6. SECURITY IN NETWORK AND INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

6.10 Vulnerability handling and disclosure

6.10.1. The relevant entities shall obtain information about technical vulnerabilities in their network and information systems, evaluate their exposure to such vulnerabilities, and take appropriate measures to manage the vulnerabilities. 6.10.2. For the purpose of point 6.10.1., the relevant entities shall: (a) monitor information about vulnerabilities through appropriate channels, such as announcements of CSIRTs, competent

By | 2024-09-11T14:29:01+02:00 September 11th, 2024 | Comments disabled for 6.10 Vulnerability handling and disclosure

6.1 Security in acquisition of ICT services or ICT products

6.1.1. For the purpose of Article 21(2), point (e) of Directive (EU) 2022/2555, the relevant entities shall set and implement processes and procedures to manage risks stemming from the acquisition of ICT services or ICT products for components that are critical for the relevant entities’ security of network and information systems, based on the risk

By | 2024-09-11T14:28:42+02:00 September 11th, 2024 | Comments disabled for 6.1 Security in acquisition of ICT services or ICT products

6.2 Secure development life cycle

6.2.1. The relevant entities shall lay down, implement and apply rules for the secure development of network and information systems, including software, and apply them when acquiring or developing network and information systems. The rules shall cover all development phases, including specification, design, development, implementation and testing. 6.2.2. The relevant entities shall: (a) carry out

By | 2024-09-11T14:27:12+02:00 September 11th, 2024 | Comments disabled for 6.2 Secure development life cycle

6.3 Configuration management

6.3.1. The relevant entities shall establish, document, implement, and monitor configurations, including security configurations of hardware, software, services and networks. 6.3.2. For the purpose of point 6.3.1., the relevant entities shall: (a) lay down configurations, including security configurations, for their hardware, software, services and networks; (b) lay down and implement processes and tools to enforce

By | 2024-09-11T14:25:06+02:00 September 11th, 2024 | Comments disabled for 6.3 Configuration management

6.4 Change management, repairs and maintenance

6.4.1. The relevant entities shall apply management procedures to changes, repairs and maintenance to network and information systems. Where applicable, the procedures shall be consistent with the relevant entities’ general policies concerning change management. 6.4.2. The procedures referred to in point 6.4.1. shall be applied for releases, modifications and emergency changes of any operational software,

By | 2024-09-11T14:23:49+02:00 September 11th, 2024 | Comments disabled for 6.4 Change management, repairs and maintenance

6.5 Security testing

6.5.1. The relevant entities shall establish, implement and apply a policy and procedures for security testing. 6.5.2. The relevant entities shall: (a) establish, based on the risk assessment, the need, scope, frequency and type of security tests; (b) carry out security tests according to a documented test methodology, covering the components identified as relevant for

By | 2024-09-11T14:22:51+02:00 September 11th, 2024 | Comments disabled for 6.5 Security testing

6.6 Security patch management

6.6.1. The relevant entities shall specify and apply procedures for ensuring that: (a) security patches are applied within a reasonable time after they become available; (b) security patches are tested before being applied in production systems; (c) security patches come from trusted sources and are checked for integrity; (d) additional measures are implemented and residual

By | 2024-09-11T14:21:48+02:00 September 11th, 2024 | Comments disabled for 6.6 Security patch management

6.7 Network security

6.7.1. The relevant entities shall take the appropriate measures to protect their network and information systems from cyber threats. 6.7.2. For the purpose of point 6.7.1., the relevant entities shall (a) document the architecture of the network in a comprehensible and up to date manner; (b) determine and apply controls to protect the relevant entities’

By | 2024-09-11T14:20:49+02:00 September 11th, 2024 | Comments disabled for 6.7 Network security

6.8 Network segmentation

6.8.1. The relevant entities shall segment systems into networks or zones in accordance with the results of the risk assessment referred to in point 2.1. They shall segment their systems and networks from third parties’ systems and networks. 6.8.2. For that purpose, the relevant entities shall (a) consider the functional, logical and physical relationship, including

By | 2024-09-11T14:19:00+02:00 September 11th, 2024 | Comments disabled for 6.8 Network segmentation

6.9 Protection against malicious and unauthorised software

6.9.1. The relevant entities shall protect their network and information systems against malicious and unauthorised software. 6.9.2. For that purpose, the relevant entities shall in particular ensure that their network and information systems are equipped with malware detection and repair software, which is updated regularly in accordance with the risk assessment and the

By | 2024-09-11T14:17:42+02:00 September 11th, 2024 | Comments disabled for 6.9 Protection against malicious and unauthorised software