either physical or logical, of all ICT assets;
(iii)
the classification of all ICT assets, as referred to in 2022;
(iv)
the identity of ICT asset owners;
(v)
the business functions or services supported by the ICT asset;
(vi)
the ICT business continuity requirements, including recovery time objectives and recovery point objectives;
(vii)
whether the ICT asset can be or is exposed to external networks, including the internet;
(viii)
the links and interdependencies among ICT assets and the business functions using each ICT asset;
(ix)
where applicable, for all ICT assets, the end dates of the ICT third-party service provider’s regular, extended, and custom support services after which those ICT assets are no longer supported by their supplier or by an ICT third-party service provider;
(c)
for financial entities other than microenterprises, prescribe that those financial entities keep records of the information necessary to perform a specific ICT risk assessment on all legacy ICT systems referred to in 2022.