
The Role of DORA in Promoting Software Security and Threat Modeling

The Digital Operational Resilience Act (DORA) is a regulatory framework which aims to address risk.

The Digital Operational Resilience Act (DORA) is a regulatory framework that aims to enhance the operational resilience of financial entities by addressing risks related to Information and Communication Technology (ICT) systems. While DORA does not explicitly mention threat modeling or security by design, it contains provisions that promote security by design and good software security practices, which in turn are reasons to threat model.

Does DORA recommend threat modeling activities? 

DORA requires financial entities to identify and assess their critical business services and supporting information systems, which could be considered a form of threat modeling. By conducting threat modeling exercises, organizations can identify potential vulnerabilities, evaluate risks, and implement appropriate security measures. 

IriusRisk offers a comprehensive threat modeling solution that aligns well with the risk assessment requirements imposed by DORA. Financial entities seeking compliance with the regulation can leverage IriusRisk to streamline their threat modeling process and effectively address the ICT risks outlined in DORA. By choosing IriusRisk, organizations are able to strive for regulatory compliance and operational resilience.

Does DORA promote security by design?

Although not explicitly stated, DORA implicitly promotes security by design principles. The regulation requires financial entities to establish an effective and prudent management of ICT risk, an ICT risk management framework, and appropriate ICT systems, protocols, and tools that are technologically resilient. By incorporating these requirements into their operations, organizations are encouraged to integrate security considerations throughout the entire software development lifecycle. 

Security by design emphasizes proactively building security into systems from the initial design stages, ensuring that security controls, risk assessments, and threat modeling are integral components of the development process. Financial entities complying with DORA are effectively incentivized to adopt security by design practices, enhancing the resilience and security of their ICT systems.

Does DORA promote good software security?

DORA significantly contributes to promoting good software security practices within financial entities. The regulation encompasses a range of provisions that address key aspects of software security. Financial entities must identify and classify ICT-supported business functions, assets, roles, and responsibilities, enabling them to gain a comprehensive understanding of their software landscape. On top of this, DORA mandates the establishment of ICT security policies, mechanisms for detecting anomalous activities, and backup policies and procedures. 

These requirements foster a culture of proactive security management, ensuring that financial entities prioritize the resilience, continuity, and availability of their ICT systems. By adhering to DORA's guidelines, financial organizations can strengthen their overall software security posture and effectively protect critical information assets.


DORA provides a favorable environment for financial entities to undertake threat modeling activities, especially those seeking compliance with the regulation itself. DORA indirectly promotes security by design principles by requiring effective ICT risk management frameworks and resilient ICT systems.

The regulation fosters good software security practices through its comprehensive provisions related to business continuity, risk assessment, detection of anomalous activities, and backup policies. Financial entities striving for compliance with DORA can leverage IriusRisk's threat modeling solution to efficiently address the ICT risks outlined in the regulation, ultimately enhancing their operational resilience and software security.

Find out more about the other standards IriusRisk supports on our Security Content Libraries page.
